Having not followed the projects' security process, presumably this is something the author didn't think was a serious issue themselves.
This doesn't appear to be new or interesting: If you exhaust a hosts incoming sockets it temporarily can't accept new connections.
Bitcoin itself already prioritizes existing and "good" connections to a substantial extent. Networks and IPs with multiple existing connections are prioritized for disconnection to handle new connections[1]. The result is that most existing connections are undisturbed, which makes it fairly ineffectual as an attack-- unless someone has broken something in the last couple years since I worked on it. A few years ago there were some periodic waves of people attempting attacks like this that went completely unnoticed in public due to their lack of meaningful effect.
It's annoying that new connections can be frustrated while an attack is ongoing, but since bitcoin connections are extremely long lived it doesn't have much of an impact, which is the security property the software is intended to uphold. The comment about 'finalization' suggests the author of the post isn't particularly familiar with how bitcoin works.
And at least if the attack is at a high enough rate, since the exhaustion will happen at the kernel before it gets to the bitcoin software, there isn't much for the bitcoin software to do. The host can implement firewall rules to mitigate, though even that can only work to the extent that the attack hasn't just effectively become volumetric.
It might be reasonable for the bitcoin authors to recommend some standard iptables rules that people should deploy as a best practice to protect their kernel's TCP stack (and avoid the issue that people will screw them up when coming up with their own).
i considered this and needed clarification. i didn't know whether the p2p connections remained open or made frequent disconnect/reconnects. what happens to sync'd nodes with active peers is yet to be seen. it's too early, at least for me, to know whether peers would drop a node under attack over timeouts, how bitcoind behaves with peers while tcp/8333 is experiencing stress, etc.
A large portion of a nodes connections live as long as possible given the uptime of the connected nodes. Care is taken it protect long working connections to provide as strong a protection against new and short lived attacks as possible-- a working network should stay working. A sustained attack can frustrate newly connecting/restarting hosts when the recipient is publicly reachable and known to the attacker, but I think that's essentially insoluble (if nothing else, a volumetric attack would guarantee it).
If you're going to be making announcements and whatever, you probably should have taken the time to characterize your observations completely! The failure to do so makes it kinda just look like more lamesauce attempts at market manipulation (not to lob an accusation, it's just what it looks like -- there is a long history of that kind of activity).
> it's too early, at least for me, to know whether peers would drop a node under attack over timeouts,
Do your homework! You're not the first person who ever thought of attacking a bitcoin node. While I'm sure there are areas for improvement, you're not likely to be able to make useful suggestions from a position of almost total ignorance.
>Do your homework! You're not the first person who ever thought of attacking a bitcoin node. While I'm sure there are areas for improvement, you're not likely to be able to make useful suggestions from a position of almost total ignorance.
again, i've successfully found remote crashes and dos issues in 25 - 30 blockchains. i don't care if you're a biased developer who takes this to heart. i'm going to see to brutalizing bitcoind and making it clear to you what happens when i attack nodes. cocky academics like you motivate me. he who laughs last etc.
Fantastic, I'm sure the bitcoin developers will appreciate the free labor. But if you care you have any reputation as anything but a hotheaded fool-- you should probably tone the public announcements down until you've actually completed your work! Otherwise, even when you do carry work though until you find something interesting (and I'm sure you would if you work at it long enough)-- you'll still have earned a poor reputation regardless.
i don't guard my reputation. this isn't 48 laws of power. i'd never become a blockchain socialite to the extent of social climbing to become blockstream's cto. i answer to no one and don't try to mold how others perceive me. interesting insults though - though i can assure you wholeheartedly that you don't want to make it personal. just so you know where you stand, who i am and who pulls rank on who. i rce'd slack too. bitcoin is food now. there is a dos here regardless - but thanks for the motivation
50k sockets looping requests make the p2p port entirely inaccessible at times. with more attacking machines it is reasonable to suspect that the target node(s) could be held down in perpetuity.
edit: re: child comment / syn flood; sure. bitcoind needs ip associated throttling baked in. there is no rationale behind a single machine attempting 1k handshakes a second. the attack shouldn't work at all.
You may as well just SYN flood at that point. None of this is really new, you can take down a lot of TCP based servers with the right combination of packets and volume.
inaccessible to external machines that are not participating in the attack. it's yet to be seen what happens to a node that's sync'd with active peers and whether a node under attack is kicked out of the network for timeouts or how bitcoind behaves in general while tcp/8333 is under fire.
bitcoind not having ip associated throttling edit: BUILT IN* is questionable. this attack shouldn't work on out-of-the-box installs of bitcoin. as i mentioned earlier - there is no rationale behind a single machine making 1k handshake requests per second.
node operators can implement their own throttling - sure - but how many bitcoin node operators are doing that to deflect a p2p ddos attack? even if some are, most aren't - and finality in the network could potentially suffer as a result of a massively scaled botnet attack.
edit: interesting child comment here. not pushing a patch just leaves the bulk of the network vulnerable to being ddos'd by a botnet - potentially resulting in severely lagged finality at best. ip throttling can/should be implemented by being baked into bitcoind.
The attacker used multiple nodes. Read the GitHub issue again. You are going to need more than one line and at some point you are going to notice that you want a software solution.
This doesn't appear to be new or interesting: If you exhaust a hosts incoming sockets it temporarily can't accept new connections.
Bitcoin itself already prioritizes existing and "good" connections to a substantial extent. Networks and IPs with multiple existing connections are prioritized for disconnection to handle new connections[1]. The result is that most existing connections are undisturbed, which makes it fairly ineffectual as an attack-- unless someone has broken something in the last couple years since I worked on it. A few years ago there were some periodic waves of people attempting attacks like this that went completely unnoticed in public due to their lack of meaningful effect.
It's annoying that new connections can be frustrated while an attack is ongoing, but since bitcoin connections are extremely long lived it doesn't have much of an impact, which is the security property the software is intended to uphold. The comment about 'finalization' suggests the author of the post isn't particularly familiar with how bitcoin works.
And at least if the attack is at a high enough rate, since the exhaustion will happen at the kernel before it gets to the bitcoin software, there isn't much for the bitcoin software to do. The host can implement firewall rules to mitigate, though even that can only work to the extent that the attack hasn't just effectively become volumetric.
It might be reasonable for the bitcoin authors to recommend some standard iptables rules that people should deploy as a best practice to protect their kernel's TCP stack (and avoid the issue that people will screw them up when coming up with their own).
[1] https://github.com/bitcoin/bitcoin/blob/master/src/node/evic...