On Mon, Aug 18, 2003 at 01:15:24PM -0700, pineapple wrote:
> I have some questions. Is this problem exploitable?
> Is someone exploiting it to DOS nodes? Could you add
> the IP address for these negotiation threads into the
> thread dump? Do you have any suggestions on what I
> can do about this until NIO? Right now my node is
> completely useless as it's sending almost nothing out.

We can get NGRouting working.

Exploitable? Probably, although it'd be relatively difficult - open 100
connections to a node simultaneously, as slowly as possible without them
actually disconnecting. Thus you can DoS the node, using very little
bandwidth.

The problem is, even if negotiations are non-blocking, we may want to
impose a limit on them, because of the considerable CPU they use, and
the nonzero memory they use; furthermore, even if negotiations are
non-blocking, you still have the connection limit, which you can also
DoS. We could limit the number of connections or negotiations per IP
address, but then the attacker will simply obtain more IP addresses.
Nasty.

*IF* negotiations are so fast that you can't use the PK crypto involved
to DoS the node on CPU, (this is all assuming you are using a lot less
bandwidth than would be needed for a bandwidth-based DoS i.e. a lot less
than the node's incoming limit), some sort of message based protocol
might avoid such attacks... maybe. Oh and hash cash would be another
possibility.

Sessionv2 will drastically reduce the CPU cost of session restarts, but
will leave the full negotiation protocol untouched. This is another
reason why we will be leaving most of the hostile environment stuff for
Freenet 2.0, if it's even possible then.

>
> ----- Original Message -----
> From: "Toad" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, August 18, 2003 8:59 AM
> Subject: Re: [freenet-dev] too many threads
>
> The summary box just above that is useful too. Please include it in
> future dumps. As to the actual content... you have most threads in
> PublicNIOInterface i.e. negotiating inbound connections. This is not
> uncommon. It will continue until we make negotiations non-blocking, or
> the load balancing problem is rectified. We have wide reports of it. We
> are going to try to see if NGRouting sorts out the load balancing
> problem and thus such issues; we will implement non-blocking
> negotiations AFTER NGRouting.
>
> _______________________________________________
> devl mailing list
> [EMAIL PROTECTED]
> http://hawk.freenetproject.org:8080/cgi-bin/mailman/listinfo/devl

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
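
An added sketch, not Freenet code and not part of the message above: it combines the two limits the reply discusses (a cap on concurrent negotiations and a per-IP cap) with an absolute per-handshake deadline, which is an assumption added here so that a negotiation kept alive slowly still gives up its slot. The class name, the limits and the addresses are hypothetical.

```python
import time
from collections import Counter

class NegotiationGate:
    """Admission control for inbound handshakes (hypothetical, not Freenet's API)."""

    def __init__(self, max_total=50, max_per_ip=3, deadline_s=10.0,
                 clock=time.monotonic):
        self.max_total, self.max_per_ip = max_total, max_per_ip
        self.deadline_s, self.clock = deadline_s, clock
        self.active = {}         # conn_id -> (ip, absolute deadline)
        self.per_ip = Counter()  # ip -> handshakes currently in progress

    def admit(self, conn_id, ip):
        """True if the handshake may start; False means refuse before any crypto."""
        self.reap()
        if len(self.active) >= self.max_total or self.per_ip[ip] >= self.max_per_ip:
            return False
        # Deadline is fixed at admission: trickling bytes does not extend it,
        # unlike an idle timeout that resets on every read.
        self.active[conn_id] = (ip, self.clock() + self.deadline_s)
        self.per_ip[ip] += 1
        return True

    def finish(self, conn_id):
        """Release the slot when a handshake completes, fails or is reaped."""
        entry = self.active.pop(conn_id, None)
        if entry is not None:
            self.per_ip[entry[0]] -= 1
            if self.per_ip[entry[0]] <= 0:
                del self.per_ip[entry[0]]

    def reap(self):
        """Evict handshakes past their deadline; caller closes these sockets."""
        now = self.clock()
        expired = [c for c, (_, d) in self.active.items() if now >= d]
        for c in expired:
            self.finish(c)
        return expired

if __name__ == "__main__":
    # Constructed scenario: 100 slow handshakes, each from a distinct address
    # (documentation range), so the per-IP cap never triggers.
    t = [0.0]
    gate = NegotiationGate(max_total=20, clock=lambda: t[0])
    print(sum(gate.admit(i, "198.51.100.%d" % i) for i in range(100)), "admitted")
    print("peer admitted while full:", gate.admit("peer", "203.0.113.7"))
    t[0] = 10.0  # deadline passes; stalled handshakes are evicted
    print("peer admitted after reap:", gate.admit("peer", "203.0.113.7"))
```

The global cap bounds CPU and memory spent on negotiations no matter how many source addresses are used, and the deadline bounds how long each slot can be held.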
