On Mon, Aug 18, 2003 at 09:40:43PM +0100, Toad wrote:
> On Mon, Aug 18, 2003 at 01:15:24PM -0700, pineapple wrote:
> > I have some questions. Is this problem exploitable?
> > Is someone exploiting it to DoS nodes? Could you add
> > the IP address for these negotiation threads into the
> > thread dump? Do you have any suggestions on what I
> > can do about this until NIO? Right now my node is
> > completely useless as it's sending almost nothing out.
>
> We can get NGRouting working.

There should be a separation here. NGRouting should solve the network
overload problems, or greatly reduce them. The following discussion
relates to exploitability of the negotiation/session protocol.

> Exploitable? Probably, although it'd be
> relatively difficult - open 100 connections to a node simultaneously, as
> slowly as possible without them actually disconnecting. Thus you can DoS
> the node, using very little bandwidth. The problem is, even if
> negotiations are non-blocking, we may want to impose a limit on them,
> because of the considerable CPU they use, and the nonzero memory they
> use; furthermore, even if negotiations are non-blocking, you still have
> the connection limit, which you can also DoS. We could limit the number
> of connections or negotiations per IP address, but then the attacker
> will simply obtain more IP addresses. Nasty. *IF* negotiations are so
> fast that you can't use the PK crypto involved to DoS the node on CPU,
> (this is all assuming you are using a lot less bandwidth than would be
> needed for a bandwidth-based DoS i.e. a lot less than the node's
> incoming limit), some sort of message based protocol might avoid such
> attacks... maybe. Oh and hash cash would be another possibility.
> Sessionv2 will drastically reduce the CPU cost of session restarts, but
> will leave the full negotiation protocol untouched. This is another
> reason why we will be leaving most of the hostile environment stuff for
> Freenet 2.0, if it's even possible then.
> >
> > ----- Original Message -----
> > From: "Toad" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, August 18, 2003 8:59 AM
> > Subject: Re: [freenet-dev] too many threads
> >
> > The summary box just above that is useful too. Please include it in
> > future dumps. As to the actual content... you have most threads in
> > PublicNIOInterface i.e. negotiating inbound connections. This is not
> > uncommon. It will continue until we make negotiations non-blocking, or
> > the load balancing problem is rectified. We have wide reports of it. We
> > are going to try to see if NGRouting sorts out the load balancing
> > problem and thus such issues; we will implement non-blocking
> > negotiations AFTER NGRouting.
> >
> > _______________________________________________
> > devl mailing list
> > [EMAIL PROTECTED]
> > http://hawk.freenetproject.org:8080/cgi-bin/mailman/listinfo/devl
>
> --
> Matthew J Toseland - [EMAIL PROTECTED]
> Freenet Project Official Codemonkey - http://freenetproject.org/
> ICTHUS - Nothing is impossible. Our Boss says so.

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
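The hash cash idea mentioned in the message above, as an added sketch that is not part of the original thread and is not Freenet code: the node hands out a stateless challenge and checks a proof of work with one HMAC and one hash before it spends any CPU on public-key negotiation. The function names, `SERVER_KEY`, `MAX_AGE` and the challenge format are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import time
from itertools import count

SERVER_KEY = os.urandom(32)  # per-node secret (assumption of this sketch)
MAX_AGE = 60                 # seconds a challenge stays valid (assumed value)

def _tag(client_ip, ts):
    # Binds the challenge to the peer address and issue time.
    msg = f"{client_ip}|{ts}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]

def make_challenge(client_ip, now=None):
    """Stateless: the node stores nothing until a solved challenge returns."""
    ts = int(time.time() if now is None else now)
    return f"{ts}:{_tag(client_ip, ts)}"

def has_work(challenge, counter, bits):
    # True when SHA-256(challenge:counter) starts with `bits` zero bits.
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0

def solve(challenge, bits):
    """Client side: expected cost is about 2**bits hashes."""
    return next(n for n in count() if has_work(challenge, n, bits))

def verify(challenge, counter, client_ip, bits, now=None):
    """Server side: cheap checks that run before any PK crypto."""
    now = time.time() if now is None else now
    try:
        ts_str, tag = challenge.split(":")
        ts = int(ts_str)
    except ValueError:
        return False                      # malformed challenge
    if not 0 <= now - ts <= MAX_AGE:
        return False                      # stale or future-dated
    if not hmac.compare_digest(tag.encode(), _tag(client_ip, ts).encode()):
        return False                      # not issued by us for this peer
    return has_work(challenge, counter, bits)

if __name__ == "__main__":
    ip = "192.0.2.10"                     # constructed documentation address
    ch = make_challenge(ip)
    n = solve(ch, bits=16)
    print(ch, n, verify(ch, n, ip, bits=16))
```

This raises the cost of each negotiation attempt; it does not by itself free a negotiation slot that a peer holds open slowly, so a per-negotiation deadline is still needed alongside it.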
