IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#ls2
/2023/01/05
orignal if I receive tunnel build request with same tunnel id, do I drop it or send reply with error code?
dr|z3d on the java side, we drop tunnel requests we determine are hostile.
dr|z3d if (ourId <= 0 || ourId > TunnelId.MAX_ID_VALUE ||
dr|z3d nextId <= 0 || nextId > TunnelId.MAX_ID_VALUE) {
dr|z3d _context.statManager().addRateData("tunnel.rejectHostile", 1);
dr|z3d if (_log.shouldWarn())
dr|z3d _log.warn("Dropping hostile build request, BAD Tunnel ID: " + req);
dr|z3d if (from != null) {
dr|z3d _context.commSystem().mayDisconnect(from);
dr|z3d _context.banlist().banlistRouter(from, " <b>➜</b> HostileTunnel Request (BAD Tunnel ID)", null, null, _context.clock().now() + bantime);
dr|z3d _log.warn("Temp banning [" + from.toBase64().substring(0,6) + "] for " + period +
dr|z3d "m -> Hostile tunnel request (BAD TunnelID)");
dr|z3d return;
dr|z3d banning the router is optional, canon doesn't, cannon does.
dr|z3d (temp ban)
zzz same tunnel id as what?
dr|z3d got what the router's reporting as a forged RouterInfo here, seen a couple of those reported in the last few days
zzz ^^^ orignal 12 introducers ?!?!?
dr|z3d 12 introducers for an X tier floodfill no less.
orignal we never publish more than 3
orignal zzz, so I receive tunnel build request with record and my tunnelid I'm supposed to use for it
orignal then I find there is another transit tunnel with same id already
zzz send reject, you can't let somebody steal somebody else's tunnel, of course!
orignal what I do with ti? Drop or reject?
zzz we reject
zzz // Dup Tunnel ID. This can definitely happen (birthday paradox).
zzz // Probability in 11 minutes (per hop type):
zzz // 0.1% for 2900 tunnels; 1% for 9300 tunnels
zzz response = TunnelHistory.TUNNEL_REJECT_BANDWIDTH;
zzz orignal, do you let tunnels get stolen now?
orignal zzz what reject code? 30 or 10?
orignal what do you mean "stolen"?
zzz I see target LS with IBGW, I send tunnel build to IBGW with same ID. Do you detect the duplicate now, or do you send me all the target's traffic?
zzz <zzz> response = TunnelHistory.TUNNEL_REJECT_BANDWIDTH;
orignal right now I accept
orignal but use old one
orignal that's definitly bug
orignal so, code 30, right?
orignal when do you sedn code 10?
zzz 10 is during rapid increase in tunnels
zzz ok, so please verify, it is NOT possible to steal a tunnel?
orignal not possible to steal
zzz but if there IS a dup, my traffic will go to somebody else?
orignal just send 0 instead 30
orignal tell me in which case I should send 10
zzz lets finish the dup discussion first
orignal it will go through original tunnel
zzz ok, so I need to prevent i2pd from being my IBGW?
orignal as it published in LS
zzz I don't want my traffic going to the wrong guy
orignal you build a tunnel
orignal I'm IBGW
orignal it will not
zzz other way
orignal that's what I'm trying to say
orignal an advesary tries to steal tunnel
zzz somebody else builds tunnel through you as IBGW
zzz then I build tunnel through you with same ID
zzz my traffic goes to other guy
zzz not an attack, just bad luck
zzz <zzz> // Dup Tunnel ID. This can definitely happen (birthday paradox).
zzz <zzz> // Probability in 11 minutes (per hop type):
zzz <zzz> // 0.1% for 2900 tunnels; 1% for 9300 tunnels
orignal how can you build with the same id unintentionally?
orignal I will just fix it
orignal 30 instead 0
zzz sure, but I think I need to avoid i2pd as IBGW
zzz I don't want any chance of my traffic going to somebody else
orignal it works for many years
orignal and will be fiex in the next release
zzz it's a security issue I think
orignal have you ever seen sombebody else's traffic?
zzz I get decrypt fails all the time
orignal me too
orignal but there are bunch of other reasons
zzz hmm. actually I'd have to avoid i2pd for all hops, not just ibgw
orignal nice ))
zzz not ideal
orignal as I said wait for the next release
zzz I;ll have to think about it
dr|z3d how you getting on with those bloom filters, orignal?
orignal in this case that guys will not be able to decrypt your traffic
orignal because only you can
orignal dr|z3d will implement in few days
dr|z3d great stuff
zzz right
orignal we can also make 2.45.1 with bloom filter and transit tunnels fixes
zzz you're at 2.3% of network now
orignal yes, and you can see stabilization of creating rate now
orignal *creation
orignal people are slow with updates
orignal but big routers update
orignal 30-40% now
orignal vs. 10-20 last week
zzz why do you think it improved so much?
orignal because new i2pd routers can process much more traffic
orignal and no 2500 transit cap
orignal it's 5000 for regular and 10000 for floodfill
zzz but it's a small % of the network
orignal hence less chance that tunnel build get rejected
orignal maybe Java nodes have less load
zzz no change in avg. part. tunnels
orignal then how do you explain it?
orignal still bunch of transit
orignal and still a lot of traffic
zzz your build limiter?
orignal but rate is higher
orignal as I mentioned before 4 tunnels at the time per dest
orignal regardless actual quatity
zzz so, if you were spamming tunnel builds before and getting rejected all the time, that's why
orignal number of trabsit tunnels is the same
orignal on my routers
zzz remember, your SSU2 session request failed one chance in 16, so that's 6% right there, plus 6% for every other i2pd router in the tunnel or reply tunnel (if not connected before and using SSU2)
zzz the X routers report a big drop in tunnels starting about 48 hours ago
orignal so you think that abuser got updated?
zzz you can check, drz gave you the router hashes
orignal implemented filter for SSU2
obscuratus orignal: Thanks, I'll give the lastest a spin on my testing network.
orignal obscuratus it's not complete yet
orignal SSU2 only
orignal also need to implement it for tunnels
orignal but should be better anyway
obscuratus orignal: OK.
zzz I predict the SSU2 filter will fix 99.9% of the issues in a testnet
zzz it's hard to think of a scenario where an IBGW filter would catch much if everybody has a SSU2 filter
orignal maybe
orignal zzz you promised to tell about code 10