itsjustme
*** pokes head in ***
itsjustme
*** waves at dr|z3d ***
itsjustme
*** sits back down ***
itsjustme
hello
RN
aloha itsjustme
itsjustme
hey RN :D
itsjustme
how have you been?
itsjustme
long time no see
xeiaso
Hey hey hey itsjustme
itsjustme
hey xeiaso!
RN
I've been prety distracted... LOL
RN
surviving mostly.
RN
been a while since you've spoken, how's things for you?
itsjustme
Going ok here :)
itsjustme
just been busy for a while
xeiaso
>as you can see, now I have ~40k peers, ~30k floodfills and in total about of 1 million files in the I2Pd profile directory.
xeiaso
oh my i2pd
xeiaso
(not mine tho)
itsjustme
:D
orignal
ok guys. looks like nobody is interested to discuss mitignation of the attack
orignal
it's pity
xeiaso
orignal: why do you say that?
dr|z3d
what's up, orignal? anything new?
orignal
because I don't see discussion about it
xeiaso
aren't you guys discussing it on #dev?
orignal
yes, but I want Java guys be involved
orignal
basically now I consdier a router as floodfill only if there was either tunnel accept or rject code from it or if it connected to me as Alice before
orignal
otheraide I put it on hold and consider it as an ordinary router until one of those happens
xeiaso
and you don't give it out as a response to a DatabaseLookup?
xeiaso
as a not found response thingy
orignal
correct
orignal
no I do if it's requested explicitly
orignal
but not in "closest" list
orignal
unfortunally we can't rely if we connected to it
xeiaso
that does look like it will fix it
orignal
due this weakness of our protocol
xeiaso
are you sure that it isn't an i2pd weakness? because I vaguely remember writing some code that could connect to i2pd but not java i2p
orignal
after short time we always have only real floodfills
orignal
no it's prptocol
orignal
when you connect to Bob you never know you connect to right one
xeiaso
i see
orignal
it needs to be change
orignal
one it's done we can also add if we connected to it
xeiaso
I noticed in ntcp2 that in SessionRequest Alice's X key is obfuscated using Bob's router hash
eyedeekay
I've been following dev but I don't read russian so I machine translate it and read it back, but re: Alice-only floodfills, I am also working on something like that by adding it to our profiling.
xeiaso
if the bob RI is spoofed then bob shouldn't properly decode Alice's X key
eyedeekay
What I am going to do is make it part of how we pick floodfills to put former alices at the top, and if there is an alice on the same IP as a non-alice we may drop the non-alices
eyedeekay
The goals being to improve selection and reduce false-positive blocking
xeiaso
Alices being inbound connections?
orignal
no, unfortunately it uses i
orignal
not Router's key from identity
xeiaso
X :: 32 bytes, AES-256-CBC encrypted X25519 ephemeral key, little endian
xeiaso
key: RH_B
orignal
attack can also copy i
eyedeekay
Alice's being peers we have connected to when they were Alice, recently, i.e. not spoofed
xeiaso
iv: As published in Bobs network database entry
xeiaso
it uses both?
orignal
sec
orignal
let me check
orignal
xeiaso very good ctach
orignal
if uses Bob's ident hash as AES key
orignal
hence NTCP2 is securew
orignal
so the only problem is SSU2
eyedeekay
That's good news
xeiaso
I wouldn't know, I haven't looked at SSU2
orignal
I forgot about it though we alwyas use i
dr|z3d
introducers?
orignal
no. "i" key in an address
xeiaso
salt
eyedeekay
one problem is just usually better than two. I also tried a less-aggressive version of mesh's aggressive floodfills idea, and increased exploratory tunnels by 2, 4, and 6, which did correlate to better bsr overall by up to 20%
xeiaso
eyedeekay: I'm guessing that's because it invalidated the garbage RIs faster.
eyedeekay
That's my hypothesis too
dr|z3d
ah, gotcha, orignal
dr|z3d
eyedeekay: mesh's aggressive ff exclusion idea is based on observation of what I'm doing in I2P+ :)
dr|z3d
I'm seeing just how aggressive we can be right now without unwittingly banning good floodfills.
eyedeekay
Yeah some interesting stuff going on there
dr|z3d
I wasn't using the correct variable for ff bans in the selector, so the bans weren't being put in effect there. elsewhere, because I'm banning at various entry points to the netdb, but not there. now testing fixed ff selector.
dr|z3d
once I've determined it's not going to totally hose the router, I'll upload.
orignal
eyedeekay I have another idea. Just introduce IdentHash block similar to RouterInfo
orignal
kinda "brief" version
orignal
why can't we just send RouterInfg with SessionCreated
orignal
because it might not fit one packet
dr|z3d
is there where a network rekey so everyone's on compressible RIs becomes more compelling?
orignal
compressibel RI might not be a solution
orignal
and we send 2 fragments from SessionConfirmed
xeiaso
orignal: you could send it in the next frame after then SessionCreated
xeiaso
and it's sent immediately after connect already
orignal
you mean Data?
xeiaso
yes as data
orignal
it's another option
eyedeekay
I don't think I can get away with an all-compressible RI switch here
eyedeekay
In any case
dr|z3d
it's something zzz raised in passing a while back when compressible RIs were introduced. I just wondered whether that's a potential piece of a solution. Do compressible RIs fit in 1 packet?
RN
because of backward compatibility?
dr|z3d
itsjustme: welcome back!
dr|z3d
RN: in essence, yes. if we force compressible RIs on the network, then older routers get left behind.
orignal
they do but you can't rely on it
xeiaso
speaking of backwards compatibility, how far back does it go?
eyedeekay
Oh jeez like, 0.9.22 or something like that, at least for regular I2P
eyedeekay
We only talk SSU to routers that old
eyedeekay
I am continually baffled as to why people run versions that old but there is a definite populatio out there
itsjustme
thanks dr|z3d :)
dr|z3d
all good over there, itsjustme? :)
itsjustme
yeah all is well overall. Been busy but otherwise good :) hbu?
dr|z3d
not bad, thanks, though the recent network attacks are tedious :|
itsjustme
yeah, for a while things just weren't working so I turned off i2pd for a bit
itsjustme
seems like things are working ok for now at least
dr|z3d
if you can compile your own builds, worth keeping abreast of the git repo.
dr|z3d
orignal's chasing down issues like nobody's business :)
mesh
things aren't really normal here
mesh
I've got 20k banned routers
eyedeekay
It's been an abnormal day in that way, 17k here, how things otherwise
RN
47k and 15k banned on mine
albat
hi RN :) all :)
albat
pm?
mesh
eyedeekay: it looks like the same as the previous 2-3 days... not exactly sure why people are celebrating
mesh
eyedeekay: unusually high floodfill count followed by unusually high banned count. The number of active routers is down quite a bit
mesh
fortunately by configuring the router to be a very aggressive floodfill we're not seeing loss of connectivity. i2p services are still available
xeiaso
mesh: is there a site that shows the number of active routers like stats.i2p did?
mesh
xeiaso: you can try i2pmetrics.i2p
eyedeekay
It is skewed by the spam right now
xeiaso
if the RIs are cloned, why does the "new" stats.i2p show tons more IPs?
eyedeekay
They're not all cloned anymore
mesh
xeiaso: a wave of fake floodfills are sending out wavess of forged RIs
RN
if this was radio, we could find the frequency of the waves invert it (with a slight phase shift) amplify it and cause the source to blow up
RN
(very oversimplified version)
mesh
RN: yeah that's not how radio works at all
RN
LOL
RN
if you are close enough, yes you can pop someone's transmitter. but I did say it was oversimplified.
RN
I also neglected to mention you have to amplify to levels that are probably not legal
RN
been there and done that
weko
[01:15:57] <eyedeekay> I've been following dev but I don't read russian so I machine translate it and read it back, but re: Alice-only floodfills, I am also working on something like that by adding it to our profiling.
weko
Anyway, what do you think about general (protocol-level) profiling rules recommendations?
not_bob
Russian is fun to learn.
weko
not_bob_afk: спокойной ночи!
not_bob_afk
weko: спасибо
eyedeekay
weko do you mean defining the procedures we're using to optimize the peers we connect to and making it part of the description of the netDB, or the various proposals re verifying Bob's signature?
weko
eyedeekay: moxtly first, but I think what profiles are not a part of netdb, it should be separate. General goal is 1) define full list of rules of good router and 2) describe new and better old practics of profilng.
weko
P.S. In "Profiling" I mean any algorithms, that help do not use bad and danger routers, protect from abuse (by general parameters and router-specify parametrs).
weko
It also can require adding some new features (like tunnel speed limitation by transits)
weko
it is nessary for fix some really stupid problems with RIs, global fix of most DDoS attacks, better connections and other improvments
T3s|4
dr|z3d: minor stuff, but pretty sure I've used 3 of latest versions of -20+, and for each of those 3, the Build date did change, but the Revision '436631ca' did not change. I can see on my other laptop, both the Build date and Revision have changed under -21+
dr|z3d
T3s|4: that's fairly normal for dev builds, sometimes they get uploaded before the changes are committed, so the revision won't change.
T3s|4
np dr|z3d - but been a tad bumpy ride of late ;p
dr|z3d
bumpy ride is about right. :)
dr|z3d
bump, T3s|4_, is almost 10K bans in 20m of uptime. :)
dr|z3d
*bumpy
weko
you again ban all routers? wtf with tcsr
dr|z3d
are you asking a question, weko?
weko
Can your code ban real router because fake RIs?
weko
routers*
dr|z3d
it doesn't work like that.
dr|z3d
you're talking about sybil detection. that's something entirely different.
dr|z3d
currently on the router I'm looking at there are precisely 0 bans for sybils.
orignal
xeiaso_ thanks will limit to 8
orignal
good ctach
dr|z3d
I think there's a hard limit referenced in the specs, orignal
orignal
yes
dr|z3d
7 hops max.
orignal
it's my fault that I don't check number of records
orignal
you never know number of hops
orignal
you can only check number of records that's 8
dr|z3d
great way to choke up the network, 255 hop tunnels :)