IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#saltr
/2023/05/06
itsjustme *** pokes head in ***
itsjustme *** waves at dr|z3d ***
itsjustme *** sits back down ***
RN aloha itsjustme
itsjustme hey RN :D
itsjustme how have you been?
itsjustme long time no see
xeiaso Hey hey hey itsjustme
itsjustme hey xeiaso!
RN I've been prety distracted... LOL
RN surviving mostly.
RN been a while since you've spoken, how's things for you?
itsjustme Going ok here :)
itsjustme just been busy for a while
xeiaso >as you can see, now I have ~40k peers, ~30k floodfills and in total about of 1 million files in the I2Pd profile directory.
xeiaso oh my i2pd
xeiaso (not mine tho)
orignal ok guys. looks like nobody is interested to discuss mitignation of the attack
orignal it's pity
xeiaso orignal: why do you say that?
dr|z3d what's up, orignal? anything new?
orignal because I don't see discussion about it
xeiaso aren't you guys discussing it on #dev?
orignal yes, but I want Java guys be involved
orignal basically now I consdier a router as floodfill only if there was either tunnel accept or rject code from it or if it connected to me as Alice before
orignal otheraide I put it on hold and consider it as an ordinary router until one of those happens
xeiaso and you don't give it out as a response to a DatabaseLookup?
xeiaso as a not found response thingy
orignal correct
orignal no I do if it's requested explicitly
orignal but not in "closest" list
orignal unfortunally we can't rely if we connected to it
xeiaso that does look like it will fix it
orignal due this weakness of our protocol
xeiaso are you sure that it isn't an i2pd weakness? because I vaguely remember writing some code that could connect to i2pd but not java i2p
orignal after short time we always have only real floodfills
orignal no it's prptocol
orignal when you connect to Bob you never know you connect to right one
xeiaso i see
orignal it needs to be change
orignal one it's done we can also add if we connected to it
xeiaso I noticed in ntcp2 that in SessionRequest Alice's X key is obfuscated using Bob's router hash
eyedeekay I've been following dev but I don't read russian so I machine translate it and read it back, but re: Alice-only floodfills, I am also working on something like that by adding it to our profiling.
xeiaso if the bob RI is spoofed then bob shouldn't properly decode Alice's X key
eyedeekay What I am going to do is make it part of how we pick floodfills to put former alices at the top, and if there is an alice on the same IP as a non-alice we may drop the non-alices
eyedeekay The goals being to improve selection and reduce false-positive blocking
xeiaso Alices being inbound connections?
orignal no, unfortunately it uses i
orignal not Router's key from identity
xeiaso X :: 32 bytes, AES-256-CBC encrypted X25519 ephemeral key, little endian
xeiaso key: RH_B
orignal attack can also copy i
eyedeekay Alice's being peers we have connected to when they were Alice, recently, i.e. not spoofed
xeiaso iv: As published in Bobs network database entry
xeiaso it uses both?
orignal let me check
orignal xeiaso very good ctach
orignal if uses Bob's ident hash as AES key
orignal hence NTCP2 is securew
orignal so the only problem is SSU2
eyedeekay That's good news
xeiaso I wouldn't know, I haven't looked at SSU2
orignal I forgot about it though we alwyas use i
dr|z3d introducers?
orignal no. "i" key in an address
eyedeekay one problem is just usually better than two. I also tried a less-aggressive version of mesh's aggressive floodfills idea, and increased exploratory tunnels by 2, 4, and 6, which did correlate to better bsr overall by up to 20%
xeiaso eyedeekay: I'm guessing that's because it invalidated the garbage RIs faster.
eyedeekay That's my hypothesis too
dr|z3d ah, gotcha, orignal
dr|z3d eyedeekay: mesh's aggressive ff exclusion idea is based on observation of what I'm doing in I2P+ :)
dr|z3d I'm seeing just how aggressive we can be right now without unwittingly banning good floodfills.
eyedeekay Yeah some interesting stuff going on there
dr|z3d I wasn't using the correct variable for ff bans in the selector, so the bans weren't being put in effect there. elsewhere, because I'm banning at various entry points to the netdb, but not there. now testing fixed ff selector.
dr|z3d once I've determined it's not going to totally hose the router, I'll upload.
orignal eyedeekay I have another idea. Just introduce IdentHash block similar to RouterInfo
orignal kinda "brief" version
orignal why can't we just send RouterInfg with SessionCreated
orignal because it might not fit one packet
dr|z3d is there where a network rekey so everyone's on compressible RIs becomes more compelling?
orignal compressibel RI might not be a solution
orignal and we send 2 fragments from SessionConfirmed
xeiaso orignal: you could send it in the next frame after then SessionCreated
xeiaso and it's sent immediately after connect already
orignal you mean Data?
xeiaso yes as data
orignal it's another option
eyedeekay I don't think I can get away with an all-compressible RI switch here
eyedeekay In any case
dr|z3d it's something zzz raised in passing a while back when compressible RIs were introduced. I just wondered whether that's a potential piece of a solution. Do compressible RIs fit in 1 packet?
RN because of backward compatibility?
dr|z3d itsjustme: welcome back!
dr|z3d RN: in essence, yes. if we force compressible RIs on the network, then older routers get left behind.
orignal they do but you can't rely on it
xeiaso speaking of backwards compatibility, how far back does it go?
eyedeekay Oh jeez like, 0.9.22 or something like that, at least for regular I2P
eyedeekay We only talk SSU to routers that old
eyedeekay I am continually baffled as to why people run versions that old but there is a definite populatio out there
itsjustme thanks dr|z3d :)
dr|z3d all good over there, itsjustme? :)
itsjustme yeah all is well overall. Been busy but otherwise good :) hbu?
dr|z3d not bad, thanks, though the recent network attacks are tedious :|
itsjustme yeah, for a while things just weren't working so I turned off i2pd for a bit
itsjustme seems like things are working ok for now at least
dr|z3d if you can compile your own builds, worth keeping abreast of the git repo.
dr|z3d orignal's chasing down issues like nobody's business :)
mesh things aren't really normal here
mesh I've got 20k banned routers
eyedeekay It's been an abnormal day in that way, 17k here, how things otherwise
RN 47k and 15k banned on mine
albat hi RN :) all :)
mesh eyedeekay: it looks like the same as the previous 2-3 days... not exactly sure why people are celebrating
mesh eyedeekay: unusually high floodfill count followed by unusually high banned count. The number of active routers is down quite a bit
mesh fortunately by configuring the router to be a very aggressive floodfill we're not seeing loss of connectivity. i2p services are still available
xeiaso mesh: is there a site that shows the number of active routers like stats.i2p did?
mesh xeiaso: you can try i2pmetrics.i2p
eyedeekay It is skewed by the spam right now
xeiaso if the RIs are cloned, why does the "new" stats.i2p show tons more IPs?
eyedeekay They're not all cloned anymore
mesh xeiaso: a wave of fake floodfills are sending out wavess of forged RIs
RN if this was radio, we could find the frequency of the waves invert it (with a slight phase shift) amplify it and cause the source to blow up
RN (very oversimplified version)
mesh RN: yeah that's not how radio works at all
RN LOL
RN if you are close enough, yes you can pop someone's transmitter. but I did say it was oversimplified.
RN I also neglected to mention you have to amplify to levels that are probably not legal
RN been there and done that
weko [01:15:57] <eyedeekay> I've been following dev but I don't read russian so I machine translate it and read it back, but re: Alice-only floodfills, I am also working on something like that by adding it to our profiling.
weko Anyway, what do you think about general (protocol-level) profiling rules recommendations?
not_bob Russian is fun to learn.
weko not_bob_afk: спокойной ночи!
not_bob_afk weko: спасибо
eyedeekay weko do you mean defining the procedures we're using to optimize the peers we connect to and making it part of the description of the netDB, or the various proposals re verifying Bob's signature?
weko eyedeekay: moxtly first, but I think what profiles are not a part of netdb, it should be separate. General goal is 1) define full list of rules of good router and 2) describe new and better old practics of profilng.
weko P.S. In "Profiling" I mean any algorithms, that help do not use bad and danger routers, protect from abuse (by general parameters and router-specify parametrs).
weko It also can require adding some new features (like tunnel speed limitation by transits)
weko it is nessary for fix some really stupid problems with RIs, global fix of most DDoS attacks, better connections and other improvments
T3s|4 dr|z3d: minor stuff, but pretty sure I've used 3 of latest versions of -20+, and for each of those 3, the Build date did change, but the Revision '436631ca' did not change. I can see on my other laptop, both the Build date and Revision have changed under -21+
dr|z3d T3s|4: that's fairly normal for dev builds, sometimes they get uploaded before the changes are committed, so the revision won't change.
T3s|4 np dr|z3d - but been a tad bumpy ride of late ;p
dr|z3d bumpy ride is about right. :)
dr|z3d bump, T3s|4_, is almost 10K bans in 20m of uptime. :)
dr|z3d *bumpy
weko you again ban all routers? wtf with tcsr
dr|z3d are you asking a question, weko?
weko Can your code ban real router because fake RIs?
weko routers*
dr|z3d it doesn't work like that.
dr|z3d you're talking about sybil detection. that's something entirely different.
dr|z3d currently on the router I'm looking at there are precisely 0 bans for sybils.
orignal xeiaso_ thanks will limit to 8
orignal good ctach
dr|z3d I think there's a hard limit referenced in the specs, orignal
dr|z3d 7 hops max.
orignal it's my fault that I don't check number of records
orignal you never know number of hops
orignal you can only check number of records that's 8
dr|z3d great way to choke up the network, 255 hop tunnels :)