How does MaidSAFE prevent DDOS attacks?

Let’s say a resource is heavily requested. In BitTorrent and other Kademlia implementations, a computer downloading a resource also seeds it, so there is a balance between publishers and consumers.

In the SAFE network, the vaults can’t choose which section to belong to, and moreover each vault may only have a chunk of the file.

How exactly does the mechanism work to adjust for load balance for a particular resource? Does it get more redundantly stored across more sections in response to more requests, and if so, how? And how does it cache resources closer to the requester?

Also, what are the proposed economics of this? I have read (from this quora answer: https://www.quora.com/How-does-IPFS-compare-with-the-SAFE-Network/answer/Dan-K-76?share=55f104a7&srid=3gu) that publishers are actually going to get paid the more their resource is accessed? I have a few economic observations:

  1. Accessing your own resource shoud be costly or a zero-sum game at best, otherwise people would game this similar to clicking on ads hosted by their own website, to earn money.

  2. If access is absolutely free, then people can game this by launching denial-of-service attacks on particular resources.

It seems to me that the responsibility to provide a resource should accrue equal to the amount of resource consumed. Providing a resource could be done either personally, or via paying safecoin. If you don’t have enough safecoin to provide a resource, you shouldn’t be able to access it either.

There can be a “free tier” for known members with a reputation (ie no sybil attacks). For example a certain amount of resource access per day. But you can’t just have unlimited amounts. I suppose if you have no limits then each section can adjust its resource availability based on the proportion of the requested resource.

3 Likes

Short answer - Caching.

As the resource is accessed more and more there will be more and more caching occurring in nodes closer to the requesting clients

DDOS on clearnet works because they are tying up a “single” link with so much traffic that no one can use the server

In SAFE the network is sourcing the data from many sources due to caching and those sources are ones closer to the client requesting the data. So a DDOS from 10000 machines will end up having 40000 or more nodes supplying the data to them

As far as people DDOSing a particular resource, we see that its not really possible and as history shows DDOS attacks do not last for very long. People get bored. Its expensive to keep it up. Ever tried to purchase a botnet to do a DDOS. Its expensive.

EDIT: and about cost. The farming rewards are supposed and will be made to cover the costs of the farmer (running the NODE/vault) including the cost to store, bandwidth of supplying data from the vault, the cache and the hopping of the chunks.

Most of these questions has been discussed many times on the forum and perhaps a good search of the question might get you a lot of good information about the question.

19 Likes

Love the way you summarize the network and it’s mechanics neo. A priceless asset to the community.

6 Likes

Right!? It’s like highway robbery! Hate it when that happens but I did find some pretty great coupon codes online for botnets if anyone’s interested. :joy::wink:

4 Likes

Thanks for the info! Are there any good links to forum topics that explain how the caching actually is implemented?

I know you say to do a search but if the search is easy then maybe you can find the links you’re thinking of.

1 Like

Its late here for me and I don’t have time anymore. But the first few of this search should give you some reading. Just remember that caching is one of the later features to be implemented and not sure when it will be implemented

https://forum.autonomi.community/search?q=cache

1 Like

MaidSafe is based on a secure Kademlia implementation. DDOS isn’t the biggest threat in Kademlia, Eclipse and Sybil are bigger threats which MaidSafe also strives to protect against. For an example see BitTorrent (thepiratebay) which governments have been attacking for a long time which uses a stripped down variant of Kademlia which reveals contact information. MaidSafes implementation is a lot more resilient since it has been designed with security in mind - if a node doesn’t follow the protocol then they are ignored, the only time contact information is shared is either via whitelisting at bootstrap or in accordance with the protocol (a finite state machine with presumed cryptographic security).

To answer the title of the question - MaidSafe is resistant to DDOS not because of caching but because theres no way to tell geographically which nodes store a particular instance of some data. Nodes can use rate limiting in order to limit the amount of messages they receive so that they can’t individually be DDOSed and may penalise nodes which have malicious behaviour by marking them as such and sharing with the rest of the network. It is very difficult to DDOS a resource which is split into chunks across an XOR space with no geographic correspondence.

For ‘how exactly does the mechanism work’ there are docs in MaidSafe github or search Wikipedia for Kademlia. Theres also S/Kademlia paper which shows you how Kademlia can be secured against different types of attacks.

4 Likes

So how do you prevent Sybil attacks from forming their own rogue sections or taking over sections? For example I can think of the following motivated attack:

  1. A sets up to pay B a lot of safecoins and remembers their ids

  2. A colludes with the sections storing the safecoins thanks to months of preparation infiltrating the sections with sleeper agent safes (nodes)

  3. The sections report that A paid B and now B owns the safecoins.

  4. B sends the goods

  5. A tells the sections to “forget” the history of the safecoins being watched

@neo do you have an explanation for what measures MaidSAFE has for mitigating this specific scenario?

Is it that the sections look after MANY things and won’t want to forget updates to the safecoins because they’ll also forget lots of other stuff?

Encryption doesn’t help here because A knows the ids of the safecoins and thus which sections and safes will look after it.

If the amount A paid B exceeds the cost to the sections of colluding, why wouldn’t they collude?

Lets say an attacker sets up their own sections. What mechanism is there for them to be accepted into the SAFE network. No section in the SAFE network will recognise them as being part of the SAFE network.

There is a good topic or two talking of bad actors and explores this scenario. And some surprising results from simulations done by a few people including @mav and @tfa

The issue here is do the bad actor nodes have enough (67%) elders in the specific sections that will be involved in your scenario.

For your scenario to work there has to be 67% of elders in the section to be these bad (sleeper) nodes. Now if you were able to do this then I’d not worry about “goods” but you would change the owner of coins under the control of the section to yourself. And create coins for empty coin addresses. Maybe only do a portion so its not too obvious.

Once you reach 67% of elders then you do as you please in the section, pure and simple and the SAFE network has no current defence against that once it happens.

Now getting to that stage is an expensive exercise because you must be able to get your bad actor nodes into one section. Any section probably will do but it has to be one section. This would take a lot of time and need to be restarting the bad nodes until “random” allocation of those nodes end up in that section. But it made more difficult by the fact that only one new node is allowed at any time and it has to age. If the section has plenty of child, adult, elder nodes then it will not accept any more nodes. Then those “bad” nodes have to age all the way up to elders. But the section does not promote nodes to being elders till the section needs more elders and there is a node old enough to be an elder.

From this we see that it will both take time (which costs) and its possible that no bad actor nodes will become elders once you choose a section to attack.

So then you decide to add bad elders by the 10s or 100s of thousands to the safe network. You still will see only a portion accepted as infants in any given timeframe and need to keep retrying. Then its like above, but now you will have many sections and some at least will see your bad actors promoted eventually to elders.

What I am saying is its expensive to do this and its a waiting game of potentially many months to get one section with some elders and perhaps longer to get to 67% in one section. Obviously the more money and time you have the greater chance you have of getting there.

Once there you simply create coins at the addresses under the section’s control where there is no coins and set the owner to yourself. Will that be enough to repay the cost of doing it? Dunno, it may be or not be enough.

Then David suggested that once a person is adding all these bad actor nodes that have to do all the work of good nodes and earning coins for farming before attacking, it might be more profitable for the attacker to just farm and stay good.

3 Likes

Why? Can you elaborate on what is going on there?

Its more how can they join the safe network.

  • No section or node in the safe network will recognise the IDs of the foreign sections/nodes
  • Sections know their neighbour sections. So the foreign is unknown to any safe sections and so they are not considered part of the network and any communications from the foreign sections/nodes will not be accepted.
1 Like

Ok let me ask another possibility. I know this sounds silly but I called it the “early attack”. How do I know that while the network is small, entire malicious sections weren’t already added, to collude later with other safes coming in and take over sections in the future?

I realize this is probably stupid to do for MaidSAFE since it would undermine their own network. But just as a theoretical possibility, I am wondering because I am thinking about these architectural issues in general.

Not a silly question and one we discussed in the topic I’ve got to find for you.

If an attacker adds nodes when the network is very small (eg only a few hundred/thousand nodes) then it’d be easy to take over the network. You’d have to restart the network.

It is an important question and one we have to work out a solution to.

It will be important early on for all those in this forum and others who wish SAFE to succeed to be adding their nodes to help build the network to a point where what you describe is not easy and maybe impossible.

Another point is that while bad actors are acting good before they attack, they can lose a controlling number of elders due to node churn and section splitting as good nodes are added. If that were to occur then your initial infected network could lose its ability to disrupt if you don’t keep adding bad actor nodes.

For example if you add 50000 bad actor nodes while the network has only 50000 other nodes then most likely you have controlling elders in a significant number of sections and even more sections with a disruption ability. Now if another 200000 good nodes are added then you might only have a few sections where you could control and a few more where you could disrupt. Now if another 200000 good nodes are added then you maybe able to control none. So if you wait too long then you lose the ability to control. Thus you’d need to keep adding more bad actor nodes to maintain a potential control (some) sections.

All this time of course it is costing something for you to do this.

So I see most attacks happening in a short timeframe or not being successful. Except if started when network is small and adding all the time, till attack.

3 Likes