I’m pretty concerned about the IPs of elders being exposed. Wasn’t a section vulnerable to stalling if 3 of the 7 elders were DDoS’d?
I’m only speculating… and share your concern, but thinking one answer might be so what? Why do it? What’s your motive, what can you achieve, what will this cost you to maintain for a significant period etc?
Can you answer those questions (at least hypothetically) to give us some sense of the threat here?
I can’t easily myself, esp watching a film (!), but I’m not sure there’s much benefit to hitting a section for a short period. You don’t do lasting damage, you cause temporary inconvenience to a relatively small random group of people you can’t possibly know, and so cannot target.
It feels like you’d be doing a blind DDoS of a few web pages chosen at random. Not easy to target, no way to measure the inconvenience, no benefit to you. Is it really an issue?
What if many (OK, define “many”) sections are targeted with DDoS attacks on three of their Elders?
My questions remain. Define the damage, motive, cost, benefits of DDoS’ing “many” sections and ask whether it’s worth bothering.
Possibly an attack vector for a nascent testnet? Destroy confidence in the system? The probable opponents of SAFE are not interested in profit - the destruction/delay of SAFE is motive enough for them.
Motive is pretty straightforward. What’s crypto now, like $1.5T market cap? There is obviously motivation to disrupt the operations of any network that looks to be a competitor. Then there’s also the censorship of data angle that could also be a motivator. It isn’t hard to figure out which section certain sensitive data chunks live in.
How? Possibly when the network is very small/new but assuming it grows to >10k users and a few hundred sections, how do you figure out where the juicy bits are?
I’m not sure you can “disrupt the network” through this approach. That needs answers to my questions to determine.
Let’s say there is some data you want to censor. I think that’s a good motive and an issue, but still limited. Firstly it’s easy to put up new copies with one byte modified, so if someone wants to publish you can’t block them for long without ever increasing costs (more cost to block for a short time than to publish forever I suspect) so really you only cause some inconvenience rather than censor. A valid attack but limited application and effectiveness?
And this was just an ‘internal’ power struggle, not a state actor level of attack.
Interesting but doesn’t I think help us decide the risk we’re discussing for Safe.
If it’s possible to destroy or even just hurt the network, somebody will do it. Burning “witches”, destroying 5G towers, or replacing vaccines and other medicines with water makes no sense either. Some people just enjoy destroying things. Maybe their god or “Q” tells them to do it. Motive doesn’t matter.
EDIT: The cost of destroying something does matter to most. But we have to take into account trillionaires who are crazy/fanatical or even simply bored.
I agree, but my questions are aimed at understanding whether you can do these things. We shouldn’t just assume that’s achievable, we need to have some basis for thinking this attack is likely, and what the limits of its effectiveness would be.
I’ve suggested this could cause some limited inconvenience to some random people, for a limited period - something we’ve already learned to live with with the current web. I’m not saying that’s definitely the case, but saying I can’t see why it is worse than that based on very little analysis.
I suppose my concern is that of say TOR nodes, if a government knows nefarious things happen on the network in general and can find out the IPs of Elders then can they track them, shut them down and thereby disrupt the network?
Perhaps it would have to be highly coordinated and Elders should be replaced by most mature adults but losing all of a section’s Elders at once can’t be good for data, knowing the network cannot shrink.
I don’t know how serious of a problem it really is but it does raise a lot of questions and a bit of concern if we don’t at least know what the impacts are or are not.
Great write up! My favorite part was “Step aside Satoshi, Safe Network’s here”
I had a similar concern some time back. Good points raised all around. I eventually became less concerned about it because sn could borrow from the methods that Tor is developing to address the same problem: How to stop the onion denial (of service) | The Tor Project
This doesn’t address @nigel’s attack of gov’s potentially targeting and shutting down specific nodes though. The legal basis for such a move is quite murky considering the encrypted nature of the data delivered.
You’ve all raised questions/concerns about what I lovingly call “The nasty neighbor attack”.
A few thoughts:
It’s a significant problem imo, one that’s always been there. There are ddos concerns and other out of band attack vectors. It’s not just elders but any exposed ip in the network. The issue is there in other networks too.
This being said, it’s not really something to stress about at present. An underlying anonymity network is a solution to the problem, but it’s hard to see how this would best be implemented until we have a stable testnet or beta network. Telling people to just use Tor is a terrible idea that is contrary to the safe network fundamentals imo. I would not be surprised if Maidsafe/dirvine has some tricks up their sleeves for how to address it.
I did some basic literature review about a year ago on potential solutions. The biggest challenge is that great anonymity is inversely related to performance. There are some naive solutions… but how many of you are willing to decrease your upload/download rate by 1000x for a 1000x increase in anonymity? Your 100Mb/s broadband would effectively become 100kb/s of actual data throughput. Depending on where you live it may be worth your while, but many people in the northern hemisphere will scream foul if they can’t stream 6 cat videos and a football game simultaneously in 4k.
Allows authorities to identify (some) nodes in their country. Elders being the first they go after.
North Korea passed a law last year to allow the death penalty for anybody introducing/using western culture: “Elimination of Reactionary Thought and Culture”.
Now I do not think China will go so far in the near future, but the runners of Elders would have their social score damaged by running an Elder. This will drop their score and restrict them to some extent. Like being limited in travel/work/shopping if their score was not high enough to start with.
It is of very serious concern that the IP addresses of any Node are easy to get. Just running a client allows finding the IP addresses when accessing the network resources.
For test nets this is not of a concern but for launch (and later testnets) it is very much a concern @dirvine
I don’t believe “legal basis” is relevant at all. Governments torture and kill people all the time, often without making it legal first. If, for some reason, legality is preferred, laws can be changed or interpreted differently very quickly. And this is definitely not something that is only a problem in North Korea or China.
Hillary Clinton recently called for action against Bitcoin because “the technology” supposedly is “manipulated” by China and Russia. If a powerful person wants somebody or something dead, it will die, unless it’s mathematically impossible to kill them. I’m convinced plenty of “legal basis” for bombing e.g. El Salvador out of existence can be found, if their Bitcoin experiment goes too well.
PUTting the network to death might be expensive, but GETting it to death could be cheaper. I guess the latter is what is meant by a DDoS attack. Just some thoughts. I’m really out of my league here.
Here is my opinion on DOS/DDOS.
We can DOS a website, but there is a whole industry now with Cloudflare etc. providing support there. So those attacks on specific open sites and those single targets are real.
You can DOS any known IP address, that is true for bitcoin, filecoin, chia and all blockchains AFAIK. Same for tor exit nodes and more. If an IP address can be found it can be DOS attacked, if it can be found. Some networks try to obfuscate that at a performance cost.
Bitcoin had a few seed IP addresses for a while using DNS to point to them, just a few. Skype had a few hardcoded contact machines (approx 6 BSD machines) to allow bootstrapping on the network for first contact.
So perspective can show the difference from “it will definitely happen” to actually read “it might be possible there is an actor that will try this”. History seems to show those actors are not automatically there fired up and ready to act.
So is it a problem? Is it a problem for every network? And the answer is yes it is, but then we look at what problem is it? And then we need to be able to answer some questions:
- Did the network use time to validate nodes as good?
- Was time used to “timeout” messages that on not arriving kill the network?
- If consensus nodes pause would they fail to restart?
There is much more to ask and the answer to the above for Safe with total order was yes, we would fail and the network would die! Wow, that was bad and a terrible design then. I agree, it was. So what to do?
Ae, CRDT, Section chains, no timers, no caches that can grow forever, no timeouts on the message that must be delivered, idempotency of network service. This is what allows a network or section to Recover from DDOS attack and this is where we are right now. This is a good place.
So can we prevent folk sending data to a node causing DOS/DDOS attack? Likely not. Can we obfuscate traffic? Of course, we can. Can we proxy traffic through different routes? Yes, we can and there has been a ton of work done on removing the message source as having any authority to achieve this.
So breaking this down further
- Can DOS happen - Yes
- Can we recover from it - Yes
- Do we have the fundamentals in place to obfuscate traffic - yes
- Can we hide section elder addresses - not yet and maybe we never can!
I would say this is the state of play. It may happen, we can recover. It seems to not be as big an issue as we imagine it will be. Given the geographic distribution of nodes then state actors need to DDOS machines in other countries, that may not be a good look? In any case, this is my opinion of the issue and where we currently are.
tl;dr We have this in hand, it may never be solvable totally, it may never happen, but we can make it recoverable.
This is a good point, because I think the risk of a malicious actor “not looking good” is a much better defense than any legal aspects.
Was there any suggestion from anyone to just use Tor? Since my link above is the only one mentioning Tor, in case it wasn’t clear, the idea is to use the DDoS defense techniques that Tor is planning to implement (as explained on the linked page), not to use Tor itself.