The Nasty Neighbor Attack: DDOS and OOB social vectors

Worth highlighting again. Couldn’t agree more.


This is real and happening now (maybe still in the rolling out phase) in the sense that the Chinese Government is adjusting its citizens’ “Social Score” which affects everything from employment, travel, where/what they can buy, etc. Some are effectively in “home” detention where they cannot travel outside of a digitally gated area and limited in housing they can get and so on.

Now when the government can get IP addresses of elders then they can see if any they find are in China and adjust the citizen’s score. All can be done with scripts and a few clients accessing random data using the elder IP addresses they find and adjust the Social Score automatically. That citizen may find his holiday to another region in China or outside China has been cancelled.

This means the Chinese would be reluctant to run nodes because of the ease the Government can find them and reduce their standard of living automatically.

Is the proposed system going to have any anonymity safeguards to reduce this happening, @dirvine? I feel this is important. I used China’s social score to show the real life effect it will have on the Chinese, but other countries could (Australia plans to) have a social score system and, like the Chinese one, simply buying 2 bottles of Rum could drop one’s score and buying nappies raise the score in real time.

To me this is more important than general DDOS/DOS attacks as it’s social engineering by the governments on their own citizens. Although some malicious people could take out a section by attacking 3 elders at once. Can the section elect new elders with 4 out of 7? And maybe one of the 4 left is malicious anyhow. Could DDOS/DOS be a way to effectively make 2 malicious elders more effective by taking out another elder?


This is a grey area, totally. Say we could make Elders anonymous with hidden IP and so on. So invisible.

In a state where they say running such a node is an offence then does it matter if it’s anonymous? The people of the country may be so scared of folk tipping off authorities or the risk of decloaking something via some fancy AI sniffers, even enough “evidence” for police to kick your door in and look for themselves.

So that’s the bad part, but in such countries perhaps running an Elder is not good (right now), Adults probably OK and clients for sure OK.

Even then folk transacting and getting receipts will de-cloak people and this is where we have issues with folk in the “free West” demanding features that the network 100% needs and requires or it will die versus the more features the more likely you will be decloaked. It’s all a balance.

Even with our DBC strategy for untrackable cash, some bad person could demand a receipt or similar and show you used a token to buy and then again you are in trouble.

A big and huge discussion for sure. DOS is a massive discussion and then this amplifies that discussion even more. Again though we need to think, what does Safe offer, is it technically the best it can be and I think we are close there. However, at the point of human handoff can humans expose other humans, I feel the answer may always be yes.

DOS and this are threads in their own right.


Relax, my comment wasn’t directed at yours. Tor is just a typical anonymity network that other networks have relied on.

Thanks for this overview. My previous comment was focused on item 4. IMO, the answer is yes, you can hide elder IPs if you want to, but there may be a big performance hit. There are some tricks related to IP multicast that could potentially minimize the performance impact. Regardless, I don’t think this should detract from all the great work that is happening. After a stable testnet is here, there might be some additions to QUIC or a sublayer that could be added to stop nosey nasty neighbors.


Yes, but the big difference, and the beautiful problem that Bitcoin solved, is that there is no leader there, so disrupting some nodes doesn’t stall the network.

Yes, this would stop new nodes from joining. There is a workaround, however (getting a file that lists peers from a trusted source).


At first, there was no leader in the Bitcoin network, but after ASIC mining machines were born, only a few mining pool nodes generate blocks.
Then, are the mining pool nodes leaders or not? Hmm… It looks like kings of the round table to me.


The hopping between sections was able to provide reasonable anonymity for nodes.

But as you say it would never be complete anonymity 100% of the time. Even the relay node is going to be visible to clients in the old system.

My opinion is that some obscuring would provide almost all the benefits with hopping. It drops the chance of IP being known.

One possibility is if those people concerned could use a quality VPN. The one I used allows full speed where I got 80-100Mbps and my ISP link is up to 100Mbps and massive quota where I exceeded reasonable amounts for a couple of months. (many TBs) and costs a couple of US dollars a month when bought on special.

tl;dr I guess the solution out of band is to use a good VPN which provides (D)DOS protection too. So as long as the node can operate through a typical VPN then that would solve the issue out of band.


I realize there is a question of balancing utility vs. safety. Some humans will always be nasty buggers/neighbors, and individual humans will never be completely safe. I guess my concern is whether it will be technically possible to shut down the network by finding and killing or torturing some people. A powerful organization could destroy almost all radio receivers in at least some countries, but it’s not possible to un-invent radio as a technology, so getting in touch (and organizing resistance) using radio signals and home-made devices will always be possible. I don’t think killing every single person who knows how a radio works is feasible. I wonder if this could be achieved once the Safe network gets big enough.


I think as long as a majority or a large enough number of people are willing to run nodes and there is a significant number of elders etc then it would be too hard to stop regardless and that is usually the point where when “they” fight you they also realize it’s a losing battle for them because decentralization is too robust to kill.

The question is: will the network split and grow fast enough, or fly enough under the radar to take hold? Will the lack of elder anonymity make some uncomfortable given this is an anonymity network, etc.? People may be scared of the authorities kicking in their door regardless, but having something to cloak with gives more confidence.

Just don’t want it to be the Achilles heel of the network.

It would work without and maybe there is a level of accountability that can be brought to Elders by having that transparency? Just thinking of possible benefits to the same topic.


I know I refer to Tezos quite often but it’s usually for good reason, in this case I’m just exploring an idea for how they apparently lower the chance of DDOS for a baker. Have many public nodes and hide the private node that bakes amongst them.

Given the SN design I’m not exactly sure how a solution such as this could work, I also get that proxy nodes helped solve this but slowed traffic substantially.

“But closing unused ports won’t safeguard a baker from a DDOS, will it? The standard way of doing that is to hide a baker (in private node config) behind a number of public nodes. Doing so means a baker can’t be directly targeted and public nodes can be swapped out if there is an active DDOS”

“Private Mode restricts connections to a list of nodes you configure at startup. The private node won’t communicate with any other nodes besides those which you’ve defined. Furthermore, it ensures those nodes don’t tell others the private node exists.

So which nodes can your private node trust? Small bakers who elect to use this protection can select nodes they feel are run by trustworthy parties and will always be available. Larger baking operations would be better served running these nodes themselves. Only then can you best ensure that your private node will always have multiple pathways (nodes) for broadcasting your baker’s activity to the network while still remaining hidden.”

private mode

Being an elder is obvious from a network operations standpoint so how on earth could you mask that? It’s an interesting question.


sorry it’s a bad link…

Even if you sign in?


Errr errr errr
I have developed an aversion to signing into things.

So maybe it’s not a bad link after all…



Somehow missed this reply. Great input and reassuring.


The industrialization of mining has been disappointing. These industrial grade pools are better equipped to deal with DDoS than a random SAFE node running in a home.


Beautiful explanation! So insightful to see how the Safe Network fits within all these big names and technologies.


Non-professional opinion:

It is an interesting question. You can do it though if you want to. There are some technical and social challenges, but it’s not impossible. The really interesting part is that as the network becomes more popular and ubiquitous the performance impact might go away naturally. At the same time, you don’t really need to go through the trouble of hiding IPs after popularity rises above critical mass except for unique situations (e.g. folks living in China). Protection from nasty neighbors is most important when the network is small and young. This is true for elders/adult/child nodes and clients.


In this discussion I believe it’s important to make an explicit distinction between protecting people running nodes of any age and protecting the network. I’m afraid the former will never be possible, but the latter should be. China or the US makes no difference.


What is the network without people? The coupling is a cybernetic symbiosis. It’s all or nothing.


I think the point is you can protect the network but not all the people (eg those in China).