net: Feeler connections to increase online addrs in the tried table.

[EthanHeilman]

These changes implement countermeasures 3 (feeler connections) suggested in our paper: "Eclipse Attacks on Bitcoin’s Peer-to-Peer Network".

Design:

We observe that a node's resistance to eclipse attacks grows as the number of online addresses in the tried table grows. To increase the number of online addresses in the tried table the following logic is implemented in net.cpp's ThreadOpenConnections:

1. Every 2 minutes a short lived feeler connection is made to a randomly selected address in new.
2. If the tested address is online and running bitcoind, this address is moved to the tried table.
3. The feeler connection to the tested address is closed.

Only one feeler connection is attempted at any one time and feeler connections are only attempted after all outgoing connections slots of filled.

Advantages:

• In our paper we sample several peer lists. We found that a large percentage of addresses in tried tables are stale IP addresses (the lowest was 72 percent stale, the highest was 95 percent stale). This large number of stale IP addresses increases the risk of eclipse attacks. This change remedies this by ensuring that the tried table grows quickly and contains many recently online addresses.
• Not only do feeler connections provide a direct benefit to the node doing the testing but the tested node, if online, learns about our node and adds it to its tried table (conferring herd immunity even under partial deployment).
• Countermeasure 3 (test-before-evict) builds on the feeler connections introduced in this change. This is the first step to deploying countermeasure 3.

Risk mitigation:

• To limit the network impact of the feeler connections we only make one new connection every 2 minutes. Compared with other networking tasks that bitcoind performs the bandwidth increase is very slight.
• To avoid issues of synchronization we introduce a random sleep of between 0 and 1000 milliseconds prior to making a feeler connection.
• To avoid threading issues the feeler connections are made in the same thread as non-feeler connections.

Test plan:

1. I'm currently running two EC2 nodes with public IP addresses. One is running this pull request and the other is running standard bitcoind. Both are running with arg -debug=1. At the end of the week I will post results from the logs looking at differences in the size of the tried table and examining the logs for any errors. I will also use the peer.dat files generated from this test to evaluate each nodes resistance to eclipse attacks.
2. I will also use packet captures to ensure behavior and bandwidth behaves as expected.
3. I invite anyone would like to help to run standard and feeler connection nodes and email me (Ethan.R.Heilman@gmail.com) the pcaps, logs and peers.dat files. I will post the results of this analysis here.

This change was suggested as Countermeasure 4 in
Eclipse Attacks on Bitcoin’s Peer-to-Peer Network,
Ethan Heilman, Alison Kendler, Aviv Zohar, Sharon Goldberg.
ePrint Archive Report 2015/263. March 2015.

[EthanHeilman]

This pull request implements the feeler functionality in #6355.

[paveljanik]

tests need some love...

[EthanHeilman]

@paveljanik I am currently working on fixes these days, however I am running into issues with the rpc-tests. When I run rpc-tests locally both with this pull request and against bitcoin/master I get intermittent failures.

I run against bitcoin/master

python3 qa/pull-tester/rpc-tests.py

tests fail

TEST                           | PASSED | DURATION
bip68-112-113-p2p.py           | True   | 52 s
listtransactions.py            | True   | 177 s
wallet.py                      | True   | 287 s
mempool_resurrect_test.py      | True   | 20 s
receivedby.py                  | True   | 93 s
txn_doublespend.py --mineblock | True   | 50 s
txn_clone.py                   | True   | 40 s
getchaintips.py                | True   | 43 s
p2p-fullblocktest.py           | False  | 447 s
rawtransactions.py             | True   | 83 s
mempool_spendcoinbase.py       | True   | 10 s
mempool_reorg.py               | True   | 22 s
rest.py                        | True   | 71 s
multi_rpc.py                   | True   | 5 s
httpbasics.py                  | True   | 11 s
mempool_limit.py               | True   | 24 s
proxy_test.py                  | True   | 15 s
merkle_blocks.py               | True   | 41 s
signrawtransactions.py         | True   | 5 s
zapwallettxes.py               | True   | 49 s
nodehandling.py                | True   | 24 s
decodescript.py                | True   | 5 s
reindex.py                     | True   | 31 s
blockchain.py                  | True   | 6 s
disablewallet.py               | True   | 5 s
keypool.py                     | True   | 18 s
prioritise_transaction.py      | True   | 25 s
invalidblockrequest.py         | True   | 11 s
sendheaders.py                 | True   | 60 s
invalidtxrequest.py            | True   | 12 s
walletbackup.py                | True   | 647 s
p2p-versionbits-warning.py     | True   | 24 s
abandonconflict.py             | True   | 39 s
fundrawtransaction.py          | False  | 201 s
importprunedfunds.py           | True   | 37 s
signmessages.py                | True   | 6 s
segwit.py                      | True   | 51 s
zmq_test.py                    | True   | 17 s
p2p-segwit.py                  | True   | 88 s
ALL                            | False  | 2852 s (accumulated)

I rerun it and sometimes different tests fail

TEST                           | PASSED | DURATION

p2p-fullblocktest.py           | False  | 33 s
bip68-112-113-p2p.py           | True   | 52 s
listtransactions.py            | True   | 64 s
receivedby.py                  | True   | 46 s
walletbackup.py                | False  | 107 s
mempool_resurrect_test.py      | True   | 21 s
txn_clone.py                   | True   | 58 s
txn_doublespend.py --mineblock | True   | 67 s
getchaintips.py                | True   | 71 s
wallet.py                      | True   | 193 s
mempool_spendcoinbase.py       | True   | 8 s
mempool_reorg.py               | True   | 18 s
mempool_limit.py               | True   | 20 s
httpbasics.py                  | True   | 12 s
rest.py                        | True   | 57 s
multi_rpc.py                   | True   | 6 s
rawtransactions.py             | True   | 67 s
proxy_test.py                  | True   | 16 s
signrawtransactions.py         | True   | 7 s
merkle_blocks.py               | True   | 32 s
zapwallettxes.py               | True   | 46 s
nodehandling.py                | True   | 23 s
decodescript.py                | True   | 7 s
blockchain.py                  | True   | 7 s
disablewallet.py               | True   | 4 s
reindex.py                     | True   | 25 s
keypool.py                     | True   | 18 s
prioritise_transaction.py      | True   | 28 s
invalidblockrequest.py         | True   | 13 s
invalidtxrequest.py            | True   | 10 s
sendheaders.py                 | True   | 62 s
p2p-versionbits-warning.py     | True   | 26 s
abandonconflict.py             | True   | 38 s
importprunedfunds.py           | True   | 27 s
signmessages.py                | True   | 5 s
segwit.py                      | True   | 43 s
zmq_test.py                    | True   | 24 s
fundrawtransaction.py          | True   | 184 s
p2p-segwit.py                  | True   | 90 s

ALL                            | False  | 1635 s (accumulated)

Also sometimes it just crashes.

...........................................Traceback (most recent call last):
  File "qa/pull-tester/rpc-tests.py", line 340, in <module>
    runtests()
  File "qa/pull-tester/rpc-tests.py", line 209, in runtests
    (name, stdout, stderr, passed, duration) = job_queue.get_next()
  File "qa/pull-tester/rpc-tests.py", line 264, in get_next
    (stdout, stderr) = proc.communicate(timeout=3)
  File "/usr/lib/python3.4/subprocess.py", line 960, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.4/subprocess.py", line 1618, in _communicate
    self._check_timeout(endtime, orig_timeout)
  File "/usr/lib/python3.4/subprocess.py", line 986, in _check_timeout
    raise TimeoutExpired(self.args, orig_timeout)
subprocess.TimeoutExpired: Command '['/home/e0/work/bitcoin-standard/qa/rpc-tests/walletbackup.py', '--srcdir=/home/e0/work/bitcoin-standard/src', '--portseed=37']' timed out after 3 seconds

[maflcko]

If you get a timeout, you may try to run the test directly qa/rpc-tests/test.py and see if it still fails. Also, you may want to check if there are any zombie bitcoin processes which you want to kill. And finally, the test_framework will no longer clean up after a failure, so you need to clean your temp dir manually in case it has limited space available.

Usually none of this should be a problem on travis, as a fresh vm is used every time, so you may want to look into the failure on travis.

[maflcko]

You should assert that nodes in the existing tests are not marked a feel connection and thus get disconnected.

[sdaftuar]

From my first glance at a failing travis test, it seems that perhaps pnode->fFeeler can be set to true on an incoming connection, causing an immediate disconnect? That would result in intermittent test failures for sure.

[EthanHeilman]

@sdaftuar @MarcoFalke I'm working on a simple unittest to make sure that fFeelers is false by default and never happens when fIncoming = true. Should be pushed by EOD.

[EthanHeilman]

I added a simple test and an assert to ensure that that fFeelers are set false by default and don't get assigned to incoming connection.

[EthanHeilman]

Summary: To test feeler connections I ran two nodes on EC2 for ~one month. One node ran this pull request, the second node ran default Bitcoin. According to this test feeler connections (this pull request) increase the size of the tried table by about an order of magnitude and consequently increase the eclipse resistance of a node by an order of magnitude. I also measured the impact of a future pull request test-before-evict where IPs are not evicted from the tried table if they are online.

Tried Table

One node ran this pull request for 32 days (July 1st to August 1st), the second node ran default Bitcoin for 35 Days (June 28 to August 1st).

On August 1st I disconnected the nodes and graphed the results. I tested which nodes in the tried table were online on August 1st.

• The Feeler connections node had 1309 IPs in the tried table of which 38.8% or 590 IPs were online.
• The default Bitcoin node had 195 IPs in the tried table of which 28.2% or 55 IPs were online.

Security Benefit

To determine the security benefit of these larger numbers of IPs in the tried table I modeled the attack presented in Eclipse Attacks on Bitcoin’s Peer-to-Peer Network. Full details on how this was carried out are given at bottom of this comment.

Default node: 595 attacker IPs for ~50% attack success.
Default node + test-before-evict: 620 attacker IPs for ~50% attack success.
Feeler node: 5540 attacker IPs for ~50% attack success.
Feeler node + test-before-evict: 8600 attacker IPs for ~50% attack success.

The node running feeler connections has 10 times as many online IP addresses in its tried table making an attack 10 times harder (i.e. requiring the an attacker require 10 times as many IP addresses in different /16s). Adding test-before-evict increases resistance of the node by an additional 3000 attacker IP addresses.

Below I graph the attack over even greater attacker resources (i.e. more attacker controled IP addresses). Note that test-before-evict maintains some security far longer even against an attacker with 50,000 IPs. If this node had a larger tried table test-before-evict could greatly boost a nodes resistance to eclipse attacks.

Modeling an Eclipse Attack

Using the peers.dat file from the default node and the feeler connections node I reconstructed their tried tables (I ignore the new table in our attacks as it is trivial to fill it with trash IP addresses). The attack test was run as follows:

1. Attempt to insert X attacker IP addresses each from distinct \16s into a model of a node's tried table.
2. Select nodes from each nodes tried table based on the logic in net.cpp (each outgoing connection must be from a different \16, only connect to online nodes).
3. If the attacker's IPs are selected for all 8 outgoing connections the attacker wins as the attacker has partitioned the node from the rest of the network otherwise the attacker loses. For realism I only allowed the node to connect to other nodes which were online.

For each value X of number of attacker IPs I ran the attack 1000 times. For each of these 1000 runs I calculated the attack success probability by performing the selection of 8 outgoing connections 10 times. I used the peers.dat file from the feelers connection node and the default node to build the model of the tried table for the attack. I simulated the impact of enabling test-before-evict would have if turned on just prior to the attack (this should not be different than if the node has been running test-before-evict all along) by preventing the attacker from evicting an IP in the tried table if that node was online.

[sipa]

No need to call GetTime() again.

[sipa]

Thanks a lot for the thorough analysis! Concept ACK with a few nits. I'm surprised by how little code was needed.

[paveljanik]

How will feeler endpoints view us when we disconnect just after their version message?

[sipa]

@paveljanik Similar to oneshot connections that are used for DNS seeding over tor.

[paveljanik]

space after , please.

[paveljanik]

Concept ACK. Nice work and interesting reading!

[paveljanik]

New compile warning here:

+test/net_tests.cpp:154:31: warning: variable 'hSocket' is uninitialized when used here [-Wuninitialized]
+    CNode* pnode1 = new CNode(hSocket, addr, pszDest, fInboundIn);
+                              ^~~~~~~
+test/net_tests.cpp:148:19: note: initialize the variable 'hSocket' to silence this warning
+    SOCKET hSocket;
+                  ^
+                   = 0

[EthanHeilman]

This compile warning has been fixed.

[rebroad]

This constant seems not to be used other than to effectively increase MAX_OUTBOUND_CONNECTIONS.

[maflcko]

It is used indirectly in https://github.com/bitcoin/bitcoin/pull/8282/files/4b4517ce0340c813553f17d1e7710129542d58bd#diff-9a82240fe7dfe86564178691cc57f2f1R1672

[rebroad]

I'm perhaps reading the code incorrectly, but it seems that it will only ever make one feeler connection at a time, regardless of the value of this constant. I.e., increasing this value does not cause it to make concurrent feeler connections.

[EthanHeilman]

I reread the pull request and my understanding is still that MAX_FEELER_CONNECTIONS > 1 allows concurrent feeler connections. I have run tests in response to your comment which appear to show multiple concurrent feeler connections.

Would you be willing to write out your thought process which led you to the conclusion above in case there is something I am missing?

[rebroad]

One potential niggle with feeler connections is that they cause the node_id to go up rather quickly. I think for feeler connections it might be worthwhile not incrementing the node_id since the connection is so short-lived. Perhaps the feeler connections can have a node_id of zero, or something like this?

[rebroad]

Why is this in net.h rather than in net.cpp? net.cpp would cause less impact on compile times.

[EthanHeilman]

I put FEELER_INTERVAL in net.h since that is where all the other net.* timing intervals static const variables are and because putting static const variables in *.h appears to be the convention in the Bitcoind networking code.

[rebroad]

@sipa @laanwj Given this current apparent convention causes a waste of CPU compiling code that doesn't need compiling, can we move some of the net.h code to net.cpp (or other applicable) places in a future pull request?

[EthanHeilman]

Bitcoin's code review process has consistently been the most thoughtful and thorough code review process I've encountered. I want to thank all the reviewers for spending their time to read my code and help improve Bitcoin. My pull requests are better for it.

I realize reviewers might want to take more time to read it over carefully, but in terms of allocating my time for this week is there any particular issue that I should resolve in the next few days?