Large amounts of traffic are being sent to offline nodes #12409
Comments
Did a little experiment and shut down our TdS node (which has average stake, like everyone else). Traffic spiked to >300 Mbps of sustained UDP traffic to 8000/udp, which is our gossip port: 300 Mbps is enough to kill many residential broadband connections, and there were no signs of it stopping until I turned the node back on after 20 minutes. It's easy to mistake such a spike of UDP traffic, especially to a common port like 8000/udp, for a DDoS attack. What's worse is that egress traffic from the node stops at the same time, so it looks like a successful attack at that :-) In fact, there was a recent case of a validator's Hetzner server getting locked for a suspected DDoS attack on another validator.
I confirm that our server received a block from the hardware provider Hetzner, who said that they blocked outgoing traffic and will not unblock it until we fix this situation. There was a clear suspicion of a DDoS attack. They were not interested in any explanation that this is legitimate traffic, nor in the reason, only in a fix. From this we can say that this is the narrowest point of the network; attackers are not asleep, and if this happens again, it will cause a big problem for the network and validators.
Hello! We know that when a Solana node is down, incoming UDP traffic doesn't stop but becomes even greater. I think it's critical to implement some mechanism to set the node state to offline to stop unnecessary traffic after the node's shutdown; otherwise it could lead to disaster. You can even try to snipe top-stake validators with manual complaints (the IPs of all nodes are openly visible).
A call to/for the network domain security specialists... how might one go about solving such an issue that could potentially become a network halter?! Are there any temporary workarounds we can put in place while the long-term solution is being worked out?!
Workaround: When your staked node is shut down, run this command for ~1 minute to ensure the cluster receives an update to your IP address marking it as invalid.
* filters out inactive nodes from push options

#12620 patched the DDOS issue with nodes which go offline: #12409
However, offline nodes still see (much lesser) traffic spike, likely because no origins are pruned from their bloom filter in active set:
https://github.com/solana-labs/solana/blob/aaf3790d8/core/src/crds_gossip_push.rs#L276-L286
and so multiple nodes push redundant duplicate messages to them simultaneously:
https://github.com/solana-labs/solana/blob/aaf3790d8/core/src/crds_gossip_push.rs#L254-L255
This commit will filter out inactive peers from potential push targets entirely.
To mitigate eclipse attacks, staked nodes are retried periodically.

* uses current timestamp in test/crds_gossip
Is it possible to check if this is still an issue even after #12674?
Inactive nodes are still observing incoming gossip traffic:
https://discord.com/channels/428295358100013066/670512312339398668/776140351291260968
likely because of pull-requests.
Previous related issues and commits: #12409 #12620 #12674
This commit implements the same logic as #12674 to exclude inactive nodes from pull options, with the same periodic retry logic for offline staked nodes in order to mitigate an eclipse attack.
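As an added example that is not Solana's own code (nothing here is taken from crds_gossip_push.rs or crds_gossip_pull.rs), this Rust sketch models the selection rule that both the push-target commit (#12674) and the pull-target commit above describe: peers whose gossip entry is older than a timeout are dropped as targets, while staked peers are retried once per retry interval so an offline staked validator cannot be eclipsed permanently. The timeout and retry-interval values, and the four sample peers, are constructed for the example and are not the project's constants.

```rust
// Added example, not Solana's code: models the push/pull target rule from
// the commits above; timeout/retry values are constructed, not project constants.
struct Peer {
    id: &'static str, // stands in for the node's pubkey
    stake: u64,       // 0 means unstaked
    wallclock: u64,   // ms at which the peer last refreshed its gossip entry
}
/// Selects push/pull targets; tracks when inactive staked peers were last
/// retried so the retry is periodic rather than on every call.
struct TargetSelector {
    timeout_ms: u64,        // entry older than this => node considered inactive
    retry_interval_ms: u64, // how often inactive staked peers get another try
    last_retry_ms: u64,
}

impl TargetSelector {
    /// Ids eligible at `now_ms`: all active peers, plus inactive staked peers only in a
    /// retry round. Inactive unstaked peers never qualify, so a shut-down node gets no traffic.
    fn targets(&mut self, peers: &[Peer], now_ms: u64) -> Vec<&'static str> {
        let retry_round = now_ms.saturating_sub(self.last_retry_ms) >= self.retry_interval_ms;
        if retry_round {
            self.last_retry_ms = now_ms;
        }
        peers
            .iter()
            .filter(|p| {
                let active = now_ms.saturating_sub(p.wallclock) <= self.timeout_ms;
                active || (p.stake > 0 && retry_round)
            })
            .map(|p| p.id)
            .collect()
    }
}

// Constructed sample: A/B unstaked, C/D staked; B and C stopped updating at t=40s.
fn sample_peers() -> Vec<Peer> {
    vec![
        Peer { id: "A", stake: 0, wallclock: 95_000 },
        Peer { id: "B", stake: 0, wallclock: 40_000 },
        Peer { id: "C", stake: 5_000, wallclock: 40_000 },
        Peer { id: "D", stake: 7_000, wallclock: 98_000 },
    ]
}
fn main() {
    let mut sel = TargetSelector { timeout_ms: 30_000, retry_interval_ms: 20_000, last_retry_ms: 0 };
    for &now in &[100_000u64, 110_000, 125_000] {
        println!("t={}: targets={:?}", now, sel.targets(&sample_peers(), now));
    }
}
```

Across the three sample instants, B never reappears as a target, while C (staked) is offered again only in the retry rounds at t=100s and t=125s.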
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
This stale issue has been automatically closed. Thank you for your contributions.
This issue has been automatically locked since there has not been any activity in past 7 days after it was closed. Please open a new issue for related bugs.
Problem
After shutting down a node, the remainder of the cluster keeps sending traffic. This has been the source of frequent complaints by users who ran Solana on a home connection, shut it down, and then continued to get DDoSed by the cluster.
Proposed Solution
Stop sending traffic to nodes that aren't up-to-date in gossip.
This will only help with nodes that are fully offline. Congestion control is needed as well: #12410
A malicious attacker could still create fake entries since the gossip IP isn't authenticated via a three-way handshake that proves that there's a valid return path, see #9491.