aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWladimir J. van der Laan <laanwj@gmail.com>2016-05-04 15:51:38 +0200
committerWladimir J. van der Laan <laanwj@gmail.com>2016-05-04 15:52:13 +0200
commit8206835cc173e4145634ed660fe2e0e44bd05bc9 (patch)
tree607a9d0d950e3452f75336b4006fbb8d0ca99298
parentfc23fee690477828e84a7886dbf208e9a96e82e2 (diff)
parentd90351f0504c5d4057e560d64107a2f36d7bf3d4 (diff)
Merge #7974: More comments on the design of AttemptToEvictConnection.
d90351f More comments on the design of AttemptToEvictConnection. (Gregory Maxwell)
-rw-r--r--src/net.cpp13
1 files changed, 11 insertions, 2 deletions
diff --git a/src/net.cpp b/src/net.cpp
index f566af24c4..1afe087be4 100644
--- a/src/net.cpp
+++ b/src/net.cpp
@@ -877,6 +877,14 @@ public:
}
};
+/** Try to find a connection to evict when the node is full.
+ * Extreme care must be taken to avoid opening the node to attacker
+ * triggered network partitioning.
+ * The strategy used here is to protect a small number of peers
+ * for each of several distinct characteristics which are difficult
+ * to forge. In order to partition a node the attacker must be
+ * simultaneously better at all of them than honest peers.
+ */
static bool AttemptToEvictConnection(bool fPreferNewConnection) {
std::vector<CNodeRef> vEvictionCandidates;
{
@@ -905,7 +913,7 @@ static bool AttemptToEvictConnection(bool fPreferNewConnection) {
if (vEvictionCandidates.empty()) return false;
- // Protect the 8 nodes with the best ping times.
+ // Protect the 8 nodes with the lowest minimum ping time.
// An attacker cannot manipulate this metric without physically moving nodes closer to the target.
std::sort(vEvictionCandidates.begin(), vEvictionCandidates.end(), ReverseCompareNodeMinPingTime);
vEvictionCandidates.erase(vEvictionCandidates.end() - std::min(8, static_cast<int>(vEvictionCandidates.size())), vEvictionCandidates.end());
@@ -913,7 +921,7 @@ static bool AttemptToEvictConnection(bool fPreferNewConnection) {
if (vEvictionCandidates.empty()) return false;
// Protect the half of the remaining nodes which have been connected the longest.
- // This replicates the existing implicit behavior.
+ // This replicates the non-eviction implicit behavior, and precludes attacks that start later.
std::sort(vEvictionCandidates.begin(), vEvictionCandidates.end(), ReverseCompareNodeTimeConnected);
vEvictionCandidates.erase(vEvictionCandidates.end() - static_cast<int>(vEvictionCandidates.size() / 2), vEvictionCandidates.end());
@@ -941,6 +949,7 @@ static bool AttemptToEvictConnection(bool fPreferNewConnection) {
vEvictionCandidates = mapAddrCounts[naMostConnections];
// Do not disconnect peers if there is only one unprotected connection from their network group.
+ // This step excessively favors netgroup diversity, and should be removed once more protective criteria are established.
if (vEvictionCandidates.size() <= 1)
// unless we prefer the new connection (for whitelisted peers)
if (!fPreferNewConnection)