Security: Stop disconnecting from nodes that send unexpected messages, to prevent disconnection attacks, Credit: Equilibrium #2107
Labels
A-network
Area: Network protocol updates or fixes
A-rust
Area: Updates to Rust code
C-security
Category: Security issues
I-hang
A Zebra component stops responding to requests
I-invalid-data
Zebra relies on invalid or untrusted data, or sends invalid data
I-slow
Problems with performance or responsiveness
S-needs-investigation
Status: Needs further investigation
Projects
Milestone
Motivation
When Zebra receives an unexpected network message from a peer, it disconnects from that peer. This resets a remote
zcashd
node's internal connection state for Zebra. So Zebra gets the messages it expects once it reconnects.There are a few issues with this approach:
This is a denial of service risk, because Zcash network protocol messages are unauthenticated.
Disconnecting due to protocol differences could be stopping Zebra from being listed by block explorers and DNS seeders.
Priority
This is a medium-priority issue, because:
Solution
Unrecognised Messages
NODE_BLOOM
messages.Protocol Differences
When Zebra can parse a message that a peer has sent, but doesn't expect that message:
Be strict with the handshake
Be permissive after a successful handshake
Alternatives
Work out how to restore unusable peers without disconnecting:
Context
We might want to follow what
zcashd
does here pretty closely.As
zcashd
's network behaviour becomes better specified, Zebra will have fewer unexpected network messages.The text was updated successfully, but these errors were encountered: