A libp2p peer ID is based only on an RSA public key. This allows an attacker to create an unlimited number of nodes on a single machine (same IP address) and use these nodes to monopolize the incoming/outgoing connections of victim nodes.
Current Design
Incoming connections are not checked against IP-based duplicity.
Problems
An attacker controlling a host may create a large number of libp2p peer IDs and create connections to a victim host under those peer IDs. This leads to a few problems:
A victim host may run out of available file descriptors, leading to denial-of-service.
Since libp2p pubsub uses a fixed number of outbound connections for outbound message propagation (6-8 by default), if the Sybil peers advertise critical topics (such as shard topics) the probability of the victim node choosing one of the sound, non-Sybil nodes for outbound messaging reaches zero.
Proposal
Gate incoming connections by their source IP address, allowing only one or two from each source IP and dropping others.
Note: This may make it difficult or impossible to run multiple nodes behind a NAT gateway which maps the nodes to the same public IP address. We may need to add support for NAT whitelisting as a configuration policy variable.
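The gating proposed above, as an added example that is not code from this issue or from libp2p: a per-source-IP admission counter with a NAT allowlist, using only the Go standard library. The names `IPGate`, `PerIP`, `NATCap`, `NAT`, `Accept` and `Release` are hypothetical, and the caps and addresses in `main` are constructed sample values.

```go
package main

import (
	"fmt"
	"net/netip"
	"sync"
)

// IPGate caps concurrent inbound connections per source IP (hypothetical, not a libp2p API).
type IPGate struct {
	PerIP, NATCap int            // caps for ordinary sources and allowlisted NAT gateways
	NAT           []netip.Prefix // operator-configured NAT allowlist
	mu            sync.Mutex
	active        map[netip.Addr]int // open connections per source address
}

// Accept reserves a slot for a new inbound connection; false means drop it.
func (g *IPGate) Accept(a netip.Addr) bool {
	a, limit := a.Unmap(), g.PerIP // treat ::ffff:a.b.c.d as a.b.c.d
	for _, p := range g.NAT {
		if p.Contains(a) {
			limit = g.NATCap
		}
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.active == nil {
		g.active = map[netip.Addr]int{}
	}
	if g.active[a] >= limit {
		return false
	}
	g.active[a]++
	return true
}

func (g *IPGate) Release(a netip.Addr) { // call once per accepted connection, on close
	g.mu.Lock()
	defer g.mu.Unlock()
	if a = a.Unmap(); g.active[a] > 1 {
		g.active[a]--
	} else {
		delete(g.active, a) // drop empty entries so the map cannot grow unbounded
	}
}

func main() {
	g := &IPGate{PerIP: 2, NATCap: 8, NAT: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")}}
	src := netip.MustParseAddr("198.51.100.7") // constructed sample address
	fmt.Println(g.Accept(src), g.Accept(src), g.Accept(src))
}
```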