#saltr
/2024/04/20
dr|z3d ok, percentage bar for folders now displays in snark, next is the folder contents size.
mesh i2p+ should include irc.echelon.i2p in the default irc channel
mesh tunne
mesh since irc.postman.i2p so often goes down
mesh which raises the other issue: why is irc.postman.i2p always down? Is it the Chinese? Or is it the WEF?
snex its never down. we just ban you sometimes
mesh that's obviously not true. does this mean that postman has been replaced with a lizard?
dr|z3d no, but you should check your avatar on zzzmirror.i2p
orignal because more people use postman
orignal any updates about Chinese routers?
dr|z3d they gone, apparently.
dr|z3d <zzz> and *poof* the china botnet shut down about 6 hours ago
dr|z3d maybe someone secretly zapped them all with an i2pd exploit.
RN wasn't me
orignal ofc since I have shown that commit
orignal what needs to be done
orignal submit a tag wait until tagset expires then send garlic with this tag
orignal pretty easy
dr|z3d maybe they got bored, maybe they got nuked.
mesh am I really the only one having trouble with the tunnelmanager?
mesh I've been trying to make changes to a tunnel for literally 20 minutes
mesh every single submission results in this error: • Invalid form submission, probably because you used the 'back' or 'reload' button on your browser. Please resubmit. If the problem persists, verify that you have cookies enabled in your browser.
mesh that error also disappears
mesh so like if you don't see it, and then look for it later, it's not there
dr|z3d make sure cookies are enabled, and also make sure that any browser-side privacy protections are off for the console.
mesh dr|z3d: what privacy protections would need to be off? I'm running pretty stock stuff. And why does the tunnel manager require greater access?
mesh anyways I just wonder if other people see this: multiple attempts to edit an existing tunnel fail consistently
dr|z3d it shouldn't do, but who knows what the browser thinks it needs to prevent happening. click your shield in the address bar, see if turning stuff off helps.
dr|z3d I have zero issues with editing tunnels, either locally or over ssh.
dr|z3d if you're accessing more than one console in the same browser session, that can also cause issues in some browsers.
dr|z3d or, similarly, if you're accessing the console from multiple browsers, problems can arise.
dr|z3d my guess is that you've got multiple browsers open.
mesh dr|z3d: no, there seems to be some sort of erroneous state
mesh no matter how many times I hard reload I get 'Confirm Form Resubmission' errors
dr|z3d if you're trying to hard refresh a form submission, all you're doing is reinvoking the same error by submitting the stale nonce.
dr|z3d aka don't do that. load the page without the submission, hard refresh, then edit the tunnel.
dr|z3d the erroneous state in this instance is you.
mesh how can hard refreshing a url like localhost:7667/i2ptunnel/list cause a form submission?
mesh hard refresh or normal refresh leads to 'Confirm Form Submission'
mesh no matter what I do simply viewing the tunnel list leads to an error, and I can't edit any of the tunnels
mesh somehow the tunnel manager thinks all attempts to even view the tunnels is an edit operation leading to 'Confirm Form Submission' followed by the disappearing 'Invalid form submission error'
dr|z3d hit the tunnel manager button in the sidebar, don't use fwd or back buttons when attempting to edit tunnels. all else fails, use the open in new tab icon at the top right of the console main heading, see if that helps.
dr|z3d the issue is local, in any event.
dr|z3d local to you, that is.
dr|z3d as for the disappearing error, it's transient, no sense in polluting the message logs with it.
dr|z3d maybe it would be better if it was a toast-style notification, but that's a different discussion.
mesh dr|z3d: it just leads to the situation that stuff fails and the user doesn't even notice and has no idea why
mesh not sure how the tunnelmgr works but it seems like it can end up in a very bad state
mesh literally the only thing that seems to work for me right now is incognito mode in a new browser window
dr|z3d there's no bad state other than a stale nonce.
mesh dr|z3d: the problem I'm seeing is that even when I'm not editing a form, when I'm reloading the /list url, the app thinks I'm editing a form
mesh though I'm still seeing 'ERR_CACHE_MISS' even in incognito mode it seems to fail hard
mesh it's all very strange, no idea what's going on. this is like the encryption keys error I was getting last time, hehe, it's just me but stuff is unusable
dr|z3d you can also try deleting your console session cookies. ctrl+shift+i -> storage..
dr|z3d and like I said before, don't attempt to access the console in more than one tab.
dr|z3d if you're accessing it from more than one place, issues.
dr|z3d it *might* be ok in the same browser session, but definitely won't be if one of the tabs is incognito and the other isn't, but it depends on how your browser implements tab isolation.
orignal zzz, new attack of clones
orignal Vort has collected the list
orignal can you take a look?
orignal and this is about the proposal weko has written a while ago
weko Finally someone will do something
weko I hope
orignal at least zzz wanted evidence
orignal here's the evidence
dr|z3d seeing elevated traffic flows just now, maybe that's another indication.
dr|z3d not globally, but still.
orignal we are talking about the particular problem
orignal zzz doesn't want to take it seriously
zzz orignal, weko, if you want to move a proposal forward, work with eyedeekay to schedule a review meeting, don't just "hope"
zzz this is not about me
orignal zzz have you taken a look at this list of RIs?
dr|z3d yeah, I vaguely recall zzz asking for a written proposal to address the issue multiple times, or am I wrong?
orignal it's not about the proposal itself
orignal it's about the problem we have now
orignal yes and weko has written it
orignal but now we have this problem again
orignal e.g. it's not a theoretical issue
dr|z3d ah, ok, that one. great. so schedule a meeting, get the proposal taken forward.
orignal please take a look at the problem now
zzz orignal, while we're talking about proposals, please review my updates to proposal 163 (datagram 2), I'd like to schedule a review for it also
zzz orignal, I've downloaded the zip
dr|z3d when privatebin takes several minutes to load, I give up.
zzz orignal, weko, is this the first time the problem has reappeared in a year?
weko Does it matter? I guess it's critical enough to fix even without appearing in practice, whatever
dr|z3d I don't think zzz's trying to dodge addressing the issue, weko, he's just asking for a synopsis.
zzz yes, the history of the problem and its effects are important
dr|z3d first time in the past year [ ] yes [ ] no (tick one box ONLY)
weko orignal knows better
zzz if you want a proposal adopted, answer reviewers' questions, don't tell them it doesn't matter
weko i2pd has some fix already, and Vort said that we can't know it
zzz then how did you know about this one today?
weko Randomly
weko By accident*
orignal I have read your proposal a few days ago
zzz I'm not asking about the attacks you don't know about, I'm asking about the ones that you do
orignal maybe it reappeared before but Vort noticed it today
orignal also we see a bunch of malformed DatabaseStore messages this night
zzz orignal, weko, iirc your proposal is about preventing cloned private keys on multiple routers
zzz the RIs in the zip all have unique private keys; therefore the DH will fail
zzz it doesn't matter if the "i" is cloned
orignal <Vort> the duplicates just kept popping up when I was looking through the list of transports (my "trap")
zzz => not a problem
orignal <Vort> that's how I noticed this attack
orignal <orignal> are these floodfills or just routers?
orignal <Vort> PfR
orignal <Vort> the connections hang in Syn-Sent
orignal zzz it's not about private keys
orignal it's about s
orignal in addresses
orignal DH will fail for NTCP2
orignal but not for SSU2
orignal because router address is not a part of handshake
zzz orignal, the SSU2 DH will fail
orignal please explain where
orignal if 'i' and 's' get cloned
zzz oh you're right, it's 's'. My bad, I forgot
orignal and that's what the proposal is about
zzz right
orignal somehow we need to tell what we are connected to
orignal to Alice
orignal or to Bob who Alice is trying to connect to
orignal right now I do a dirty hack in the code
orignal I try to connect to a new floodfill through NTCP2 first
zzz yup
orignal and only if it's successful I allow SSU2 connection
orignal or if it was an incoming connection
zzz I have 93 of them on one router
orignal but this is just a workaround, not the ultimate solution
orignal 93 of what?
zzz the routers on that IP
zzz they'll all get spanked by our sybil analysis pretty quick, let me run it and see
zzz yup
orignal we had this attack a year ago
zzz Threat Points: 1158.00
zzz 490.00: Same IP with 98 others
zzz 392.00: Same IPv4 /24 with 98 others
zzz 198.00: Same IPv6 /64 with 99 others
zzz 49.50: Same IPv6 /48 with 99 others
zzz 24.50: Same IPv4 /16 with 98 others
zzz 4.00: First heard about: 9 sec ago
orignal same IP is not an issue
orignal people like to run multiple routers
orignal check of same 's'
zzz sure but it has to be same ip/port for it to work
zzz our sybil points threshold is 50, so they are 1108 over the limit ))
orignal you mentioned same IP only
orignal not same endpoint
zzz right.
zzz we could enhance things to look at port and s
orignal ofc same endpoint is always suspicious
orignal and same 's' on different addresses is definitely an attack
orignal RI "multihoming" is a completely different problem
weko So in proposal I wrote some suggested ways to fix
zzz all java routers will have them banned within 24 hours
zzz by the sybil analyzer
dr|z3d are they all floodfills?
zzz PfR
orignal dr|z3d: PRf
zzz go click run manually on the sybil page
dr|z3d ok, then what zzz said. if they're not floodfills, then they won't get picked up by the sybil detector in java i2p by default.
orignal we will implement sybil analysis sometime
orignal zzz the problem is
orignal that you also ban the real floodfill
orignal for 24 hours
orignal and an adversary can make you run out of floodfills easily
orignal you need to have a way to differentiate real router and clones
dr|z3d not seeing any super high value sybils, but maybe that's because they're getting banned before the sybil detector sees them.
zzz orignal, weko, I ask again, is this the first time in a year for this attack?
orignal Vort has noticed it today
zzz we're not banning real floodfills
orignal last time it was noticeable in May
zzz thanks
orignal how do you differentiate real and clone?
orignal if all have same IP
zzz we don't
orignal then you will ban all routers with this IP
orignal if I understand you right
zzz yes
orignal then an adversary can force you to ban all floodfills easily
zzz maybe
orignal just make a bunch of clones of every single floodfill
zzz fyi on stats.i2p you can see the attack started about midnight eastern
not_bob I run more than one router behind the same IP often.
orignal yes and Vort saw a bunch of gzip errors by this time
orignal not_bob with the same 's'? ))
orignal and same port?
not_bob No, no.
dr|z3d give him some credit, orignal :)
orignal whom? Vort?
dr|z3d not_bob..
zzz will put sybil tweaks on my todo list
dr|z3d are sybil tweaks going to be sufficient to ban clones while leaving legit routers intact?
dr|z3d or do we need a global mechanism that presumably weko/orignal's proposal suggests, which performs some validation on routers before we determine they're legit?
zzz it's orthogonal
zzz the router that was cloned, possibly legit, first seen before today, is gDBbuc
dr|z3d ok, I see it in my netdb, banned.
dr|z3d 607 leasesets it's reporting.
zzz sure, if your sybil has run in the last 13 hours, it's banned
dr|z3d published 237 ago when I looked.
zzz he's cranking out about 100 new routers an hour
dr|z3d oh wow, that bad.
orignal seems new attack
orignal how many floodfills do you see now?
dr|z3d around 1K here.
dr|z3d last time I was paying attention it was around 800.
dr|z3d Clone's is pumping out 100 ff clones/hr according to zzz.
zzz now about 2000/hour new
dr|z3d all on the same ID?
zzz y'all could help with the research, please look in your own netdb
snex i have 1300 floodfills
dr|z3d >>> Hy~F33 8zT0z apzSPY IOlVTK sqcg45 E90d8g
dr|z3d if you run your sybil checker, snex, that number will probably drop.
snex dropped to 864
dr|z3d now, if you do a netdb search, capabilities field -> PfR .. that may show you some of the dodgy routers, or more specifically router ids.
dr|z3d you'll see a ban icon in the header for likely suspects.
snex gives a shitload of results
dr|z3d (to the left of the "F")
snex not seeing any ban icons, but some of the P ones have arrows of various colors
dr|z3d you may only see half a dozen or so.
snex only 1 ban icon
dr|z3d the arrow is telling you the congestion status of the router in question, see /netdb for a guide.
dr|z3d by default the sybil scanner runs every 24 hours, I have it running every hour here and I'm about to push an update to /dev/ that makes every hour the default.
dr|z3d also: 2KbCu5
dr|z3d how are you mitigating the issue? just dropping excess ffs?
orignal after 1500 i2pd stops accepting new floodfills unless it's confirmed
orignal I start considering a new FF as a regular router
dr|z3d how are you confirming? doing your dirty hack?
orignal and make it FF only after confirmation it's real one
orignal one of 2:
orignal 1. successful outgoing connect through NTCP2
orignal 2. successful incoming connect from IP listed in RI
orignal 2 can be either NTCP2 or SSU2
dr|z3d sounds handy. what's the cost? not worth doing it for all floodfills and keeping track?
orignal below 1500 you have a risk to run out of floodfills
dr|z3d could be a new flag, though zzz doesn't like new flags.
orignal especially if you're a new router
orignal 1500 sounds reasonable threshold
dr|z3d C for confirmed or something. we're not using C yet are we. still think V for volatile for routers that are neither R or U is worth considering.
orignal plus ofc shitty router from netdb kept being removed all the time
dr|z3d 1500 is probably a bit high.
orignal what would prevent an adversary from publishing this flag?
orignal yes today's threshold should be 1000
orignal 1500 is from year ago
dr|z3d it would be a flag we assign to the router, not something they assign themselves.
orignal however it works well even with 1500
dr|z3d yup, was going to suggest 1000 is probably a good number.
orignal who is "we"? what is the authority?
dr|z3d we being our router, subject to local tests or observations or what have you.
orignal but what cap is it for?
orignal if it's internal only?
orignal it's just your local profile
dr|z3d sure, local profile, which will determine whether it should be used or not, and in what context. eg no C, don't use as ff, and maybe don't route any traffic through it. same for V.
dr|z3d or rather, no C and ff.
zzz everybody please stop blaming me for everything. I don't understand x, I don't like y, I have a policy against z. It's tiresome.
dr|z3d E90 is curious: monero.monerujo.io
dr|z3d 0.9.48
orignal blaming?
orignal but it works good so far
dr|z3d moving on, orignal, zzz said his thing. no point dwelling on it.
orignal the only mistake is 1500 rather than 1000
dr|z3d we weren't talking about that, anyways.
orignal we are talking about current situation
dr|z3d sure, let's focus on that. :)
dr|z3d 1000 is about right, that's what I see on a busy router with all the crud removed.
orignal beside this we handle good
dr|z3d it's a different strategy to sybil detection, possibly better currently, as we're just blocking all the routers with the same hash.
dr|z3d if testing ffs before using them isn't expensive, maybe it should be default behavior for all ffs.
dr|z3d java already grades ffs by reliability, response time etc, so adding another test could be useful.
orignal sybil attack is completely different
orignal I think testing them would produce too many connections
dr|z3d sure, but our sybil scanner picks up cloned routers.
dr|z3d you'd stagger the tests.
dr|z3d 1 router every 2s or something.
orignal yes only if you suspect clone
dr|z3d if you can pre-filter routers to test based on some criteria, great.
dr|z3d you're already pre-filtering by ff class, so that helps.
zzz I was holding off so I could see what was going on, but I've seen enough and I clicked the sybil button
zzz new record on points:
zzz Threat Points: 12800.83
zzz 5440.00: Same IP with 1088 others
dr|z3d dang that's insane.
zzz and that should bring the stats dashboard back to normal also
dr|z3d so what's the prognosis? sybil detection tweaks or something else, or both?
zzz that would be a treatment, not a prognosis ))
dr|z3d you got me.
uop23ip Wohoo. Big movements in my top netdb. Seconds ago china no.2, now canada. with half of no1 us. Counted cn in ff list 70/1800.
zzz there's the prop.165 part, the sybil part, maybe a ff selection part, maybe some store throttling, ...
zzz on the whole I think we are holding up pretty well though
snex if you wanted to run an i2p botnet, why not just make it look like regular routers
dr|z3d this is a different attack.
snex why would anyone attack i2p? we dindu nuffin
dr|z3d if you want to take down valid floodfills, just clone their ids and wait for them to be blacklisted.
dr|z3d or if they're not blacklisted, then you'll be null routing requests all over, degrading the network.
uop23ip "valid floodfills, just clone their ids". That easy?
zzz of course the solution is RandomX PoW for new routers...
orignal looks like it's over for now
dr|z3d oh noes, not PoW.
dr|z3d can't we just do some basic tests as part of profiling?
orignal uop23ip it's not canada
orignal it's clone of Toronto's DO router
orignal they clone addresses not ids
zzz don't trust stats.i2p charts w.r.t. whether the attack is ongoing, as the IP is now banned over there
snex if youre gonna do PoW might as well have reward tokens too
snex not sure what youd spend them on
zzz maybe ordinals would help
orignal also another theory
orignal maybe the target of the attack was that particular router
uop23ip "PoW for new routers" only for ff? New in the form of restart or new priv key?
zzz I think every new RI is a Rune