#saltr (irc2p) | I2P+ 2.7.0-9+ >> i2pplus.github.io | skank.i2p | git.skank.i2p | purokishi.i2p | vituperative.github.io/i2pchat | natter.i2p | notbob.i2p | ramble.i2p | shreddit.i2p | cake.i2p | /msg an op for voice

dr|z3d ok, percentage bar for folders now displays in snark, next is the folder contents size.

mesh i2p+ should include irc.echelon.i2p in the default irc channel

mesh tunne

mesh since irc.postman.i2p so often goes down

mesh which raises the other issue: why is irc.postman.i2p always down? Is it the Chinese? Or is it the WEF?

snex its never down. we just ban you sometimes

mesh that's obviously not true. does this mean that postman has been replaced with a lizard?

dr|z3d no, but you should check your avatar on zzzmirror.i2p

orignal because more peopel use postman

orignal any updates about Chinesse routers?

dr|z3d they gone, apparently.

orignal how?

dr|z3d <zzz> and *poof* the china botnet shut down about 6 hours ago

orignal lol

dr|z3d maybe someone secretly zapped them all with an i2pd exploit.

RN wasn't me

dr|z3d :)

orignal ofc since I have shown that commit

orignal what needs to be done

orignal submit a tag wait until tagset expires then send garlic with this tag

orignal pretty easy

dr|z3d maybe they got bored, maybe they got nuked.

mesh am I really the only one having trouble with the tunnelmanager?

mesh I've been trying to make changes to a tunnel for literally 20 minutes

mesh every single submission results in this error: • Invalid form submission, probably because you used the 'back' or 'reload' button on your browser. Please resubmit. If the problem persists, verify that you have cookies enabled in your browser.

mesh that error also disappears

mesh so like if you don't see it, and then look for it later, it's not there

dr|z3d make sure cookies are enabled, and also make sure that any browser-side privacy protections are off for the console.

mesh dr|z3d: what privacy protections would need to be off? I'm running pretty stock stuff. And why does the tunnel manager require greater access?

mesh anyways I just wonder if other people see this: multiple attempts to edit an existing tunnel fail consistently

dr|z3d it shouldn't do, but who knows what the browser thinks it needs to prevent happening. click your shield in the address bar, see if turning stuff off helps.

dr|z3d I have zero issues with editing tunnels, either locally or over ssh.

dr|z3d if you're accessing more than one console in the same browser session, that can also cause issues in some browsers.

dr|z3d or, similarly, if you're accessing the console from multiple browsers, problems can arise.

dr|z3d my guess is that you've got multiple browsers open.

mesh dr|z3d: no, there seems to be some sort of erroneous state

mesh no matter how many times I hard reload I get 'Confirm Form Resubmission' errors

dr|z3d if you're trying to hard refresh a form submission, all you're doing is reinvoking the same error by submitting the stale nonce.

dr|z3d aka don't do that. load the page without the submission, hard refresh, then edit the tunnel.

dr|z3d the erroneous state in this instance is you.

mesh how can hard refreshing a url like localhost:7667/i2ptunnel/list cause a form submission?

mesh hard refresh or normal refresh leads to 'Confirm Form Submission'

mesh no matter what I do simply viewing the tunnel list leads to an error, and I can't edit any of the tunnels

mesh somehow the tunnel manager things all attempts to even view the tunnels is an edit operation leading to 'Confirm Form Submission' followed by the disappearing 'Invalid form submission error'

dr|z3d hit the tunnel manager button in the sidebar, don't use fwd or back buttons when attempting to edit tunnels. all else fails, use the open in new tab icon at the top right of the console main heading, see if that helps.

dr|z3d the issue is local, in any event.

dr|z3d local to you, that is.

dr|z3d as for the disappearing error, it's transient, no sense in polluting the message logs with it.

dr|z3d maybe it would be better if it was a toast-style notification, but that's a different discussion.

mesh dr|z3d: it just leads to the situation that stuff fails and the user doesn't even notice and has no idea why

mesh not sure how the tunnelmgr works but it seems like it can end up in a very bad state

mesh literally the only thing that seems to work for me right now is incognito mode in a new browser window

dr|z3d there's no bad state other than a stale nonce.

mesh dr|z3d: the problem I'm seeing is that even when I'm not editing a form, when I'm reloading the /list url, the app thinks I'm editing a form

mesh though I'm still seeing 'ERR_CACHE_MISS' even in incognito mode it seems to fail hard

mesh it's all very strange, no idea what's going on. this is like the encryption keys error I was getting last time, hehe, it's just me but stuff is unusable

dr|z3d you can also try deleting your console session cookies. ctrl+shift+i -> storage..

dr|z3d and like I said before, don't attempt to access the console in more than one tab.

dr|z3d if you're accessing it from more than one place, issues.

dr|z3d it *might* be ok in the same browser session, but definitely won't be if one of the tabs is incognito and the other isn't, but it depends on how your browser implements tab isolation.

orignal zzz, new attack of clones

orignal Vort has collected the list

orignal privatebin.i2p/?c45b491f8628f838#5wAyEYoBQx1z7uUsdEENoGFf5kJ9Uj6JRbfR26pjwrS8

orignal can you take a look?

orignal and this is about the proposal weko has written a while ago

weko Finally someone will do something

weko I hope

orignal at least zzz wanted an evidence

orignal here the evidence

dr|z3d seeing elevated traffic flows just now, maybe that's another indication.

dr|z3d not globally, but still.

orignal we are talking about the particular problem

orignal zzz doesn't want to take it seriously

zzz orignal, weko, if you want to move a proposal forward, work with eyedeekay to schedule a review meeting, don't just "hope"

zzz this is not about me

orignal zzz have you take a looked at this list of RIs?

dr|z3d yeah, I vaguely recall zzz asking for a written proposal to address the issue multiple times, or am I wrong?

orignal it's not about the proposal itself

orignal it's about the problem we have now

orignal yes and weko has written it

orignal but now we have this problem again

orignal e.g. it's not a theretical issue

dr|z3d ah, ok, that one. great. so schedule a meeting, get the proposal taken forwward.

orignal please take a look at the problem now

zzz orignal, while we're talking about proposals, please review my updates to proposal 163 (datagram 2), I'd like to schedule a review for it also

zzz orignal, I've downloaded the zip

dr|z3d when privatebin takes several minutes to load, I give up.

zzz orignal, weko, is this the first time the problem has reappeared in a year?

weko Is it matter? I guess it enough critical for fix without practical appear whatever

dr|z3d I don't think zzz's trying to dodge addressing the issue, weko, he's just asking if for a synopsis.

zzz yes, the history of the problem and its effects are important

dr|z3d first time in the past year [ ] yes [ ] no (tick one box ONLY)

weko orignal know better

zzz if you want a proposal adopted, answer reviewers questions, don't tell them it doesn't matter

weko i2pd have some fix already, and Vort said that we can't know it

zzz then how did you know about this one today?

weko Randomly

weko By accident*

orignal I have read your proposal few days ago

zzz I'm not asking about the attacks you don't know about, I'm asking about the ones that you do

orignal maybe it reappaared before but Vort noticed it today

orignal also we see bunch of malformed DaabaseStore messages this night

zzz orignal, weko, iirc your proposal is about preventing cloned private keys on multiple routers

zzz the RIs in the zip all have unique private keys; therefore the DH will fail

zzz it doesn't matter if the "i" is cloned

orignal <Vort> дубли просто лезли при просмотре списка транспортов (моя "ловушка")

zzz => not a problem

orignal <Vort> так я эту атаку и заметил

orignal <orignal> ээто флудфилы или просто роутеры?

orignal <Vort> PfR

orignal <Vort> коннекты висят в Syn-Sent

orignal zzz it's not about private keys

orignal it's about s

orignal in addrsses

orignal DH will fail for NTCP2

orignal but not for SSU2

orignal because router address is not a part of handshake

zzz orignal, the SSU2 DH will fail

orignal please examplain where

orignal if 'i'' and 's' gets cloned

zzz oh you're right, it's 's'. My bad, I forgot

orignal and that's what the proposal about

zzz right

orignal somehow we need to tell what we are connected to

orignal to Alice

orignal or to Bob who is Alice is trying to connect to

orignal right now I do drity hack in the code

orignal I try to connect to a new floodfill through NTCP2 first

zzz yup

orignal and only if it's successiev I aloow SSU2 connection

orignal of if it was an incming connection

zzz I have 93 of them on one router

orignal but this is just a workaround not ulmimate solution

orignal 93 of what?

zzz the routers on that IP

zzz they'll all get spanked by our sybil analysis pretty quick, let me run it and see

zzz yup

orignal we had this attack year ago

zzz Threat Points: 1158.00

zzz 490.00: Same IP with 98 others

zzz 392.00: Same IPv4 /24 with 98 others

zzz 198.00: Same IPv6 /64 with 99 others

zzz 49.50: Same IPv6 /48 with 99 others

zzz 24.50: Same IPv4 /16 with 98 others

zzz 4.00: First heard about: 9 sec ago

orignal same IP is not an issue

orignal preople like to run multiple routers

orignal check of same 's'

orignal *for

zzz sure but it has to be same ip/port for it to work

zzz our sybil points threshold is 50, so they are 1108 over the limit ))

orignal you meantioned same IP only

orignal not same endpoint

zzz right.

zzz we could enhance things to look at port and s

orignal ofc same enpoint is always suspicious

orignal and same 's' on different addresses is denitly an attack

orignal RI "multihoming" is completely dufferent problem

weko So in proposal I wrote some suggested ways to fix

zzz all java routers will have them banned within 24 hours

zzz by the sybil analyzer

dr|z3d are they all floodfills?

zzz PfR

orignal dr|z3d: PRf

zzz go click run manually on the sybil page

dr|z3d ok, then what zzz said. if they're not floodfills, then they won't get picked up by the sybil detector in java i2p by default.

orignal we will implement sybli analisys somewhen

orignal zzz the problem is

orignal that you also abd real floodfill

orignal for 24 hours

orignal *ban

orignal and advsary can make you our of floodfills easuly

orignal you need to have a way to differntial real router and clones

dr|z3d not seeing any super high value sybils, but maybe that's because they're getting banned before the sybil detector sees them.

zzz orignal, weko, I ask again, is this the first time in a year for this attack?

orignal Vort has noticed it today

zzz we're not banning real floodfills

orignal last time it was noticable in May

zzz thanks

orignal how do you differente real and clone?

orignal if all have same IP

zzz we don't

orignal then you will ban all routers with this IP

orignal if I understand you right

zzz yes

orignal then you an advsary can force you to ban all floodfills easily

zzz maybe

orignal just make bunch of clones of every single floodfill

zzz fyi on stats.i2p you can see the attack started about midnight eastern

not_bob I run more than one router behind the same IP often.

orignal yes and Vort saw bunch of gzip eror by this time

orignal not_bob we same 's'? ))

orignal and same port?

not_bob No, no.

dr|z3d give him some credit, orignal :)

orignal whom? Vort?

not_bob ;)

dr|z3d not_bob..

zzz will put sybil tweaks on my todo list

dr|z3d are sybil tweaks going to be sufficient to ban clones while leaving legit routers intact?

dr|z3d or do we need a global mechanism that presumably weko/orignal's proposal suggests, which performs some validation on routers before we determine they're legit?

zzz it's orthoganal

dr|z3d ok

zzz the router that was cloned, possibly legit, first seen before today, is gDBbuc

dr|z3d ok, I see it in my netdb, banned.

dr|z3d 607 leasesets it's reporting.

zzz sure, if you're sybil has run in the last 13 hours, it's banned

dr|z3d published 237 ago when I looked.

zzz he's cranking out about 100 new routers an hour

dr|z3d oh wow, that bad.

orignal seems new attack

orignal how many floodfills do you see now?

dr|z3d around 1K here.

dr|z3d last time I was paying attention is was around 800.

dr|z3d Clone's is pumping out 100 ff clones/hr according to zzz.

zzz now about 2000/hour new

dr|z3d all on the same ID?

zzz y'all could help with the research, please look in your own netdb

snex i have 1300 floodfills

dr|z3d >>> Hy~F33 8zT0z apzSPY IOlVTK sqcg45 E90d8g

dr|z3d if you run your sybil checker, snex, that number will probably drop.

snex dropped to 864

dr|z3d now, if you do a netdb search, capabilities field -> PfR .. that may show you some of the dodgy routers, or more specifically router ids.

dr|z3d you'll see a ban icon in the header for likely suspects.

snex gives a shitload of results

dr|z3d (to the left of the "F")

snex not seeing any ban icons, but some of the P ones have arrows of various colors

dr|z3d you may only see half a dozen or so.

snex only 1 ban icon

dr|z3d the arrow is tell you the congestion status of the router in question, see /netdb for a guide.

dr|z3d by default the sybil scanner runs every 24 hours, I have it running every hour here and I'm about to push an update to /dev/ that makes every hour the default.

dr|z3d also: 2KbCu5

dr|z3d how are you mitigating the issue? just dropping excess ffs?

orignal after 1500 i2pd stops accepting new floodfills unless it's confirmed

orignal I start consider a new FF as regular router

dr|z3d how are you confirming? doing your dirty hack?

orignal and make it FF only after confirmation it's real one

orignal one of 2:

orignal 1. successfulty outgoing connect through NTCP2

orignal 2. successeful incoming connect from IP listed in RI

orignal 2 can be either NTCP2 or SSU2

dr|z3d sounds handy. what's the cost? not worth doing it for all floodfills and keeping track?

orignal below 1500 you have a risk to become oout of floodfills

dr|z3d could be a new flag, though zzz doesn't like new flags.

orignal especailly if you a new router

orignal 1500 sounds reasonable threshold

dr|z3d C for confirmed or something. we're not using C yet are we. still think V for volatile for routers that are neither R or U is worth considering.

orignal plus ofc shitty router from netdb kept being removed all the time

dr|z3d 1500 is probably a bit high.

orignal what would prevent an advesary to publish this flag?

orignal yes today's threhold should be 1000

orignal 1500 is from year ago

dr|z3d it would be a flag we assign to the router, not something they assign themselves.

orignal however it works well even with 1500

dr|z3d yup, was going to suggest 1000 is probably a good number.

orignal who is "we"? what is the authority?

dr|z3d we being our router, subject to local tests or observations or what have you.

orignal but what cap is it for?

orignal if it's internal only?

orignal it's just your local profile

dr|z3d sure, local profile, which will determine whether it should be used or not, and in what context. eg no C, don't use as ff, and maybe don't route any traffic through it. same for V.

dr|z3d or rather, no C and ff.

zzz everybody please stop blaming me for everything. I don't understand x, I don't like y, I have a policy against z. It's tiresome.

dr|z3d E90 is curious: monero.monerujo.io

dr|z3d 0.9.48

orignal blaming?

orignal but it works good so far

dr|z3d moving on, orignal, zzz said his thing. no point dwelling on it.

orignal the only mistake is 1500 rather than 1000

dr|z3d we weren't talking about that, anyways.

orignal we are talking about current situation

dr|z3d sure, let's focus on that. :)

dr|z3d 1000 is about right, that's what I see on a busy router with all the crud removed.

orignal beside this we handle good

dr|z3d it's a different strategy to sybil detection, possibly better currently, as we're just blocking all the routers with the same hash.

dr|z3d if testing ffs before using them isn't expensive, maybe it should be default behavior for all ffs.

dr|z3d java already grades ffs by reliability, reponse time etc, so adding another test could be useful.

orignal sybil attack is completely different

orignal I think testing them would produce too many connections

dr|z3d sure, but our sybil scanner picks up cloned routers.

dr|z3d you'd stagger the tests.

dr|z3d 1 router every 2s or something.

orignal yes only if you suspect clone

dr|z3d if you can pre-filter routers to test based on some criteria, great.

dr|z3d you're already pre-filtering by ff class, so that helps.

zzz I was holding off so I could see what was going on, but I've seen enough and I clicked the sybil button

zzz new record on points:

zzz Threat Points: 12800.83

zzz 5440.00: Same IP with 1088 others

dr|z3d dang that's insane.

zzz and that should bring the stats dashboard back to normal also

dr|z3d so what's the prognosis? sybil detection tweaks or something else, or both?

zzz that would be a treatment, not a prognosis ))

dr|z3d you got me.

uop23ip Wohoo. Big movements in my top netdb. Seconds ago china no.2, now canada. with half of no1 us. Counted cn in ff list 70/1800.

zzz there's the prop.165 part, the sybil part, maybe a ff selection part, maybe some store throttling, ...

zzz on the whole I think we are holding up pretty well though

snex if you wanted to run an i2p botnet, why not just make it look like regular routers

dr|z3d this is a different attack.

snex why would anyone attack i2p? we dindu nuffin

dr|z3d if you want to takedown valid floodfills, just clone their ids and wait for them to be blacklisted.

dr|z3d or if they're not blacklisted, then you'll be null routing requests all over, degrading the network.

uop23ip "valid floodfills, just clone their ids". That easy?

zzz of course the solution is RandomX PoW for new routers...

orignal looks like it's over for now

dr|z3d oh noes, not PoW.

dr|z3d can't we just do some basic tests as part of profiling?

orignal uop23ip it's not canada

orignal it's clone of Toronto's DO router

orignal they clone addesses not ids

zzz don't trust stats.i2p charts w.r.t. whether the attack is ongoing, as the IP is now banned over there

snex if youre gonna do PoW might as well have reward tokens too

snex not sure what youd spend them on

zzz maybe ordinals would help

orignal also another theory

orignal maybe the target of the attack was that partcular router

uop23ip "PoW for new routers" only for ff? New is the form of restart or new priv key?

zzz I think every new RI is a Rune