dr|z3d
ok, percentage bar for folders now displays in snark, next is the folder contents size.
mesh
i2p+ should include irc.echelon.i2p in the default irc channel
mesh
tunne
mesh
since irc.postman.i2p so often goes down
mesh
which raises the other issue: why is irc.postman.i2p always down? Is it the Chinese? Or is it the WEF?
snex
its never down. we just ban you sometimes
mesh
that's obviously not true. does this mean that postman has been replaced with a lizard?
dr|z3d
no, but you should check your avatar on zzzmirror.i2p
orignal
because more people use postman
orignal
any updates about Chinese routers?
dr|z3d
they gone, apparently.
orignal
how?
dr|z3d
<zzz> and *poof* the china botnet shut down about 6 hours ago
orignal
lol
dr|z3d
maybe someone secretly zapped them all with an i2pd exploit.
RN
wasn't me
dr|z3d
:)
orignal
ofc since I have shown that commit
orignal
what needs to be done
orignal
submit a tag wait until tagset expires then send garlic with this tag
orignal
pretty easy
dr|z3d
maybe they got bored, maybe they got nuked.
mesh
am I really the only one having trouble with the tunnelmanager?
mesh
I've been trying to make changes to a tunnel for literally 20 minutes
mesh
every single submission results in this error: • Invalid form submission, probably because you used the 'back' or 'reload' button on your browser. Please resubmit. If the problem persists, verify that you have cookies enabled in your browser.
mesh
that error also disappears
mesh
so like if you don't see it, and then look for it later, it's not there
dr|z3d
make sure cookies are enabled, and also make sure that any browser-side privacy protections are off for the console.
mesh
dr|z3d: what privacy protections would need to be off? I'm running pretty stock stuff. And why does the tunnel manager require greater access?
mesh
anyways I just wonder if other people see this: multiple attempts to edit an existing tunnel fail consistently
dr|z3d
it shouldn't do, but who knows what the browser thinks it needs to prevent happening. click your shield in the address bar, see if turning stuff off helps.
dr|z3d
I have zero issues with editing tunnels, either locally or over ssh.
dr|z3d
if you're accessing more than one console in the same browser session, that can also cause issues in some browsers.
dr|z3d
or, similarly, if you're accessing the console from multiple browsers, problems can arise.
dr|z3d
my guess is that you've got multiple browsers open.
mesh
dr|z3d: no, there seems to be some sort of erroneous state
mesh
no matter how many times I hard reload I get 'Confirm Form Resubmission' errors
dr|z3d
if you're trying to hard refresh a form submission, all you're doing is reinvoking the same error by submitting the stale nonce.
dr|z3d
aka don't do that. load the page without the submission, hard refresh, then edit the tunnel.
dr|z3d
the erroneous state in this instance is you.
mesh
how can hard refreshing a url like localhost:7667/i2ptunnel/list cause a form submission?
mesh
hard refresh or normal refresh leads to 'Confirm Form Submission'
mesh
no matter what I do simply viewing the tunnel list leads to an error, and I can't edit any of the tunnels
mesh
somehow the tunnel manager thinks all attempts to even view the tunnels is an edit operation leading to 'Confirm Form Submission' followed by the disappearing 'Invalid form submission error'
dr|z3d
hit the tunnel manager button in the sidebar, don't use fwd or back buttons when attempting to edit tunnels. all else fails, use the open in new tab icon at the top right of the console main heading, see if that helps.
dr|z3d
the issue is local, in any event.
dr|z3d
local to you, that is.
dr|z3d
as for the disappearing error, it's transient, no sense in polluting the message logs with it.
dr|z3d
maybe it would be better if it was a toast-style notification, but that's a different discussion.
mesh
dr|z3d: it just leads to the situation that stuff fails and the user doesn't even notice and has no idea why
mesh
not sure how the tunnelmgr works but it seems like it can end up in a very bad state
mesh
literally the only thing that seems to work for me right now is incognito mode in a new browser window
dr|z3d
there's no bad state other than a stale nonce.
mesh
dr|z3d: the problem I'm seeing is that even when I'm not editing a form, when I'm reloading the /list url, the app thinks I'm editing a form
mesh
though I'm still seeing 'ERR_CACHE_MISS' even in incognito mode it seems to fail hard
mesh
it's all very strange, no idea what's going on. this is like the encryption keys error I was getting last time, hehe, it's just me but stuff is unusable
dr|z3d
you can also try deleting your console session cookies. ctrl+shift+i -> storage..
dr|z3d
and like I said before, don't attempt to access the console in more than one tab.
dr|z3d
if you're accessing it from more than one place, issues.
dr|z3d
it *might* be ok in the same browser session, but definitely won't be if one of the tabs is incognito and the other isn't, but it depends on how your browser implements tab isolation.
orignal
zzz, new attack of clones
orignal
Vort has collected the list
orignal
can you take a look?
orignal
and this is about the proposal weko has written a while ago
weko
Finally someone will do something
weko
I hope
orignal
at least zzz wanted an evidence
orignal
here the evidence
dr|z3d
seeing elevated traffic flows just now, maybe that's another indication.
dr|z3d
not globally, but still.
orignal
we are talking about the particular problem
orignal
zzz doesn't want to take it seriously
zzz
orignal, weko, if you want to move a proposal forward, work with eyedeekay to schedule a review meeting, don't just "hope"
zzz
this is not about me
orignal
zzz have you taken a look at this list of RIs?
dr|z3d
yeah, I vaguely recall zzz asking for a written proposal to address the issue multiple times, or am I wrong?
orignal
it's not about the proposal itself
orignal
it's about the problem we have now
orignal
yes and weko has written it
orignal
but now we have this problem again
orignal
e.g. it's not a theoretical issue
dr|z3d
ah, ok, that one. great. so schedule a meeting, get the proposal taken forward.
orignal
please take a look at the problem now
zzz
orignal, while we're talking about proposals, please review my updates to proposal 163 (datagram 2), I'd like to schedule a review for it also
zzz
orignal, I've downloaded the zip
dr|z3d
when privatebin takes several minutes to load, I give up.
zzz
orignal, weko, is this the first time the problem has reappeared in a year?
weko
Is it matter? I guess it enough critical for fix without practical appear whatever
dr|z3d
I don't think zzz's trying to dodge addressing the issue, weko, he's just asking for a synopsis.
zzz
yes, the history of the problem and its effects are important
dr|z3d
first time in the past year [ ] yes [ ] no (tick one box ONLY)
weko
orignal knows better
zzz
if you want a proposal adopted, answer reviewers questions, don't tell them it doesn't matter
weko
i2pd have some fix already, and Vort said that we can't know it
zzz
then how did you know about this one today?
weko
Randomly
weko
By accident*
orignal
I have read your proposal few days ago
zzz
I'm not asking about the attacks you don't know about, I'm asking about the ones that you do
orignal
maybe it reappeared before but Vort noticed it today
orignal
also we see bunch of malformed DatabaseStore messages this night
zzz
orignal, weko, iirc your proposal is about preventing cloned private keys on multiple routers
zzz
the RIs in the zip all have unique private keys; therefore the DH will fail
zzz
it doesn't matter if the "i" is cloned
orignal
<Vort> the duplicates just kept showing up when viewing the transport list (my "trap")
zzz
=> not a problem
orignal
<Vort> that's how I noticed this attack
orignal
<orignal> are these floodfills or just routers?
orignal
<Vort> PfR
orignal
<Vort> the connections hang in Syn-Sent
orignal
zzz it's not about private keys
orignal
it's about s
orignal
in addresses
orignal
DH will fail for NTCP2
orignal
but not for SSU2
orignal
because router address is not a part of handshake
zzz
orignal, the SSU2 DH will fail
orignal
please explain where
orignal
if 'i' and 's' get cloned
zzz
oh you're right, it's 's'. My bad, I forgot
orignal
and that's what the proposal is about
zzz
right
orignal
somehow we need to tell what we are connected to
orignal
to Alice
orignal
or to Bob who Alice is trying to connect to
orignal
right now I do dirty hack in the code
orignal
I try to connect to a new floodfill through NTCP2 first
zzz
yup
orignal
and only if it's successful I allow SSU2 connection
orignal
or if it was an incoming connection
zzz
I have 93 of them on one router
orignal
but this is just a workaround not ultimate solution
orignal
93 of what?
zzz
the routers on that IP
zzz
they'll all get spanked by our sybil analysis pretty quick, let me run it and see
zzz
yup
orignal
we had this attack year ago
zzz
Threat Points: 1158.00
zzz
490.00: Same IP with 98 others
zzz
392.00: Same IPv4 /24 with 98 others
zzz
198.00: Same IPv6 /64 with 99 others
zzz
49.50: Same IPv6 /48 with 99 others
zzz
24.50: Same IPv4 /16 with 98 others
zzz
4.00: First heard about: 9 sec ago
orignal
same IP is not an issue
orignal
people like to run multiple routers
orignal
check of same 's'
orignal
*for
zzz
sure but it has to be same ip/port for it to work
zzz
our sybil points threshold is 50, so they are 1108 over the limit ))
orignal
you mentioned same IP only
orignal
not same endpoint
zzz
right.
zzz
we could enhance things to look at port and s
orignal
ofc same endpoint is always suspicious
orignal
and same 's' on different addresses is definitely an attack
orignal
RI "multihoming" is completely different problem
weko
So in proposal I wrote some suggested ways to fix
zzz
all java routers will have them banned within 24 hours
zzz
by the sybil analyzer
dr|z3d
are they all floodfills?
zzz
PfR
orignal
dr|z3d: PRf
zzz
go click run manually on the sybil page
dr|z3d
ok, then what zzz said. if they're not floodfills, then they won't get picked up by the sybil detector in java i2p by default.
orignal
we will implement sybil analysis somewhen
orignal
zzz the problem is
orignal
that you also abd real floodfill
orignal
for 24 hours
orignal
*ban
orignal
and adversary can make you out of floodfills easily
orignal
you need to have a way to differentiate real router and clones
dr|z3d
not seeing any super high value sybils, but maybe that's because they're getting banned before the sybil detector sees them.
zzz
orignal, weko, I ask again, is this the first time in a year for this attack?
orignal
Vort has noticed it today
zzz
we're not banning real floodfills
orignal
last time it was noticeable in May
zzz
thanks
orignal
how do you differentiate real and clone?
orignal
if all have same IP
zzz
we don't
orignal
then you will ban all routers with this IP
orignal
if I understand you right
zzz
yes
orignal
then an adversary can force you to ban all floodfills easily
zzz
maybe
orignal
just make bunch of clones of every single floodfill
zzz
fyi on stats.i2p you can see the attack started about midnight eastern
not_bob
I run more than one router behind the same IP often.
orignal
yes and Vort saw bunch of gzip error by this time
orignal
not_bob we same 's'? ))
orignal
and same port?
not_bob
No, no.
dr|z3d
give him some credit, orignal :)
orignal
whom? Vort?
not_bob
;)
dr|z3d
not_bob..
zzz
will put sybil tweaks on my todo list
dr|z3d
are sybil tweaks going to be sufficient to ban clones while leaving legit routers intact?
dr|z3d
or do we need a global mechanism that presumably weko/orignal's proposal suggests, which performs some validation on routers before we determine they're legit?
zzz
it's orthogonal
dr|z3d
ok
zzz
the router that was cloned, possibly legit, first seen before today, is gDBbuc
dr|z3d
ok, I see it in my netdb, banned.
dr|z3d
607 leasesets it's reporting.
zzz
sure, if your sybil has run in the last 13 hours, it's banned
dr|z3d
published 237 ago when I looked.
zzz
he's cranking out about 100 new routers an hour
dr|z3d
oh wow, that bad.
orignal
seems new attack
orignal
how many floodfills do you see now?
dr|z3d
around 1K here.
dr|z3d
last time I was paying attention it was around 800.
dr|z3d
Clone's is pumping out 100 ff clones/hr according to zzz.
zzz
now about 2000/hour new
dr|z3d
all on the same ID?
zzz
y'all could help with the research, please look in your own netdb
snex
i have 1300 floodfills
dr|z3d
>>> Hy~F33 8zT0z apzSPY IOlVTK sqcg45 E90d8g
dr|z3d
if you run your sybil checker, snex, that number will probably drop.
snex
dropped to 864
dr|z3d
now, if you do a netdb search, capabilities field -> PfR .. that may show you some of the dodgy routers, or more specifically router ids.
dr|z3d
you'll see a ban icon in the header for likely suspects.
snex
gives a shitload of results
dr|z3d
(to the left of the "F")
snex
not seeing any ban icons, but some of the P ones have arrows of various colors
dr|z3d
you may only see half a dozen or so.
snex
only 1 ban icon
dr|z3d
the arrow is telling you the congestion status of the router in question, see /netdb for a guide.
dr|z3d
by default the sybil scanner runs every 24 hours, I have it running every hour here and I'm about to push an update to /dev/ that makes every hour the default.
dr|z3d
also: 2KbCu5
dr|z3d
how are you mitigating the issue? just dropping excess ffs?
orignal
after 1500 i2pd stops accepting new floodfills unless it's confirmed
orignal
I start consider a new FF as regular router
dr|z3d
how are you confirming? doing your dirty hack?
orignal
and make it FF only after confirmation it's real one
orignal
one of 2:
orignal
1. successful outgoing connect through NTCP2
orignal
2. successful incoming connect from IP listed in RI
orignal
2 can be either NTCP2 or SSU2
dr|z3d
sounds handy. what's the cost? not worth doing it for all floodfills and keeping track?
orignal
below 1500 you have a risk to become out of floodfills
dr|z3d
could be a new flag, though zzz doesn't like new flags.
orignal
especially if you're a new router
orignal
1500 sounds reasonable threshold
dr|z3d
C for confirmed or something. we're not using C yet are we. still think V for volatile for routers that are neither R or U is worth considering.
orignal
plus ofc shitty router from netdb kept being removed all the time
dr|z3d
1500 is probably a bit high.
orignal
what would prevent an adversary to publish this flag?
orignal
yes today's threshold should be 1000
orignal
1500 is from year ago
dr|z3d
it would be a flag we assign to the router, not something they assign themselves.
orignal
however it works well even with 1500
dr|z3d
yup, was going to suggest 1000 is probably a good number.
orignal
who is "we"? what is the authority?
dr|z3d
we being our router, subject to local tests or observations or what have you.
orignal
but what cap is it for?
orignal
if it's internal only?
orignal
it's just your local profile
dr|z3d
sure, local profile, which will determine whether it should be used or not, and in what context. eg no C, don't use as ff, and maybe don't route any traffic through it. same for V.
dr|z3d
or rather, no C and ff.
zzz
everybody please stop blaming me for everything. I don't understand x, I don't like y, I have a policy against z. It's tiresome.
dr|z3d
E90 is curious: monero.monerujo.io
dr|z3d
0.9.48
orignal
blaming?
orignal
but it works good so far
dr|z3d
moving on, orignal, zzz said his thing. no point dwelling on it.
orignal
the only mistake is 1500 rather than 1000
dr|z3d
we weren't talking about that, anyways.
orignal
we are talking about current situation
dr|z3d
sure, let's focus on that. :)
dr|z3d
1000 is about right, that's what I see on a busy router with all the crud removed.
orignal
beside this we handle good
dr|z3d
it's a different strategy to sybil detection, possibly better currently, as we're just blocking all the routers with the same hash.
dr|z3d
if testing ffs before using them isn't expensive, maybe it should be default behavior for all ffs.
dr|z3d
java already grades ffs by reliability, response time etc, so adding another test could be useful.
orignal
sybil attack is completely different
orignal
I think testing them would produce too many connections
dr|z3d
sure, but our sybil scanner picks up cloned routers.
dr|z3d
you'd stagger the tests.
dr|z3d
1 router every 2s or something.
orignal
yes only if you suspect clone
dr|z3d
if you can pre-filter routers to test based on some criteria, great.
dr|z3d
you're already pre-filtering by ff class, so that helps.
zzz
I was holding off so I could see what was going on, but I've seen enough and I clicked the sybil button
zzz
new record on points:
zzz
Threat Points: 12800.83
zzz
5440.00: Same IP with 1088 others
dr|z3d
dang that's insane.
zzz
and that should bring the stats dashboard back to normal also
dr|z3d
so what's the prognosis? sybil detection tweaks or something else, or both?
zzz
that would be a treatment, not a prognosis ))
dr|z3d
you got me.
uop23ip
Wohoo. Big movements in my top netdb. Seconds ago china no.2, now canada. with half of no1 us. Counted cn in ff list 70/1800.
zzz
there's the prop.165 part, the sybil part, maybe a ff selection part, maybe some store throttling, ...
zzz
on the whole I think we are holding up pretty well though
snex
if you wanted to run an i2p botnet, why not just make it look like regular routers
dr|z3d
this is a different attack.
snex
why would anyone attack i2p? we dindu nuffin
dr|z3d
if you want to takedown valid floodfills, just clone their ids and wait for them to be blacklisted.
dr|z3d
or if they're not blacklisted, then you'll be null routing requests all over, degrading the network.
uop23ip
"valid floodfills, just clone their ids". That easy?
zzz
of course the solution is RandomX PoW for new routers...
orignal
looks like it's over for now
dr|z3d
oh noes, not PoW.
dr|z3d
can't we just do some basic tests as part of profiling?
orignal
uop23ip it's not canada
orignal
it's clone of Toronto's DO router
orignal
they clone addresses not ids
zzz
don't trust stats.i2p charts w.r.t. whether the attack is ongoing, as the IP is now banned over there
snex
if youre gonna do PoW might as well have reward tokens too
snex
not sure what youd spend them on
zzz
maybe ordinals would help
orignal
also another theory
orignal
maybe the target of the attack was that particular router
uop23ip
"PoW for new routers" only for ff? New is the form of restart or new priv key?
zzz
I think every new RI is a Rune