~dr|z3d
@RN
@RN_
@StormyCloud
@T3s|4_
@eyedeekay
@orignal
@postman
@zzz
%Liorar
+FreefallHeavens
+Xeha
+bak83_
+cumlord
+hk
+profetikla
+uop23ip
Arch
DeltaOreo
FreeRider
Irc2PGuest19353
Irc2PGuest22478
Irc2PGuest48042
Irc2PGuest64530
Meow
Nausicaa
Onn4l7h
Onn4|7h
Over1
acetone_
anon4
anu3
boonst
juoQuua9
mareki2pb
not_bob_afk
plap
poriori_
shiver_1
simprelay
solidx66
thetia
tr
u5657
weko_
fox
anyone have slow's addressbook? or whatever is popular now
RN
notbob, stats and reg are the working ones now, I think
fox
*** wishes to explore before the possible rise of the 4th reich ***
fox
i'll look for those then
RN
notbob.i2p has an index, a blog with site reviews and an addressbook subscription
RN
you should remember stats (default for Canon java i2p)
fox
stats has been around forever yeah
RN
and reg, well, it may cause conflicts with older addresses
fox
i'll poke around notbob then
dr|z3d
if you want in-network news, planeta.i2p isn't bad.
RN
yeah, notbob is safe, reg is 'use at your own risk'
RN
planeta does look nicer than planet
RN
I still use both
dr|z3d
ok, this one looks dubious: fRcfUYTkKGHiuMn--vwfYRS1YxvqBbQL7LUNpkgMVe8=
dr|z3d
XG, and yet it's requesting a huge number of tunnels.
dr|z3d
so much for the b/w attack disappearing, orignal, appears to be ramping up.
dr|z3d
either that or we've got a new cohort of users all downloading furiously, 24/7.
hk
dr|z3d: seems like it subsided for a bit, then came back hpdbe6o6qqqqvgygbcznssat46kybsm7rcauofqaoly4ajdi2jeq.b32.i2p/file/T7pL3zTmG8_kRNW6lNXadutenrM989mOCj97YR7MQ_BeXXJlRNlg/attack.png
dr|z3d
yeah, ebbs and flows, hk.
hk
damn, brutal
dr|z3d
what's up with your graph, that should be svg.
hk
oh ahahahahah i literally did a screencap in flameshot
hk
I didn't think it through and realize I could have just saved the image directly
hk
:p
dr|z3d
ah, ok, figured as much. fonts are also off.
hk
interesting
dr|z3d
you may need to install whatever the default is for java i2p
hk
ah that probably explains why the timestamp is cropped off, thanks
hk
dr|z3d: woah, quite different
dr|z3d
the graph, or the datapoints, or both?
hk
oh I was just commenting on the visuals, but besides that our graphs do have correlation at the suspected at after 18:00
dr|z3d
yeah, somewhat different in plus, the graphs. I'm quantizing the data when the period extends beyond a day iirc, so it reads easier. and various other visual tweaks.
hk
but yours does not continue in bandwidth spikes, instead calms down while mine continuously spikes without rest
hk
idk just a layman's observation, it's intriguing
dr|z3d
that's just one router, but sure, the b/w spread isn't consistent across the entire network.
dr|z3d
we're also a bit more aggressive with the bans in +, so there's also that.
hk
do have correlation at the suspected attack*. re: quantizing data, have you considered something like a simple moving average or would that not have much utility in measuring bandwidth?
hk
ah, very interesting on the ban part. I wonder if it's meaningful to give the end user the ability to ban more or less; I'm not aware if such options exist already but yea
dr|z3d
re quantizing data, I'm just using existing rrd4j methods to prevent data overload on the graphs.
dr|z3d
in canon i2p, you don't get much in the way of knobs to tweak for banning.
dr|z3d
in +, you have router.banOldRouters={true|false} and maybe some other stuff.
dr|z3d
sorry, not banOldRouters..
dr|z3d
router.blockOldRouters={true|false}
dr|z3d
When set to false, the router will not block tunnel build requests from slower or unreachable routers running older versions. [Default is true, restart required]
dr|z3d
you've also got: i2np.blockMyCountry={true|false}
dr|z3d
and router.blockCountries={countrycode,countrycode2}
hk
hm hm
dr|z3d
and: router.enableTransitThrottle={true|false}
dr|z3d
When set to false, the router will not throttle tunnel build requests from other routers, and should be used with caution. [Default is true, restart required]
hk
definitely seems useful to me, I mean just by this anecdotal comparison we just made with our graphs (I know there are many variables at play) it really does seem that restrictions can play to a more stable router
hk
restrictions on peers*
hk
appears to be a careful balance
dr|z3d
sure, there's no one size fits all, it's a question of adjusting and tweaking all the time, with current network conditions as a factor to consider.
dr|z3d
in + we're a bit more generous before we start throttling routers for making too many requests.. we also scale the max requests depending on b/w tier.. you have to make a large number of requests in excess of the max (when you're being told "no") to get banned.
hk
very meritocratic, I like it
dr|z3d
well, if you're hosting/requesting a huge number of tunnels and you're L tier, maybe you're lying about your bandwidth.
hk
that's right
dr|z3d
and if you're lying, then you're up to no good :)
hk
haha
hk
So in general terms, I know in p2p networks there can be a concept of a "supernode" or a node with elevated privileges
hk
I wanted to ask if i2p+ has anything adjacent to that with peer profiling?
hk
I guess a node that is donating more and can be trusted more can be given more leeway in a sense or something like that
hk
again, I'm a complete novice, just trying to understand i2p more
hk
I understand that can be abused too, in a sybil attack
hk
so there's that
hk
elevation attack or agh, I can't remember the name but something to do with reputation
hk
flooding a network to give more reputation to your own malicious node and elevating its privileges, so it's not without possible harm I guess
dr|z3d
well, fast (bw tier) peers get profiled and used for local tunnels, slower peers don't get profiled.
dr|z3d
we don't use slower tier peers for local tunnels.
hk
ah I see
dr|z3d
profiling itself is somewhat hit and miss, anyways. you need to be pulling a lot of data down to get profiling data.
dr|z3d
failing that, in + we do some peer tests to check latency and promote peers with low latency so they're likely to be used more.
hk
ahh so that's how you get around with not having to use too much data, I know there can be a problem of collecting too much data in a privacy focused network
hk
kind of like how the canon i2p implementation uses a modified kademlia dht for this very reason iirc
dr|z3d
not so much privacy focused, it's more a question of ram usage and related page load times when you've got a lot of data to display.
dr|z3d
you run a router on the network, expect to be profiled to some degree unless you're in hidden mode. that's not incompatible with privacy.
dr|z3d
so you take a view on what's interesting and relevant, and what's not worth keeping/profiling.
hk
fair enough
orignal
new attack?
orignal
zzz, my results of investigation
orignal
1. I was not able to reproduce the problem if I receive multiple acks from Bob and keep resending
orignal
2. I only resend if I don't receive acks but all peers were of older versions
orignal
3. In your scenario maybe that peer really didn't receive ack due to communication problems however it would be nice if you double check if acks really went out from your side
orignal
let me show some example
orignal
SSU2: Ack from JOtf ackThrough 0
orignal
SSU2: Session with 145.40.231.246:19843 (JOtf) established
orignal
it's clear that it was Ack for SessionConfirmed
orignal
then I send
orignal
SSU2: RelayRequest sent to JOtf 1
orignal
then I receive
orignal
SSU2: Ack from JOtf ackThrough 0
orignal
SSU2: I2NP message
orignal
NetDb: Store request: RouterInfo JOtfqXUgG3Ot-~bi2e4ObSH1j89qveATNMuc9bB4vzg=
orignal
simply speaking it's Bob's RI
orignal
and it's definitely Java because i2pd sends it as a block
orignal
but ackThrough is still 0. seems it didn't receive my RelayRequest yet
orignal
since it was I2NP I send Ack back
orignal
next second I resend RelayRequest
orignal
SSU2: Resent 4 to JOtf
orignal
and keep resending it and never get acks back
orignal
and then terminate
orignal
SSU2: Session with 145.40.231.246:19843 (JOtf) terminated
orignal
JOtf is router.version=0.9.62
orignal
and JOtf seems Java
zzz
no, it's i2pd
zzz
Addresses:NTCP2: cost: 3 host: 145.40.231.246 i: hBzNk52N0IBZK1WLC2vCMw== port: 19843 s: K9btCaSvRu4XrdtELKZ8L4nyr5TkuQ0Uo5Jl69yyNW4= v: 2
zzz
NTCP2: cost: 3 host: 2a00:d4e0:125:3815:8aae:ddff:fe03:eb7b i: hBzNk52N0IBZK1WLC2vCMw== port: 19843 s: K9btCaSvRu4XrdtELKZ8L4nyr5TkuQ0Uo5Jl69yyNW4= v: 2
zzz
SSU2: cost: 8 caps: C host: 145.40.231.246 i: t0gdN-KeAQcc0woUqdZW8qFOgwES-zIb8vO02OaDrYY= port: 19843 s: lzykwSE6G45alT9pjvmazJJQQTuO6mt-d~y0JR7wPz8= v: 2
zzz
SSU2: cost: 8 caps: BC host: 2a00:d4e0:125:3815:8aae:ddff:fe03:eb7b i: t0gdN-KeAQcc0woUqdZW8qFOgwES-zIb8vO02OaDrYY= mtu: 1500 port: 19843 s: lzykwSE6G45alT9pjvmazJJQQTuO6mt-d~y0JR7wPz8= v: 2
orignal
caps: C
orignal
and RI as I2NP
orignal
I see plenty of such cases
zzz
NTCP2 Cost: 3
zzz
netdb.knownRouters = 15445
orignal
what's wrong with knownRouters?
zzz
java usually isn't that much
zzz
but java will never do ntcp2 cost 3, that's you
orignal
let me find another example
orignal
but see, in your scenario it looks like this
orignal
for example xocS
orignal
I get
orignal
SSU2: RelayRequest sent to xocS 1
orignal
SSU2: RouterInfo
orignal
NetDb: RouterInfo updated: xocSFWv-FF7~bADzq4xsiL6bH65BB0T90WiprHfc3to=
orignal
it's clearly i2pd
orignal
because RI is block
orignal
and no Ack
orignal
while JOtf looks like Java
orignal
or some modified code
zzz
my dup relay req detector is working, seeing about 5 dups/hour
zzz
11/03 09:44:07.200 Receive relay request from 146.70.163.91:5296 xJrHmO
zzz
11/03 09:44:07.233 Got relay response 0 as bob, forward nonce 37528592 to 146.70.163.91:5296 xJrHmO
zzz
11/03 09:44:07.746 Dropping dup relay request from 146.70.163.91:5296 xJrHmO IB2
dr|z3d
handy
dr|z3d
that making it into git?
orignal
great
zzz
seems like it but I also added a dup relay response check that isn't being hit, have to figure out if it's not working or not necessary
orignal
please tell me how you send RI after handshake
zzz
who am I?
orignal
Java
orignal
Bob
orignal
I connect, send relay request immediately
orignal
then get packet with RI and Ack for ackThrough 0
orignal
so do you send this packet immediately?
zzz
so I (Bob) send alice RI and relay intro to charlie. what's the question?
orignal
I'm asking about handshake
orignal
you receive SessionConfirmed
orignal
and send Ack
orignal
after that you send own RI also with Ack block
orignal
my question is when you do it
zzz
ok, looking...
orignal
and second question why do you send Ack twice
zzz
yes we send RI immediately
orignal
then why not together with Ack for SessionConfirmed?
orignal
it's confusing to receive ackThrough 0 twice
zzz
looking...
zzz
yeah we send ack 0 separately. The spec talks about it a lot. The spec doesn't talk about sending your RI
orignal
not a big deal just asking why
orignal
and in most cases RelayRequest gets acked and never resent again
zzz
the ack 0 is where we send the relay tag if he asked for it. it's a good point, may be worth combining them
zzz
still finding some leftover ssu 1 stuff to get rid of too, not quite done
zzz
and yes the attack turned back on, knocked 20 points off expl. build success. I can't find fRcf though
orignal
what is fRcf?
dr|z3d
that's a router I mentioned earlier.
zzz
some router dr|z3d was pointing finger at
dr|z3d
XG, demanding a ton of transit tunnels.
orignal
I can tell you what is XG
orignal
and that's right
orignal
it couldn't be found at floodfills
dr|z3d
maybe it's disappeared.
orignal
no
dr|z3d
we can't rule out the possibility whoever's running the attack is keeping an eye on this channel.
orignal
i2pd publishes G for routers through proxy
orignal
and since no R or U it's definitely the one
dr|z3d
the words marzipan and dildo come to mind.
orignal
?
dr|z3d
XG routers..
orignal
so the guy behind it is an idiot
orignal
X for router through proxy
orignal
that doesn't accept transit at all
dr|z3d
you're not familiar with the expression "about as useful as a marzipan dildo"?
orignal
no, I'm not a native english speaker
dr|z3d
think about it...
dr|z3d
yup, yup.
dr|z3d
another idiot: vEVDcDjjkjW7s1vDs2NNLzM-E9P8uvSzQxslKJSZYq8=
dr|z3d
I know you're not, orignal, that's why I take some time to increase to explain things :)
orignal
I don't see at my FF
orignal
how do you see them?
orignal
are they all connected to you?
orignal
i2pd 20 0 1249296 176180 6016 S 12.2 8.6 183:44.52 SSU2r
orignal
wow. that's something new
orignal
looks like someone floods with UDP packets
dr|z3d
dunno where increase came from, ignore that word.
dr|z3d
"as useful as a marzipan dildo / chocolate teapot" is a colloquial way of saying "fucking useless".
orignal
that thread does nothing but takes UDP packets from buffer
dr|z3d
First heard about: 6 min ago Last heard about: 6 min ago Last heard from: 301 ms ago
orignal
do you see their actual IP?
orignal
but how did you hear?
dr|z3d
no ip, either published or via transport.
orignal
then how did you find out about it?
dr|z3d
it's in my netdb.
dr|z3d
maybe it sent over an RI.
dr|z3d
zzz: got a moment to cast an eye over my likely naive LS partial match method?
orignal
but who sent it?
dr|z3d
dunno
orignal
zzz, what error code do you send if nonce already exists?
orignal
because no code like "duplicate nonce"
zzz
am I bob or charlie?
zzz
dr|z3d, you'll never get to that new code, because convertToHash(prefix of some sort) will return null. If it gets a hash it isn't partial.
orignal
bob
orignal
to relay request
dr|z3d
yeah, thanks, zzz, figured it wasn't doing the job.
dr|z3d
aka "naive" :)
orignal
caps=46
orignal
Vort has collected these XG guys
orignal
connected to him
orignal
you guys can take a look
orignal
<Vort> [2a02:6ea0:f207::d001]
orignal
their IP
zzz
if I check in the code I'm working on, then a dup nonce at bob will be acked and dropped
orignal
no RelayResponse being sent?
zzz
no
zzz
but we'll see
dr|z3d
tell vort to use cake, orignal. privatebin is shit.
dr|z3d
first I have to enable js, then I have to download the attachment. fuck that.
orignal
it's just FYI
orignal
all these XG routers are connected through NTCP2 v6
orignal
then you don't
orignal
that's the i2p link
dr|z3d
exactly.
dr|z3d
I don't want to have to jump through hoops to view a paste.
orignal
paste.i2pd.xyz and privatebin.i2p is the same thing
dr|z3d
I know. it's not the site, it's the implementation.
dr|z3d
I might reluctantly enable js, but I'm not going to enable js and then download an attachment just to see a paste.
orignal
up to you
dr|z3d
like I said, tell vort to use cake.i2p in future. up to him.
orignal
it's an archive of XG RIs
orignal
if you guys don't care it's fine
dr|z3d
I have my own collection, but thanks.
orignal
do you see caps=46 there?
orignal
do you see SSU2?
dr|z3d
let's have a look at: WWPvSr9Pc4f4mihY3yDNc46qxIdjoOlx4mPI3nfPh6E=
dr|z3d
Addresses:
dr|z3d
NTCP2 caps: 46 s: 1hXHJ9Xqrf-dzjQPYMNE9WfXEQw9HK6JxVah6iB~6WM= SSU2 caps: 46 MTU: 1478 i: T1L-kf5m93dgVgT5gh5CKKj4HlbSOFpiUi6K8tUX1DU= s: NKbvm6sHpJTfF7RwfsAubdxE67AmODexmJgr9lQMfyA=
dr|z3d
Stats:
dr|z3d
First heard about: 39 min ago Last heard about: 39 min ago Last heard from: 2534 ms ago
orignal
seems same monkey
orignal
SSU2
dr|z3d
And due to recent changes in my workspace, also banned.
orignal
proxies rarely support UDP
dr|z3d
Another monkey: 2avtvyGZepl0AB-a2h9GEtSF7MbYMSBkXxUdwX8UzZQ=
dr|z3d
46/NTCP/SSU2
orignal
monkey doesn't understand that SSU2 doesn't work through Tor
orignal
because monkey
orignal
what was the reason of ban?
orignal
Tor IP?
dr|z3d
no, ban is because XG and not R and no U.
orignal
would you ban ygg routers?
orignal
great
orignal
"dumb and dumber"
dr|z3d
oh, actually, no, it's banned because no router version.
dr|z3d
ygg routers wouldn't appear in my netdb.
dr|z3d
so no.
orignal
router.version=0.9.64
orignal
I see it everywhere in Vort's list
orignal
didn't know that R or U is a requirement
orignal
zzz, eyedeekay please confirm
dr|z3d
I see version here, so I'm probably wrongly tagging the ban reason.
orignal
please find out the actual reason
orignal
can I just publish H instead of R or U?
dr|z3d
and the criteria for the current test ban is X + G + !R + !U.
dr|z3d
like we've already established, XG is useless.
orignal
and ygg router
orignal
can be XG
orignal
router through proxy also can be XG
orignal
and no it's not useless because it can connect to you
zzz
we don't ban ygg, we don't require R/U
dr|z3d
sure, orignal, it can connect to me, it can request tunnels from me, but it's G. there's something not right.
RN
I want my router to be O.G.
RN
;)
orignal
what exactly is not right? It says G and that's it
orignal
RN not a problem I can run OG router ))
orignal
dr|z3d are you going to ban all "G" routers?
dr|z3d
orignal: no.
dr|z3d
G isn't the problem.
dr|z3d
a router that's neither R nor U, X tier, G, and demanding tunnels is the problem.
orignal
please explain why
dr|z3d
if you're G, you're basically saying "no tunnels".
dr|z3d
so why are you asking for tunnels?
orignal
no transit tunnels
orignal
because I need tunnels for my local destination
dr|z3d
right. and what I've observed is these routers requesting a huge number of tunnels.
orignal
but don't/can't participate
orignal
a huge number of tunnels is another issue
orignal
but how is it related to R, U or G caps?
orignal
ofc G router can request only own tunnels
orignal
but you said it was banned because G and no R or U
dr|z3d
like I said, workspace testing. G, neither R nor U, and X.
orignal
banning XG itself doesn't make sense
dr|z3d
are you actually listening?
orignal
yes
orignal
and I can't get your point
dr|z3d
I'm not banning XG, I'm currently testing banning XG !R!U
orignal
<orignal> but you said it was banned because G and no R or U
orignal
you say the same thing router caps is XG
orignal
just because caps = XG
dr|z3d
all four conditions need to be met.
dr|z3d
X, G, !R, !U
orignal
that caps=XG
orignal
right?
orignal
if your caps = XG you ban such router
orignal
btw, what would happen if I publish G cap only
dr|z3d
this is why I was proposing a !R!U cap.
orignal
without bandwidth
orignal
dr|z3d yes or no?
dr|z3d
yes or no what, orignal?
dr|z3d
yes I like pie.
orignal
<orignal> if your caps = XG you ban such router
orignal
that's my question
orignal
do you ban a router if caps=XG?
dr|z3d
I've already told you. X + G + !U + !R.
orignal
answer concrete question
dr|z3d
don't make me hurt you.
dr|z3d
:)
orignal
do you ban a router because caps=XG or caps=GX ?
orignal
without other condition
dr|z3d
If an XG router has neither R nor U caps, yes, that's currently the ban condition I'm testing.
orignal
then I should start bypassing I2P+ routers completely
orignal
enough insanity for me
orignal
zzz, now question for you if caps=G is valid?
dr|z3d
like I said before, I'm _testing_ this.
orignal
then you should conclude that test failed
dr|z3d
really, a router that's G cap should never be able to publish X tier.
orignal
nothing illegal or bad if caps=XG
orignal
then what tier should it publish?
orignal
see my question to zzz
dr|z3d
I told you, I've been watching XG!U!R routers request more than a reasonable amount of tunnels lately. I think it may be part of the attack.
orignal
then you should check amount of tunnels first
dr|z3d
what tier should it publish? won't handle any transit requests? L, or maybe even K.
orignal
btw, what does this bandwidth cap mean in specs?
dr|z3d
X?
orignal
yes
orignal
how much you can participate or just your local bandwidth?
dr|z3d
unlimited bandwidth available.
orignal
my proposal is to not publish any tier
orignal
available for?
orignal
for transit or own traffic?
dr|z3d
well, you're publishing that in your routerinfo, so you're advertizing your capability to other peers.
orignal
I can sit on 10 Gbs line and not participate in tunnels for own reason
dr|z3d
and your class is set by your upstream b/w, download b/w is separate.
orignal
should I publish X or not?
dr|z3d
if you're not offering unlimited bandwidth, no, you shouldn't be publishing X.
orignal
my bandwidth is good but I don't participate
orignal
for example because I live in batustan
orignal
then we come to the question of whether I'm allowed to not publish bandwidth at all
dr|z3d
if you're G, you might as well advertize as K.
dr|z3d
because you're doing nothing useful for the network.
orignal
again can I not publish at all?
dr|z3d
ask zzz
orignal
already did
dr|z3d
I'd just publish K, or why not hide yourself instead.
dr|z3d
because you are a marzipan dildo from the network's perspective.
orignal
btw we use this cap
orignal
to detect if transport session is slow
orignal
if actual bandwidth we see is slower than declared we mark it as slow
dr|z3d
well, extend that to also detecting if the router is publishing G, perhaps?
orignal
no, why?
orignal
if we participate in its tunnel
orignal
we know if it's slow or not
orignal
G or not G doesn't matter
dr|z3d
you're detecting if the transport is slow and downgrading the published b/w tier if I understand you correctly, so a router that's G is, to all intents and purposes, also slow and should be avoided.
dr|z3d
as an alternative strategy, instead of banning XG!R!U instantly, we can cut them some slack and treat them as slow routers wrt the number of tunnels we'll host for them before rejecting requests.
dr|z3d
how about that instead?
orignal
yes, that's much better
orignal
they should have limit of tunnels because they can only build their own
dr|z3d
sure, that's the alternative strategy. treat them like L class routers.
orignal
I also think maybe publish H if through proxy
dr|z3d
yeah, that's a good idea.
orignal
basically if a router works in -stan mode
orignal
not necessarily proxy
zzz
debate with drz as you like but please don't keep asking me if I do what he does because I probably don't
orignal
zzz, I'm asking you concrete question
orignal
if bandwidth is requirement
orignal
or such router will be considered as malformed
orignal
and this question is to you not to him
orignal
e.g. can I publish just caps=G
zzz
you can research the specs to see whether it's required or recommended
zzz
I don't think my code would ban it, but not sure how it would be treated
zzz
if it's a serious question, I suggest you test it and see, that's a better way to find out than to ask me ))
orignal
yes, it's a serious question, because I thought about it already
orignal
not ban just consider malformed
orignal
like if you don't have "version" in RI
orignal
remember, we haven't had "G" caps for that long
dr|z3d
I don't like routers without versions.
zzz
we don't really have a concept of malformed. Either it parses, has netid=2, and has a valid sig, or it doesn't.
zzz
but again, the netdb spec may give you some clues
orignal
I doubt that specs mention bandwidth caps in case of G
dr|z3d
you were asking about bandwidth (tier) caps.
dr|z3d
G isn't a bandwidth cap per se.
dr|z3d
when a tunnel request is declined, orignal, what do you do? stop sending requests?
orignal
no
orignal
add this info to profile
orignal
and if always decline stop sending for a while like 72 hours
dr|z3d
so you just carry on blasting out requests?
orignal
yes, but to random routers
dr|z3d
so not to the same router that's just declined a tunnel request?
dr|z3d
let's say for example I set a limit of 30 requests per 10m.. I don't, but it's a useful enough example..
dr|z3d
and you request 31, 32.. and I decline those.. how long does it take you to stop sending requests, and how long do you wait before sending new requests?
dr|z3d
ie, what's your backoff strategy?
dr|z3d
fyi.
orignal
not sure need to check
orignal
bool IsAlwaysDeclining () const { return !m_NumTunnelsAgreed && m_NumTunnelsDeclined >= 5; };
orignal
5 declines in row
dr|z3d
ok, that's within reasonable limits. no bans for you.
dr|z3d
if you backoff for maybe 10m, you should be good. maybe less, but 10m is safe.
dr|z3d
definitely not 72h :)
RN
72 hours, until next restart.... both seem pretty long to me
RN
considering I usually only restart my routers on purpose when there is a release to apply
dr|z3d
as long as you know when to backoff and when to resume, then you can adjust requests accordingly.
RN
yes the 'until next restart' is referring to (the sybil thing) unrelated area of the code
RN
but
orignal
no 72 is always 72 hours
orignal
it's persisted in a file
RN
orignal, I was talking about two different examples of timeout that to me seem longer than needed
RN
screw up a family key and get sybil banned till restart for all the routers that saw the broken key, or back off for 72 hours because the router failed 5 (rapidly?) sent requests
RN
both seem long to me
RN
just an opinion
RN
)
orignal
nobody happened to explain what happened to 2RRY yet
orignal
as usual here
RN
though if I remember correctly, the sybil one was only a theory and wasn't confirmed
dr|z3d
sybils bans are persistent.
dr|z3d
you set your own ban period.
dr|z3d
so after 5 rejections, you avoid the router for 72h?
dr|z3d
we did 2RRY a long time ago.
RN
if 2RRY is back to normal, then it was just a ghost in the matrix
dr|z3d
fucked family cert. end of discussion. move along please.
orignal
yes, after 5 rejections I bypass it for 72 hours, maybe 24, don't remember exact number
dr|z3d
you need to adjust that.
orignal
dr|z3d no, not end of discussion
orignal
I'm wondering WHY
dr|z3d
even 24h is ridiculous.
orignal
idk if 2RRY is normal now
dr|z3d
try 10m backoff. you'll be fine.
orignal
because the attack
orignal
const int PEER_PROFILE_EXPIRATION_TIMEOUT = 36*60*60; // in seconds (1.5 days)
orignal
36 hours
dr|z3d
that's just wrong.
RN
maybe backoff ten minutes, give that router a chance to de-congest, and next time it is randomly selected and fails 5 times then block for a longer time
dr|z3d
private static final int LIFETIME_PORTION = 3; // portion of the tunnel lifetime
dr|z3d
private static final int MIN_LIMIT = (isSlow ? 100 : 150) / LIFETIME_PORTION;
dr|z3d
private static final int MAX_LIMIT = (isSlow ? 1200 : 1800) / LIFETIME_PORTION;
dr|z3d
private static final int PERCENT_LIMIT = 15 / LIFETIME_PORTION;
dr|z3d
private static final long CLEAN_TIME = 11 * 60 * 1000 / LIFETIME_PORTION;
orignal
so, can someone here explain what caused so long ban because wrong family key?
orignal
NOBODY
orignal
const int PEER_PROFILE_DECLINED_RECENTLY_INTERVAL = 150; // in seconds (2.5 minutes)
orignal
also I give up for 2.5 minutes if declined
dr|z3d
we've been here. cached RI data, new restart fixed.
orignal
it's not enough
dr|z3d
give it 10m.
orignal
I would like to have clear explanation
orignal
about wrong family key
dr|z3d
you'll then find whatever was declining you, assuming java, with accept requests again.
dr|z3d
*will
orignal
because I consider it as another fuck off
orignal
nobody happened to explain
dr|z3d
you fucked your family key. maybe handling could be better, but that's the basic reason.
RN
make a new pair of routers, then mess up the family key on purpose, see what happens with them?
orignal
why 2RRY was banned until next restart
orignal
NOBODY EVEN TRIED
RN
neither did you orignal
orignal
what for?
orignal
did what?
RN
set up a new router pair, test if the family key mess up breaks them
orignal
there is something in Java code
dr|z3d
10m, original. not 2.5m, not 1.5days. 10m.
orignal
1.5 days is lifetime of a profile
dr|z3d
2.5 minutes isn't long enough to avoid being rejected in java land.
orignal
dr|z3d maybe I will change number
orignal
just need to look into that code
dr|z3d
technically clean time is 11m/3
orignal
again I can't tell what is the situation with 2RRY
orignal
because it becomes E too often
dr|z3d
after clean time has elapsed, any router that was requesting too many tunnels is forgotten about.
orignal
let me see what happens to 5 rejection in the row
RN
that is why I say set up another two, make them a family, set up same as 2rry, then add a third and mess up family key... then you can observe if the same thing happens or not
dr|z3d
if you want to go lower than 10m, no less than 4m. but 10m is a good round number.
orignal
RN and then?
RN
but don't put them in 2rry family
orignal
say I see the same problem
orignal
how will it help?
RN
then you have a reproducible issue
RN
you know there is something to investigate or not
orignal
and get one more fuck off ?
orignal
right now I can't
RN
¿ ?
dr|z3d
all in your mind, orignal :)