zzz
dr|z3d, where are you doing the blocking? in netdb DSM handler? or transports or tunnels?
dr|z3d
for LU?
zzz
yes
dr|z3d
mostly KNDF, but also RequestThrottler, TransientDataStore, PersistentDataStore, and with a scheduled cleanup job.
dr|z3d
are you tending towards the same LU blocking policy?
dr|z3d
if you 'git grep "LU Router"' in the + source, you'll see all the places.
zzz
researching only for now
zzz
are you letting them connect in? or ban-and-drop in the inbound transports?
dr|z3d
get the IP and RI, then instant ban. I don't think we're allowing a full handshake.
dr|z3d
in KNDF:
/**
 * Ban LU (low bandwidth) routers unconditionally for 1 hour.
 * These routers flood the network with no meaningful bandwidth contribution.
 * @since 0.9.67+
 */
private boolean checkLU(RouterInfo routerInfo, String caps, String routerId, Hash h) {
    if (caps == null) return false;
    // lowest two bandwidth tiers: CAPABILITY_BW12 ('K') or CAPABILITY_BW32 ('L')
    boolean isLowTier = caps.indexOf(Router.CAPABILITY_BW12) >= 0 ||
                        caps.indexOf(Router.CAPABILITY_BW32) >= 0;
    // explicitly unreachable ('U'), or not advertising reachability ('R') at all
    boolean isUnreachable = caps.indexOf('U') >= 0 || caps.indexOf('R') < 0;
    if (isLowTier && isUnreachable) {
        if (!_context.banlist().isBanlisted(h)) {
            String ipPort = getRouterIPPort(routerInfo);
            _log.warn("Banning Router [" + routerId + "] -> LU Router");
            _banLogger.logBan(h, ipPort, "LU Router", 60*60*1000L);
            _context.banlist().banlistRouter(h, "LU Router", null, null, _context.clock().now() + 60*60*1000);
        }
        return true;
    }
    return false;
}
dr|z3d
I redid the ban page, so where possible, we now have a direct IP, hash, port, country flag etc. for banned routers; the previous version was a bit sparse in various places.
dr|z3d
we also have category counters for ban reasons, with toggles, which allows you to filter just the category or categories of bans you want to review.
dr|z3d
that also helps when the active bans get a bit unruly, size-wise. any category with > 500 entries is toggled off by default when the page loads, which helps with browser jank, though the initial load can still take some time.
zzz
hmm. but does that get back to the transports InboundEstablish for immediate drop, or does it just ban it so it cant come back in next time?
zzz
because we do the ban check before the netdb store
zzz
can you look and see if you have inbound LU conns?
dr|z3d
LU inbounds on SSU show up for around 3s or so, then get immediately banned.
dr|z3d
NetDb search returns: No routers with Caps LU found in the network database.
nyaa2pguy
what's the latest opinions/viewpoints on tor node bans on routers? i know orignal doesn't agree with them
nyaa2pguy
ignoring the fact those would probably be all LU
dr|z3d
once they're banned, they're pretty quickly given marching orders and they disappear from the UI. I don't think I wait 10m to disconnect iirc.
dr|z3d
routing i2p traffic over tor a) introduces unwanted latency and b) is heavily abused by attackers. hence the ban.
nyaa2pguy
was thinking maybe hybrid approach could work: tor is allowed on normal days, but if there's too much, they all get banned or capped to certain % of total connections
zzz
but I don't think a ban causes a disconnect, at least it doesn't over here
zzz
dr|z3d, the fleet seems to be new or upgraded all 0.9.68, which is annoying, is that what you're seeing?
zzz
and checkLU() returns true if LU, but when called from KNDF.validate(), validate() returns null (i.e. valid) if checkLU() is true, bypassing all other checks, so I'm not yet buying what you're selling, it looks backwards
zzz
to me it looks mainly like a conn limit issue, secondarily a netdb size issue.
zzz
gah
zzz
but your checkLU() looks worse than useless
dr|z3d
fixing my ban logging, not seeing version strings right now, probably a regression, was working before.
nyaa2pguy
does "optimize for multihoming" do anything other than not bundle current leaseset in outbound messages
dr|z3d
you mean it *does* bundle the leaseset.. no, that's all it does afaik.
nyaa2pguy
ahh okay
orignal
nyaa2pguy don't start another endless discussion ))
orignal
because these guys don't listen
orignal
about LU
orignal
new i2pd sets O or P by default if Intel CPU
orignal
that's why less L routers
dr|z3d
let me look into that, zzz, thanks.
dr|z3d
no, not less LU, orignal, there's an entire botnet built with LU which is what we're discussing.
orignal
right, I'm just letting you know
orignal
that a new botnet most likely will be not LU
dr|z3d
confirmed, zzz, mostly 0.9.68
dr|z3d
also, LU blocking fixed, thanks for reporting.
zzz
and checkXG() and isBanlisted() and checkCountryBlocking()
zzz
so my ff is slammed to conn limits and struggling to stay under 9000 known RIs, 7000 bans. you have a ff doing any better?
orignal
why do you need to stay under 9K?
nyaa2pguy
is there a general recommended netdb size
nyaa2pguy
my c# router is at 29k
nyaa2pguy
it was briefly at 31k
nyaa2pguy
42.5 MB file size (all RI in single file)
zzz
orignal, there's no hard limit, but our target is 4K, and prior to this new batch of LUs my ff would run 5-6K
orignal
well if you are a FF you can't make it less than 1 hour, but some Ls
zzz
dr|z3d, by what metric are you rating the harm of this fleet, or success if any of your mitigations?
zzz
orignal, most of them are out-of-keyspace, I'm early-expiring about 150/minute of them
dr|z3d
as a general rule, zzz, I don't expect to see more L class routers in my netdb than the sum of, say, P and X.
zzz
dr|z3d, for a ff or non-ff?
orignal
yes, I know I do it too
dr|z3d
as a ff, zzz.
orignal
L router not from my keyspace
orignal
but still have like 15K
zzz
dr|z3d, are you seeing conn limit issues from the LUs?
dr|z3d
zzz, no.
dr|z3d
not now they're all banned.
zzz
my non-ffs are all happy as clams
zzz
obv I can't ban all the LUs like you are. But haven't seen any real bad behavior to trigger on, they're just chatty?
dr|z3d
the other metric I use as a rough guide is total number of known routers. if it ramps much above 6K, that's generally a sign something dodgy this way comes.
zzz
yup, and by that metric my ff is not happy
dr|z3d
yeah, rough guess is around 20K of them, hence the ban. ban now, worry later.
orignal
what's wrong with LU in general?
orignal
usually it's just android
zzz
nothing
orignal
then why do you want to ban android routers?
orignal
just because they are LU
dr|z3d
nothing to do with android, orignal. everything to do with a huge LU botnet.
orignal
and you also want to ban all android routers
orignal
great idea
orignal
even better than banning Tor
dr|z3d
assuming all android routers are LU, which isn't a given, they're collateral damage right now. zzz isn't proposing to ban them all, in any event.
orignal
most likely yes, i2pd android routers are LU
orignal
'L' because it's default for non-Intel cpu
orignal
'U' because mobile network
orignal
how come I don't see ANY damage?
orignal
Tunnel creation success rate: 75%
dr|z3d
floodfill?
zzz
nothing
orignal
no
zzz
LU 0.9.68 is < 2% of my connections on a non-ff, 18% on a ff
orignal
Tunnel creation success rate: 55%
orignal
that's floodfill
zzz
I don't see any bad tunnel or netdb abuse, they're only clogging up my ff connection slots. Unless dr|z3d has some other indicators of badness
orignal
you mean too many transports or what?
dr|z3d
no evidence of bad behavior, no, just a shit ton of crap.
orignal
NTCP2 ( 2283 )
orignal
SSU2 ( 2934 )
zzz
LU isn't crap, but if everybody is LU it's crap
dr|z3d
right.
orignal
SSU2v6 ( 577 )
dr|z3d
crap being the assumption 20K LU routers are a botnet, not the LU caps per se.
orignal
NTCP2v6 ( 503 )
orignal
not too much
orignal
seems you are trying to catch a black cat in a dark room
orignal
as I said you should see more OU and PU
zzz
the only thing I can think of is reduce my idle timeout to drop the connections quicker
orignal
can we introduce a flag saying that connection is for publishing/lookup only?
orignal
I remember we have something in SessionConfirmed
zzz
you proposed something similar before, let me look it up
orignal
or in RI block
zzz
don't have it on my list, but iirc the idea was a out-of-session netdb store
orignal
no I didn't
orignal
my current idea
zzz
kinda like a peer test, just here's my RI, see yah
zzz
fuzzy memory though
orignal
Alice sends SessionConfirmed and closes the session
orignal
and an adversary can flood you with tons of shit
orignal
without full authentication