
Another DoS?

Open SilmorSenedlen opened this issue 1 year ago • 26 comments

Good day. Just noticed an abnormally high transit traffic through my node: ~25 MiB/s / ~35k PPS

I2Pd_DoS_04

Usually transit is about 4-6 MiB/s, and occasionally reached up to 10 MiB/s (not counting other DoS).

Strangely, there is no abnormally large number of floodfills and/or increase in memory consumption (consumption frozen at a devilish 666 MiB xD), like in past DoS attacks.

I2Pd_DoS_04_Res

Apparently, this has been going on for about half a day, so, in my opinion, it does not look like an episodic increase in transit.

Any thoughts ?

SilmorSenedlen avatar Oct 22 '24 02:10 SilmorSenedlen

2.53.1 and 2.54.0, both on Debian 11. There are similar recent changes in performance characteristics, but less memory consumption: about 299000 KB after 83 d 22 h uptime and 237000 KB after 16 d 21 h uptime.

LLE8 avatar Oct 22 '24 05:10 LLE8

You are right, network is under attack.

  1. Several days ago an unusually high number of routers from China was added. Probably, this is where the attack originates from;
  2. Right now the attack consists only of abnormally high transit traffic.

image (https://i2p-metrics.np-tokumei.net/router-distribution)

Vort avatar Oct 22 '24 07:10 Vort

I2PD 2.53.1 and 2.54.0, on a relatively inexpensive VDS; http://flibusta.i2p/ is available, so it seems the DoS is not fully effective yet.

LLE8 avatar Oct 22 '24 08:10 LLE8

> it seems the DoS is not fully effective yet

High traffic comes in spikes. When there are no spikes, data can flow as usual (almost).

Here is the CPU load chart for my router (which is highly correlated with attack traffic): image

Vort avatar Oct 22 '24 08:10 Vort

Tunnel creation success rate is too low, about 6-8%, compared to normal operation not under attack, about 15-20%.

LLE8 avatar Oct 22 '24 08:10 LLE8

> Tunnel creation success rate is too low, about 6-8%, compared to normal operation not under attack, about 15-20%.

The attacker can do something else besides high traffic, but it is unclear what exactly. TCSR started decreasing right after the extra routers were added to the network (before the attack with high transit was started).

Vort avatar Oct 22 '24 08:10 Vort

@Vort Can you just ban the new Chinese routers?

mittwerk avatar Oct 22 '24 08:10 mittwerk

> @Vort Can you just ban the new Chinese routers?

It won't have much effect. My router has no direct connections to their routers (I think they banned me a long time ago with the Great Firewall). But transit traffic goes through lots of other random nodes and nothing can be done about it.

Vort avatar Oct 22 '24 08:10 Vort

What are these "new Chinese routers" doing that is illegal? Are there any formal reasons for a ban? They are simply using the i2p network as intended, I think.

LLE8 avatar Oct 22 '24 09:10 LLE8

They malfunction. They declare themselves as floodfills, but don't serve as floodfills.

orignal avatar Oct 24 '24 11:10 orignal

I2PD process killed by the OOM-killer as a result of the attack.

LLE8 avatar Oct 30 '24 11:10 LLE8

> I2PD process killed by the OOM-killer as a result of the attack.

My node on version 2.54.0-61-g0086f8e2 uses 192 MB of RAM right now, despite the high transit traffic of the attack. I think RAM consumption is ok.

Vort avatar Oct 30 '24 11:10 Vort

Maybe uptime is too short.

LLE8 avatar Oct 30 '24 11:10 LLE8

> I2PD process killed by the OOM-killer as a result of the attack.

Over the past period of constant load (~6-18 MiB/s), memory consumption on my node increased only by ~40 MiB.

SilmorSenedlen avatar Oct 30 '24 22:10 SilmorSenedlen

Are you a floodfill?

orignal avatar Oct 30 '24 22:10 orignal

> Are you a floodfill?

Yep

```ini
ipv4 = true
ipv6 = true
bandwidth = X
share = 100
notransit = false
transittunnels = 200000
floodfill = true
```

SilmorSenedlen avatar Oct 31 '24 02:10 SilmorSenedlen

Another significant spike: I2Pd_DoS_05

Now with much more transit tunnel count.

Probably will have to lower the bandwidth of the node so as not to clog the channel with that parasitic traffic -_-

SilmorSenedlen avatar Nov 03 '24 09:11 SilmorSenedlen

Interestingly, yesterday it was possible to observe the network state without the attack: on my node, TCSR was 30%. Today it is lowered to 12%.

> Now with much more transit tunnel count.

Do you know that transit tunnel count depends on the TCSR value? Twice lower TCSR means twice higher tunnel count. I think the high count in this case just means an overloaded state of the network.

Vort avatar Nov 03 '24 09:11 Vort

> Interestingly, yesterday it was possible to observe the network state without the attack

Yeah, bw had decreased on my node to 2-4 MiB, almost all day.

> Do you know that transit tunnel count depends on the TCSR value?

No, I didn't know that.

> I think the high count in this case just means an overloaded state of the network.

Very sad : /

SilmorSenedlen avatar Nov 03 '24 09:11 SilmorSenedlen

> No, I didn't know that.

Failed transit tunnels are still tracked as alive, because the transit node can't check if they are fine.

Vort avatar Nov 03 '24 09:11 Vort
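A toy model of the two comments above (tunnel count scaling with 1/TCSR, and transit nodes keeping failed builds as alive). This is an added example, not code from i2pd or from anyone in this thread; it assumes clients keep rebuilding until they own a fixed number of working tunnels and that every forwarded build is counted by the transit router until it expires.

```python
"""Toy model: why transit tunnel count rises as TCSR (tunnel creation success rate) falls.

Assumptions (simplified, not i2pd's actual scheduler):
- a client keeps issuing build requests until it owns `wanted` working tunnels;
- each build attempt succeeds independently with probability `tcsr`;
- a transit router counts every build it forwarded as alive until expiry,
  because it cannot distinguish failed tunnels from good ones.
"""
import random


def builds_needed(wanted: int, tcsr: float, rng: random.Random) -> int:
    """Build attempts one client makes before it holds `wanted` good tunnels."""
    attempts = 0
    good = 0
    while good < wanted:
        attempts += 1
        if rng.random() < tcsr:
            good += 1
    return attempts


def transit_per_good_tunnel(tcsr: float, clients: int = 2000,
                            wanted: int = 6, seed: int = 1) -> float:
    """Average number of transit-tracked tunnels per actually working tunnel,
    simulated over many clients with a fixed seed for reproducibility."""
    rng = random.Random(seed)
    total_builds = sum(builds_needed(wanted, tcsr, rng) for _ in range(clients))
    return total_builds / (clients * wanted)


def expected_ratio(tcsr: float) -> float:
    """Closed form: each good tunnel costs 1/tcsr attempts on average."""
    return 1.0 / tcsr


if __name__ == "__main__":
    # 30% was the no-attack TCSR quoted in the thread, 12% and 6% under attack.
    for tcsr in (0.30, 0.12, 0.06):
        print(f"TCSR {tcsr:.0%}: ~{transit_per_good_tunnel(tcsr):.2f} transit "
              f"tunnels per good tunnel (expected {expected_ratio(tcsr):.2f})")
```

Halving TCSR (30% to 15%) doubles the simulated count, and at 6% a transit router tracks roughly 16 build attempts for every tunnel that actually works, which is why a load spike shows up as a tunnel-count spike.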

> Over the past period of constant load (~6-18 MiB/s), memory consumption on my node increased only by ~40 MiB.

Fresh trunk i2pd version 2.54.0-64-g4432c5a2 (0.9.64), uptime 2 d 10 h, mem ~250000 kB

ADD1: uptime 8 d 8 h, mem ~280000 kB

LLE8 avatar Nov 03 '24 17:11 LLE8

Is the attack paused?

LLE8 avatar Nov 09 '24 16:11 LLE8

> Is the attack paused?

At least, transit volume has decreased significantly and corresponds to the ~values of previous months.

SilmorSenedlen avatar Nov 09 '24 17:11 SilmorSenedlen

@Vort

> It won't have much effect. My router has no direct connections to their routers (I think they banned me a long time ago with the Great Firewall). But transit traffic goes through lots of other random nodes and nothing can be done about it.

The monero nodes almost all run a shared blocklist we've put together over the years to block bad actors doing random junk that just hurts the overall network. It may be of interest to add something of the sort for the whole i2p network and allow people to enable/disable this list (if there are more abuses, of course).

G2G2G2G avatar May 29 '25 10:05 G2G2G2G

Java I2P already made such list: https://github.com/i2p/i2p.i2p/blob/master/installer/resources/blocklist.txt

But such a tool gives too much power to the people who manage the list, so I believe that's why i2pd has no blocklists.

Vort avatar May 29 '25 10:05 Vort

> What are these "new Chinese routers" doing that is illegal? Are there any formal reasons for a ban? They are simply using the i2p network as intended, I think.

The malicious routers have some common characteristics:

  1. Same router version, but not the latest
  2. Set as floodfill (Xf)
  3. IP addresses belong to hosting providers (Tencent Cloud, Aliyun)

Scott169 avatar Sep 15 '25 02:09 Scott169