
Critical Bug! Node Runner can consume tokens of client

Open adarshaketh opened this issue 2 years ago • 7 comments

About Bug: Node runners can waste Myst tokens and bandwidth of the connected client. Basically, a node runner can set up a script to ping the connected device with a large amount of traffic.

How to perform: 1. If the node is running on Linux / Raspberry Pi, run the command below in a terminal

Example: ping 10.182.0.2 -s 64000

Here 10.182.0.2 is the IP address of the client connected to the node. In most cases it will be 10.182.0.2 or 10.182.1.2.

By running the above command the client will be charged for bandwidth which is actually not used by the client itself. The problem is that ping requests are being charged.

Bad Node Runners can use this method to increase their earnings, and this will abuse network usage. I have added a link to a demo video: https://youtu.be/YZ-H0gqjqfU

adarshaketh avatar Feb 14 '22 20:02 adarshaketh

Thank you! We will look into this.

Snawoot avatar Feb 14 '22 20:02 Snawoot

The attack can actually be improved by using the -f flag as root (flooding, aka it just spams out ICMP requests without waiting for a response) or -i with a very low value, 0.01 for example. There actually are a few options to generate bandwidth that the client is being charged for. I had detected that possibility a while ago, however it seems to be a technical issue, so I didn't report on it (as it cannot be fixed, really). One idea of fixing was to route all traffic from the client through a transparent SOCKS proxy like Tor does. This would allow very specific firewall rules to block traffic originating from the client. This attack can also be automated (I set up a testing node for this purpose under: 0x2409fc827afa37b9f63b3eb8237be11631bc9b75) which you can connect to. It will periodically scan for Mysterium connections, perform a host scan and then decide on how to most elegantly insert traffic. Feel free to use this node for testing, however don't use it for production. The scripts used for this can be obtained from me by Myst admins, AND NO ONE ELSE, SO DON'T ASK ME. I have been testing with this for about 2 months now, trying to find a solution for the problem.

veldspar avatar Feb 15 '22 11:02 veldspar

As an addendum, which is even worse: a malicious node running on a residential IP actually has a way worse way of manipulating the connection. An additional client can be injected into the WireGuard tunnel (aka added to the interface using wg addconf). Such an injected peer could run on the local network or in a virtual machine inside the node's host. As soon as a client is manually injected into the interface, NodeUI will stop reporting traffic in real time, however all traffic going through that peer will still be counted towards the connection (and will be updated if the client is removed from the WireGuard interface before the VPN consumer disconnects) and settled after the injected client is removed. Given that this only makes sense on a residential node, where internal traffic is free and fast, this is a more extreme case but nonetheless possible to do.

veldspar avatar Feb 15 '22 11:02 veldspar

however all traffic going through that peer will still be counted towards the connection (and will be updated if the client is removed from the WireGuard interface before the VPN consumer disconnects) and settled after the injected client is removed.

AFAIK the consumer will not pay the invoice if the expected amount differs too much

Snawoot avatar Feb 15 '22 12:02 Snawoot
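As an added example (not Mysterium's code, and not something the thread shows the project doing), here is what a consumer-side version of that tolerance check could look like in Go. It splits the bytes seen on the consumer's tunnel interface into traffic the consumer itself solicited and traffic it did not, then accepts a provider's claim only if it stays within an overhead allowance of the solicited figure. The packet log, the node-side address 10.182.0.1, the overhead percentage, the slack value and all type and function names are constructed assumptions. This covers both cases raised above: echo requests arriving from the node side are counted as unsolicited, and bytes pushed through an injected peer never reach the consumer's interface at all, so they cannot be solicited either.

```go
package main

import "fmt"

// Direction of a packet as seen on the consumer's tunnel interface.
type Direction int

const (
	Outbound Direction = iota // consumer -> provider
	Inbound                   // provider -> consumer
)

// Packet is a minimal record of one packet on the tunnel (hypothetical
// structure; a real implementation would read pcap or conntrack data).
// Field order: Dir, Proto, Src, Dst, SPort, DPort, ICMPEchoRequest, Len.
type Packet struct {
	Dir             Direction
	Proto           string // "tcp", "udp", "icmp"
	Src, Dst        string
	SPort, DPort    int  // zero for icmp
	ICMPEchoRequest bool // true when Proto == "icmp" and the type is echo request
	Len             int  // bytes on the wire
}

// flowKey identifies a conversation the consumer itself opened.
type flowKey struct {
	proto         string
	local, remote string
	lport, rport  int
}

// Usage is the consumer's own accounting for one billing period.
type Usage struct {
	Solicited   uint64 // bytes the consumer sent, or replies to flows it opened
	Unsolicited uint64 // inbound bytes no local flow explains (e.g. pings from the node)
}

// Account walks the packet log, remembering flows the consumer initiated,
// and splits the bytes into solicited and unsolicited.
func Account(log []Packet) Usage {
	opened := map[flowKey]bool{}
	var u Usage
	for _, p := range log {
		switch p.Dir {
		case Outbound:
			opened[flowKey{p.Proto, p.Src, p.Dst, p.SPort, p.DPort}] = true
			u.Solicited += uint64(p.Len)
		case Inbound:
			// An inbound ICMP echo request is never a reply to anything we sent.
			if p.Proto == "icmp" && p.ICMPEchoRequest {
				u.Unsolicited += uint64(p.Len)
				continue
			}
			// Reverse the tuple: the inbound destination is our local endpoint.
			if opened[flowKey{p.Proto, p.Dst, p.Src, p.DPort, p.SPort}] {
				u.Solicited += uint64(p.Len)
			} else {
				u.Unsolicited += uint64(p.Len)
			}
		}
	}
	return u
}

// Verdict is the consumer's decision on one provider invoice.
type Verdict struct {
	Claimed, Allowed uint64
	Accept           bool
}

// CheckInvoice accepts a claim only if it does not exceed the solicited bytes
// by more than a relative overhead allowance (encapsulation) plus a fixed slack.
func CheckInvoice(u Usage, claimedBytes uint64, overhead float64, slack uint64) Verdict {
	allowed := u.Solicited + uint64(float64(u.Solicited)*overhead) + slack
	return Verdict{Claimed: claimedBytes, Allowed: allowed, Accept: claimedBytes <= allowed}
}

// sampleLog is constructed test data: a short TCP exchange the consumer opened,
// followed by large echo requests arriving from the (assumed) node-side address.
func sampleLog() []Packet {
	log := []Packet{
		{Outbound, "tcp", "10.182.0.2", "203.0.113.10", 51000, 443, false, 1200},
		{Inbound, "tcp", "203.0.113.10", "10.182.0.2", 443, 51000, false, 1400},
		{Inbound, "tcp", "203.0.113.10", "10.182.0.2", 443, 51000, false, 1400},
	}
	for i := 0; i < 50; i++ { // node pinging its own client with a large payload
		log = append(log, Packet{Inbound, "icmp", "10.182.0.1", "10.182.0.2", 0, 0, true, 64028})
	}
	return log
}

func main() {
	u := Account(sampleLog())
	fmt.Printf("solicited=%d unsolicited=%d\n", u.Solicited, u.Unsolicited)
	// The provider bills for everything that crossed the tunnel.
	v := CheckInvoice(u, u.Solicited+u.Unsolicited, 0.10, 64*1024)
	fmt.Printf("claimed=%d allowed=%d accept=%v\n", v.Claimed, v.Allowed, v.Accept)
}
```

The design choice worth noting is that the consumer does not try to match the provider's counter byte for byte; it only refuses to pay for inbound traffic it never asked for, so normal protocol overhead passes while the patterns described in this thread push the claim past the allowed ceiling.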

Interesting finding... pretty well thought out. I think this is SUPER urgent to get fixed.

kiraitachi avatar Mar 11 '22 17:03 kiraitachi

Yes.

adinetech avatar May 19 '22 14:05 adinetech

@Snawoot AFAIK the consumer will not pay the invoice if the expected amount differs too much

Unfortunately this never happens; a provider can drain full MYST at any time.

@adinetech has just informed us in the support channel that he has tested it with the permission of the consumer. He's able to use his bandwidth and make MYST.

[Screenshot attached: 2022-07-06 at 07:39:16]

isaackielma avatar Jul 06 '22 10:07 isaackielma

Any updates?

adinetech avatar Aug 23 '22 14:08 adinetech

It was discussed internally and agreed to proceed with a solution preventing such providers from abusive behaviour. Exact measures won't be disclosed for security reasons. Changes will be implemented in the near future.

Donatas-MN avatar Sep 06 '22 12:09 Donatas-MN