Polkadot binary can't stop looking for peers #3721
Comments
|
CC @mxinden |
|
Thanks for the detailed report @derfredy. From the top of my head we might still be doing the Kademlia random walk to discover new nodes even though it should be disabled.
On a side note I would suggest the validator to not even have a publicly routable IP address. |
|
@mxinden |
@mxinden disabled by whom? the node's operator? @derfredy have you tried using substrate/client/cli/src/params/network_params.rs Lines 43 to 52 in ed82c87 |
|
We don't have sentries anymore, so this issue is not valid anymore. |
The case:
You have a validator behind 2 or more sentries. You want your validator public IP not to be disclosed. So you tunnel your connections with a VPN between your validator and your sentries. You also tell your daemon to specifically connect just to your sentries with a systemd service in which you declare your --reserved-nodes . You also use --no-mdns and --no-telemetry flags in order to keep things under control.
Everything seems ok. Your validator connects to your sentries and gets synced.
The log of your daemon shows that you are connected to just your sentries, cool!!
Sep 30 08:22:26 kusama-valid polkadot[15345]: 2019-09-30 08:22:26 Idle (3 peers), best: #55808 (0x8c7d…8c60), finalized #55739 (0xd0d7…5b7e),
⬇ 0.3kiB/s ⬆ 0.3kiB/s
But if you have a look to the list of ipv4 connections using "netstat" you see a bunch of non desired connections to many nodes of the network.
Then you decide to mitigate this with firewall output rules to avoid the promiscuity of your daemon. The result is a bunch of SYN_SENT packets trying to connect other peers.
This are desired connections:
kusama-valid:~$ netstat -untapo | grep ESTABLISHED
tcp 0 0 10.10.0.2:44470 10.10.0.5:30333 ESTABLISHED 15345/polkadot off (0.00/0/0)
tcp 0 0 10.10.0.2:45312 10.10.0.3:30333 ESTABLISHED 15345/polkadot off (0.00/0/0)
tcp 0 0 10.10.0.2:57122 10.10.0.1:30333 ESTABLISHED 15345/polkadot off (0.00/0/0)
But if you don't filter by ESTABLISHED what you see is pretty weird:
tcp 0 0 10.10.0.2:30333 0.0.0.0:* LISTEN 15345/polkadot off (0.00/0/0)
tcp 0 1 XXX.XX.XX.XX:39502 51.77.66.187:30333 SYN_SENT 15345/polkadot on (0.77/1/0)
tcp 0 0 10.10.0.2:44470 10.10.0.5:30333 ESTABLISHED 15345/polkadot off (0.00/0/0)
tcp 0 1 XXX.XX.XX.XX:48214 10.244.1.4:20222 SYN_SENT 15345/polkadot on (0.77/1/0)
tcp 0 1 XXX.XX.XX.XX:41746 40.70.31.247:30333 SYN_SENT 15345/polkadot on (0.77/1/0)
tcp 0 1 XXX.XX.XX.XX:44262 119.254.81.66:31337 SYN_SENT 15345/polkadot on (1.35/1/0)
tcp 0 1 XXX.XX.XX.XX:56352 35.176.144.121:30100 SYN_SENT 15345/polkadot on (0.77/1/0)
tcp 0 1 XXX.XX.XX.XX:44756 54.202.251.142:30333 SYN_SENT 15345/polkadot on (3.00/3/0)
tcp 0 1 XXX.XX.XX.XX:40212 10.12.2.10:30333 SYN_SENT 15345/polkadot on (1.35/1/0)
tcp 0 1 XXX.XX.XX.XX:52010 139.162.154.213:30333 SYN_SENT 15345/polkadot on (1.48/1/0)
[...]
I have cut the log because it extends too much
SYN_SENT packages are not replied back with an ACK just because the firewall is blocking it.
As soon as you disable the firewall, connections get ESTABLISHED but your daemon logs keeps lying and tells you that you still have 3 peers.
The issue here is that anyone sniffing the traffic and just filtering SYN packages will know your IP.
Filtering output packages is just a dirty solution that mitigates the effects.
Please, to whom it may concern, do not hesitate to ask me more info if needed. I think this gossiping behavior could have strong security implications.
The text was updated successfully, but these errors were encountered: