[bisq-network/proposals] Using PoW for the P2P network messages as dos protection (#268)

chimp1984 notifications at github.com
Tue Oct 20 03:47:09 UTC 2020


> _This is a Bisq Network proposal. Please familiarize yourself with the [submission and review process](https://docs.bisq.network/proposals.html)._


Our P2P network is vulnerable to DoS attacks like all permissionless, open networks. We have some basic protection in place but I doubt it would help much in case the network gets attacked.

One potential solution might be a proof of work scheme. Another would be to use some sort of anonymous credentials.

The idea has been around for longer, but I just stumbled over a discussion on the Tor mailing list [[1](https://lists.torproject.org/pipermail/tor-dev/2020-April/014215.html)] about using proof of work for DoS protection [[2](https://github.com/tevador/torspec/blob/2424e7d16772a1b13d1f9288c5b7fd0656363836/proposals/ideas/xxx-pow-over-intro-v1)], so I got motivated to re-think that approach.

## High level idea
Every node signals the level of load it has, and this is an indicator for the required proof of work other nodes need to fulfill if they send a message to that node. The difficulty is a function of the message type and the node's network load. In normal operation the difficulty would be so low that there is no performance degradation. Only in attack scenarios, once a node gets under heavy load, will it become more expensive to send messages to that node, which increases the costs for the attacker. The motivated user can still access the attacked node but it will require more time and resources than usual.

The hash function should be chosen so that it is GPU and ASIC resistant (at least hard to optimize for). It should not use any hash function used in popular blockchains and it should be memory-hard.

There is still the open question of how to do the first contact to find out the peer's network load indicator. We could allow a very lightweight message to be used for that, which is either exempt from PoW or has a default level of PoW which is cheap enough for normal users to not cause performance degradation but which would add up if an attacker wants to use that on a larger scale. Persisting node addresses of past connections and using that for the decision whether a new connection without PoW is accepted or not might be another option.

Another open issue is how to ensure PoW is not re-used. A challenge-response pattern can be used as we have a request-response model or continuous handshakes. The first message can be used to deliver a nonce which needs to be part of the PoW solution.

## Additional protection
The discussion at [2] concludes that the PoW protection will only work against script kiddie and medium-size botnet attacks (cost about 400 USD) but not against large botnet attacks (cost about 34k USD). It also causes problems for users on low-end hardware like mobile phones. We should keep the mobile user in mind even though we do not have a mobile trading app yet.
To mitigate the large botnet attack scenario as well as to offer low-end hardware users an option, the paper [2] discusses models for anonymous credentials. I have not looked further into those models but I think we should consider that as well. Bisq might already have some sort of tokens (account age, BSQ) which maybe could be used in that context.
 

[1] https://lists.torproject.org/pipermail/tor-dev/2020-April/014215.html
[2] https://github.com/tevador/torspec/blob/2424e7d16772a1b13d1f9288c5b7fd0656363836/proposals/ideas/xxx-pow-over-intro-v1

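The challenge-response scheme sketched in the proposal, as an added example that is not part of the original post and not Bisq code. The `Node` class, the `BASE_BITS` table, `MAX_EXTRA_BITS` and the scrypt parameters are assumptions made for illustration; scrypt stands in for whichever memory-hard function would actually be chosen.

```python
import hashlib
import os

# Assumed base difficulty (leading zero bits) per message type; hypothetical values.
BASE_BITS = {"ping": 0, "get_data": 2, "add_offer": 4}
MAX_EXTRA_BITS = 6  # assumed number of bits added when the node is fully loaded


def required_bits(msg_type: str, load: float) -> int:
    """Difficulty as a function of message type and the node's load (0.0..1.0)."""
    load = min(max(load, 0.0), 1.0)
    return BASE_BITS[msg_type] + round(load * MAX_EXTRA_BITS)


def pow_hash(challenge: bytes, payload: bytes, counter: int) -> int:
    # scrypt is memory-hard; n/r/p are small demo parameters, not tuned values.
    salt = challenge + counter.to_bytes(8, "big")
    digest = hashlib.scrypt(payload, salt=salt, n=1024, r=8, p=1, dklen=32)
    return int.from_bytes(digest, "big")


def meets(value: int, bits: int) -> bool:
    """True if the 256-bit value has at least `bits` leading zero bits."""
    return value >> (256 - bits) == 0


def solve(challenge: bytes, payload: bytes, bits: int) -> int:
    """Sender side: search for a counter that satisfies the demanded difficulty."""
    counter = 0
    while not meets(pow_hash(challenge, payload, counter), bits):
        counter += 1
    return counter


class Node:
    def __init__(self):
        self.load = 0.0    # load indicator the node would signal to its peers
        self.pending = {}  # outstanding challenge nonce -> bits demanded

    def challenge(self, msg_type: str):
        """First message of the handshake: fresh nonce plus current difficulty."""
        nonce, bits = os.urandom(16), required_bits(msg_type, self.load)
        self.pending[nonce] = bits
        return nonce, bits

    def accept(self, nonce: bytes, payload: bytes, counter: int) -> bool:
        bits = self.pending.pop(nonce, None)  # single use: a replay finds no entry
        return bits is not None and meets(pow_hash(nonce, payload, counter), bits)
```

Because the nonce is removed from `pending` on the first attempt, a solution cannot be replayed, and because the payload is part of the hash input, work done for one message does not carry over to another.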