i2pd specific attack?

[diva-exchange]

Running i2pd v2.47.0 in a docker container, this one:

https://hub.docker.com/layers/divax/i2p/current/images/sha256-eb5561394b32b799768293432e752c5de46d23efaed19cccbb025529471a6b8b?context=explore

Results in:

Any feedback on this? Can diva.exchange help somehow to analyse the situation?

[Vort]

Any feedback on this?

Network is under attack right now.

Can diva.exchange help somehow to analyse the situation?

I think developers have enough information about this attack.
What users can do is to wait until developers create fixes for i2pd (most likely, for several days).

[twofaktor]

Bitcoin network was affected too!

[diva-exchange]

Note: i2pd v2.42.1 is not affected by the attack. One of the diva.exchange test networks is running on version v2.42.1 and it is doing fine.

[Vort]

Can you try to test 7c53515 with disabled SSU2?
Not that I have much hopes about it, but why not.

[VictorBurtsev]

Can you try to test 7c53515 with disabled SSU2? Not that I have much hopes about it, but why not.

Hi, i`am tested it on i2pd:latest docker image with ssu2.enable=false

[diva-exchange]

Hi, i`am tested it on i2pd:latest docker image with ssu2.enable=false

Tx! But: which docker image is it (link to hub.docker.com, if possible, please)? Are you sure that 7c53515 is compiled in this image?

[VictorBurtsev]

Hi, i`am tested it on i2pd:latest docker image with ssu2.enable=false

Tx! But: which docker image is it (link to hub.docker.com, if possible, please)? Are you sure that 7c53515 is compiled in this image?

Hi, tested on this image

[diva-exchange]

Hi, tested on this image

Thanks a lot! From Timestamp-perspective, seems like the latest commit is included in this image. We'll do some compiles on older versions (which are tagged) within the next hours/days to get a better understanding which older versions work (like v.2.45...).

[SidorKozlov]

Can you try to test 7c53515 with disabled SSU2? Not that I have much hopes about it, but why not.

[SidorKozlov]

Note: i2pd v2.42.1 is not affected by the attack. One of the diva.exchange test networks is running on version v2.42.1 and it is doing fine.

I can confirm 2.42.1 (SSU2 enabled again) works well even under high load (many SAM sessions).

[Vort]

Marker of successful attack is large amount of Floodfills in web console (> 2000).
Until this indicator goes away, problem cannot be said to be solved.

[schildbach]

My i2pd quit within the last 24h with error code 137 (out of memory), with this error message:

i2pd_1              | 15:11:10@352/error - SAM: Handshake read error: End of file

Is this a symptom of the attack?

[SidorKozlov]

My i2pd quit within the last 24h with error code 137 (out of memory), with this error message:

i2pd_1              | 15:11:10@352/error - SAM: Handshake read error: End of file

Is this a symptom of the attack?

It is.

[Vort]

I saw 700 MB of RAM usage for my node because of attack.

[SidorKozlov]

Mine went well over 100k routers and floodfills on an 128GB machine, didn't check usage but killed it, because there was no point.

[SidorKozlov]

Marker of successful attack is large amount of Floodfills in web console (> 2000). Until this indicator goes away, problem cannot be said to be solved.

I'm with you, it's not over @Vort

But I think it's worth to point out, that 2.42.1 resets router & floodfill count much more often, the numbers grow much more slowly with a considerably lower ratio of floodfills (before 4/5, now 1/3).

Overall it is able to maintain my tunnels and allows me to be operational, while the newest versions (including the latest commit) die down very quickly.

EDIT: The router count stays consistently 13k while the floodfill count stays around 2k, mostly under.

[ghost]

Extending the length of the exploration tunnel and reducing the mass to 6 hop 1 tunnel also seems to mitigate the attack
But to be honest the best way is to add the java version of sybil analysis and block list function

[LLE8]

Debian 11.6 x86_64
RAM 1024 MB without swap

i2pd version 2.47.0-36-g4ebc7c97 (0.9.58)
Boost version 1.74.0
OpenSSL 1.1.1n 15 Mar 2022
Uptime 17 d

i2pd.conf

nettime.frompeers = false
nat = false
bandwidth = X
notransit = false
floodfill = true
transittunnels = 16000

kern.log

Apr 30 18:39:44 vds111111 kernel: [4829385.045153] NetDB invoked oom-killer: gfp_mask=0x100cca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=0
 ****
Apr 30 18:39:44 vds111111 kernel: [4829385.045811] Tasks state (memory values in pages):
Apr 30 18:39:44 vds111111 kernel: [4829385.045812] [  pid  ]   uid  tgid total_vm      rss pgtables_bytes swapents oom_score_adj name
 ****
Apr 30 18:39:44 vds111111 kernel: [4829385.045834] [ 392881]   107 392881   368177   184528  1658880        0             0 i2pd
 ****
Apr 30 18:39:44 vds111111 kernel: [4829385.045924] Out of memory: Killed process 392881 (i2pd) total-vm:1472708kB, anon-rss:738112kB, file-rss:0kB, shmem-rss:0kB, UID:107 pgtables:1620kB oom_score_adj:0

[SidorKozlov]

Debian 11.6 x86_64 RAM 1024 MB without swap

i2pd version 2.47.0-36-g4ebc7c97 (0.9.58) Boost version 1.74.0 OpenSSL 1.1.1n 15 Mar 2022

i2pd.conf

nettime.frompeers = false
nat = false
bandwidth = X
notransit = false
floodfill = true
transittunnels = 16000

kern.log

Apr 30 18:39:44 vds111111 kernel: [4829385.045811] Tasks state (memory values in pages):
Apr 30 18:39:44 vds111111 kernel: [4829385.045812] [  pid  ]   uid  tgid total_vm      rss pgtables_bytes swapents oom_score_adj name
 ****
Apr 30 18:39:44 vds111111 kernel: [4829385.045834] [ 392881]   107 392881   368177   184528  1658880        0             0 i2pd
 ****
Apr 30 18:39:44 vds111111 kernel: [4829385.045924] Out of memory: Killed process 392881 (i2pd) total-vm:1472708kB, anon-rss:738112kB, file-rss:0kB, shmem-rss:0kB, UID:107 pgtables:1620kB oom_score_adj:0

This is expected considering the current situation.

[LLE8]

Less then 170 MB a few hours before

[SidorKozlov]

Less then 170 MB a few hours before

Same here, my SAM app went from tons of peers to zero within minutes.

[SidorKozlov]

Extending the length of the exploration tunnel and reducing the mass to 6 hop 1 tunnel also seems to mitigate the attack But to be honest the best way is to add the java version of sybil analysis and block list function

is the blocklist generated and held individually or is it shared?

EDIT: On first glance, seems to be simply hardcoded: https://github.com/i2p/i2p.i2p/blob/master/installer/resources/blocklist.txt

[Vort]

For blocking to work correctly, attack origin needs to be uncovered first.
No one was able to do this yet as far as I know.
Of course, it is possible to block all proxies, all Tor nodes, but it's a dirty solution.

[SidorKozlov]

Of course, it is possible to block all proxies, all Tor nodes, but it's a dirty solution.

Please not haha

I'm just brainstorming but I could imagine voting power measured by uptime being used as social proof when exchanging attack information, so that it's harder to be abused.

Or is it the attack identification on every router individually? Because @TpNYxtt11ox5TgZ mentioned that Java I2P would already have working analysis and Redditors report that everything is fine on Java I2P.

[jonatack]

Bitcoin network was affected too!

@twofaktor I have been seeing the same with i2pd 2.47.0 for the past couple days.

[twofaktor]

Bitcoin network was affected too!

@twofaktor I have been seeing the same with i2pd 2.47.0 for the past couple days.

Yes, I'm running the latest 2.47.0 too. Yesterday I noticed this altercation and last night it seems that it was solved in some of my nodes, in others the error continues to appear, and it seems that this problem has not yet been completely solved 😢

[SidorKozlov]

@jonatack @twofaktor is it possible for you to try version 2.42.1 in the meantime?

[jonatack]

@SidorKozlov I had some initial issues with building 2.42.1 and temporarily re-established connections over the I2P network for my bitcoin nodes by switching to the Java router. Will try again to test 2.42.1 (and any new i2pd release asap).

[VictorBurtsev]

I am try version 2.42.1
git clone https://github.com/PurpleI2P/i2pd.git
cd i2pd/contrib/docker/
docker build --build-arg GIT_TAG=2.42.1 -t vlburtsev/i2pd:release-2.42.1 .
docker push vlburtsev/i2pd:release-2.42.1

CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
3eceec83f220 i2pd-1 21.63% 99.74MiB / 256MiB 38.96% 4.09GB / 5GB 100MB / 1.28GB 15

[schildbach]

Without me having changed i2pd version, I2P connections have recently begun to slowly recover.

[Vort]

Looks like attack is stopped for now.

[twofaktor]

Parece que el ataque está detenido por ahora.

Yeah, I saw that all come back to normal