Merge pull request #1451 from karalabe/handle-potential-TD-forge-attack

eth/downloader: drop peer if advertised TD but won't delvier
This commit is contained in:
Jeffrey Wilcke 2015-07-09 07:23:50 -07:00
commit 4c62ce831b
2 changed files with 45 additions and 100 deletions

@ -804,6 +804,8 @@ func (d *Downloader) fetchHashes(p *peer, from uint64) error {
}
// Start pulling hashes, until all are exhausted
getHashes(from)
gotHashes := false
for {
select {
case <-d.cancelCh:
@ -825,8 +827,14 @@ func (d *Downloader) fetchHashes(p *peer, from uint64) error {
case d.processCh <- false:
case <-d.cancelCh:
}
// Error out if no hashes were retrieved at all
if !gotHashes {
return errStallingPeer
}
return nil
}
gotHashes = true
// Otherwise insert all the new hashes, aborting in case of junk
glog.V(logger.Detail).Infof("%v: inserting %d hashes from #%d", p, len(hashPack.hashes), from)

@ -272,7 +272,7 @@ func TestSynchronisation60(t *testing.T) {
// Tests that simple synchronization against a canonical chain works correctly.
// In this test common ancestor lookup should be short circuited and not require
// binary searching.
func TestCanonicalSynchronisation(t *testing.T) {
func TestCanonicalSynchronisation61(t *testing.T) {
// Create a small enough block chain to download
targetBlocks := blockCacheLimit - 15
hashes, blocks := makeChain(targetBlocks, 0, genesis)
@ -291,69 +291,16 @@ func TestCanonicalSynchronisation(t *testing.T) {
// Tests that if a large batch of blocks are being downloaded, it is throttled
// until the cached blocks are retrieved.
func TestThrottling60(t *testing.T) {
func TestThrottling60(t *testing.T) { testThrottling(t, eth60) }
func TestThrottling61(t *testing.T) { testThrottling(t, eth61) }
func testThrottling(t *testing.T, protocol int) {
// Create a long block chain to download and the tester
targetBlocks := 8 * blockCacheLimit
hashes, blocks := makeChain(targetBlocks, 0, genesis)
tester := newTester()
tester.newPeer("peer", eth60, hashes, blocks)
// Wrap the importer to allow stepping
done := make(chan int)
tester.downloader.insertChain = func(blocks types.Blocks) (int, error) {
n, err := tester.insertChain(blocks)
done <- n
return n, err
}
// Start a synchronisation concurrently
errc := make(chan error)
go func() {
errc <- tester.sync("peer")
}()
// Iteratively take some blocks, always checking the retrieval count
for len(tester.ownBlocks) < targetBlocks+1 {
// Wait a bit for sync to throttle itself
var cached int
for start := time.Now(); time.Since(start) < 3*time.Second; {
time.Sleep(25 * time.Millisecond)
cached = len(tester.downloader.queue.blockPool)
if cached == blockCacheLimit || len(tester.ownBlocks)+cached == targetBlocks+1 {
break
}
}
// Make sure we filled up the cache, then exhaust it
time.Sleep(25 * time.Millisecond) // give it a chance to screw up
if cached != blockCacheLimit && len(tester.ownBlocks)+cached < targetBlocks+1 {
t.Fatalf("block count mismatch: have %v, want %v", cached, blockCacheLimit)
}
<-done // finish previous blocking import
for cached > maxBlockProcess {
cached -= <-done
}
time.Sleep(25 * time.Millisecond) // yield to the insertion
}
<-done // finish the last blocking import
// Check that we haven't pulled more blocks than available
if len(tester.ownBlocks) > targetBlocks+1 {
t.Fatalf("target block count mismatch: have %v, want %v", len(tester.ownBlocks), targetBlocks+1)
}
if err := <-errc; err != nil {
t.Fatalf("block synchronization failed: %v", err)
}
}
// Tests that if a large batch of blocks are being downloaded, it is throttled
// until the cached blocks are retrieved.
func TestThrottling(t *testing.T) {
// Create a long block chain to download and the tester
targetBlocks := 8 * blockCacheLimit
hashes, blocks := makeChain(targetBlocks, 0, genesis)
tester := newTester()
tester.newPeer("peer", eth61, hashes, blocks)
tester.newPeer("peer", protocol, hashes, blocks)
// Wrap the importer to allow stepping
done := make(chan int)
@ -404,7 +351,7 @@ func TestThrottling(t *testing.T) {
// Tests that simple synchronization against a forked chain works correctly. In
// this test common ancestor lookup should *not* be short circuited, and a full
// binary search should be executed.
func TestForkedSynchronisation(t *testing.T) {
func TestForkedSynchronisation61(t *testing.T) {
// Create a long enough forked chain
common, fork := MaxHashFetch, 2*MaxHashFetch
hashesA, hashesB, blocksA, blocksB := makeChainFork(common+fork, fork, genesis)
@ -443,33 +390,10 @@ func TestInactiveDownloader(t *testing.T) {
}
// Tests that a canceled download wipes all previously accumulated state.
func TestCancel60(t *testing.T) {
// Create a small enough block chain to download and the tester
targetBlocks := blockCacheLimit - 15
hashes, blocks := makeChain(targetBlocks, 0, genesis)
func TestCancel60(t *testing.T) { testCancel(t, eth60) }
func TestCancel61(t *testing.T) { testCancel(t, eth61) }
tester := newTester()
tester.newPeer("peer", eth60, hashes, blocks)
// Make sure canceling works with a pristine downloader
tester.downloader.cancel()
hashCount, blockCount := tester.downloader.queue.Size()
if hashCount > 0 || blockCount > 0 {
t.Errorf("block or hash count mismatch: %d hashes, %d blocks, want 0", hashCount, blockCount)
}
// Synchronise with the peer, but cancel afterwards
if err := tester.sync("peer"); err != nil {
t.Fatalf("failed to synchronise blocks: %v", err)
}
tester.downloader.cancel()
hashCount, blockCount = tester.downloader.queue.Size()
if hashCount > 0 || blockCount > 0 {
t.Errorf("block or hash count mismatch: %d hashes, %d blocks, want 0", hashCount, blockCount)
}
}
// Tests that a canceled download wipes all previously accumulated state.
func TestCancel(t *testing.T) {
func testCancel(t *testing.T, protocol int) {
// Create a small enough block chain to download and the tester
targetBlocks := blockCacheLimit - 15
if targetBlocks >= MaxHashFetch {
@ -478,7 +402,7 @@ func TestCancel(t *testing.T) {
hashes, blocks := makeChain(targetBlocks, 0, genesis)
tester := newTester()
tester.newPeer("peer", eth61, hashes, blocks)
tester.newPeer("peer", protocol, hashes, blocks)
// Make sure canceling works with a pristine downloader
tester.downloader.cancel()
@ -498,7 +422,10 @@ func TestCancel(t *testing.T) {
}
// Tests that synchronisation from multiple peers works as intended (multi thread sanity test).
func TestMultiSynchronisation(t *testing.T) {
func TestMultiSynchronisation60(t *testing.T) { testMultiSynchronisation(t, eth60) }
func TestMultiSynchronisation61(t *testing.T) { testMultiSynchronisation(t, eth61) }
func testMultiSynchronisation(t *testing.T, protocol int) {
// Create various peers with various parts of the chain
targetPeers := 16
targetBlocks := targetPeers*blockCacheLimit - 15
@ -507,7 +434,7 @@ func TestMultiSynchronisation(t *testing.T) {
tester := newTester()
for i := 0; i < targetPeers; i++ {
id := fmt.Sprintf("peer #%d", i)
tester.newPeer(id, eth60, hashes[i*blockCacheLimit:], blocks)
tester.newPeer(id, protocol, hashes[i*blockCacheLimit:], blocks)
}
// Synchronise with the middle peer and make sure half of the blocks were retrieved
id := fmt.Sprintf("peer #%d", targetPeers/2)
@ -528,7 +455,7 @@ func TestMultiSynchronisation(t *testing.T) {
// Tests that synchronising with a peer who's very slow at network IO does not
// stall the other peers in the system.
func TestSlowSynchronisation(t *testing.T) {
func TestSlowSynchronisation60(t *testing.T) {
tester := newTester()
// Create a batch of blocks, with a slow and a full speed peer
@ -557,7 +484,7 @@ func TestSlowSynchronisation(t *testing.T) {
// Tests that if a peer returns an invalid chain with a block pointing to a non-
// existing parent, it is correctly detected and handled.
func TestNonExistingParentAttack(t *testing.T) {
func TestNonExistingParentAttack60(t *testing.T) {
tester := newTester()
// Forge a single-link chain with a forged header
@ -587,7 +514,7 @@ func TestNonExistingParentAttack(t *testing.T) {
// Tests that if a malicious peers keeps sending us repeating hashes, we don't
// loop indefinitely.
func TestRepeatingHashAttack(t *testing.T) { // TODO: Is this thing valid??
func TestRepeatingHashAttack60(t *testing.T) { // TODO: Is this thing valid??
tester := newTester()
// Create a valid chain, but drop the last link
@ -617,7 +544,7 @@ func TestRepeatingHashAttack(t *testing.T) { // TODO: Is this thing valid??
// Tests that if a malicious peers returns a non-existent block hash, it should
// eventually time out and the sync reattempted.
func TestNonExistingBlockAttack(t *testing.T) {
func TestNonExistingBlockAttack60(t *testing.T) {
tester := newTester()
// Create a valid chain, but forge the last link
@ -639,7 +566,7 @@ func TestNonExistingBlockAttack(t *testing.T) {
// Tests that if a malicious peer is returning hashes in a weird order, that the
// sync throttler doesn't choke on them waiting for the valid blocks.
func TestInvalidHashOrderAttack(t *testing.T) {
func TestInvalidHashOrderAttack60(t *testing.T) {
tester := newTester()
// Create a valid long chain, but reverse some hashes within
@ -667,7 +594,7 @@ func TestInvalidHashOrderAttack(t *testing.T) {
// Tests that if a malicious peer makes up a random hash chain and tries to push
// indefinitely, it actually gets caught with it.
func TestMadeupHashChainAttack(t *testing.T) {
func TestMadeupHashChainAttack60(t *testing.T) {
tester := newTester()
blockSoftTTL = 100 * time.Millisecond
crossCheckCycle = 25 * time.Millisecond
@ -697,7 +624,7 @@ func TestMadeupHashChainAttack(t *testing.T) {
// indefinitely, one hash at a time, it actually gets caught with it. The reason
// this is separate from the classical made up chain attack is that sending hashes
// one by one prevents reliable block/parent verification.
func TestMadeupHashChainDrippingAttack(t *testing.T) {
func TestMadeupHashChainDrippingAttack60(t *testing.T) {
// Create a random chain of hashes to drip
randomHashes := make([]common.Hash, 16*blockCacheLimit)
for i := range randomHashes {
@ -716,7 +643,7 @@ func TestMadeupHashChainDrippingAttack(t *testing.T) {
// Tests that if a malicious peer makes up a random block chain, and tried to
// push indefinitely, it actually gets caught with it.
func TestMadeupBlockChainAttack(t *testing.T) {
func TestMadeupBlockChainAttack60(t *testing.T) {
defaultBlockTTL := blockSoftTTL
defaultCrossCheckCycle := crossCheckCycle
@ -748,7 +675,7 @@ func TestMadeupBlockChainAttack(t *testing.T) {
// Tests that if one/multiple malicious peers try to feed a banned blockchain to
// the downloader, it will not keep refetching the same chain indefinitely, but
// gradually block pieces of it, until its head is also blocked.
func TestBannedChainStarvationAttack(t *testing.T) {
func TestBannedChainStarvationAttack60(t *testing.T) {
n := 8 * blockCacheLimit
fork := n/2 - 23
hashes, forkHashes, blocks, forkBlocks := makeChainFork(n, fork, genesis)
@ -792,7 +719,7 @@ func TestBannedChainStarvationAttack(t *testing.T) {
// Tests that if a peer sends excessively many/large invalid chains that are
// gradually banned, it will have an upper limit on the consumed memory and also
// the origin bad hashes will not be evacuated.
func TestBannedChainMemoryExhaustionAttack(t *testing.T) {
func TestBannedChainMemoryExhaustionAttack60(t *testing.T) {
// Construct a banned chain with more chunks than the ban limit
n := 8 * blockCacheLimit
fork := n/2 - 23
@ -848,7 +775,7 @@ func TestBannedChainMemoryExhaustionAttack(t *testing.T) {
// internal state problems
//
// No, don't delete this test, it actually did happen!
func TestOverlappingDeliveryAttack(t *testing.T) {
func TestOverlappingDeliveryAttack60(t *testing.T) {
// Create an arbitrary batch of blocks ( < cache-size not to block)
targetBlocks := blockCacheLimit - 23
hashes, blocks := makeChain(targetBlocks, 0, genesis)
@ -875,6 +802,16 @@ func TestOverlappingDeliveryAttack(t *testing.T) {
}
}
// Tests that a peer advertising an high TD doesn't get to stall the downloader
// afterwards by not sending any useful hashes.
func TestHighTDStarvationAttack61(t *testing.T) {
tester := newTester()
tester.newPeer("attack", eth61, []common.Hash{genesis.Hash()}, nil)
if err := tester.sync("attack"); err != errStallingPeer {
t.Fatalf("synchronisation error mismatch: have %v, want %v", err, errStallingPeer)
}
}
// Tests that misbehaving peers are disconnected, whilst behaving ones are not.
func TestHashAttackerDropping(t *testing.T) {
// Define the disconnection requirement for individual hash fetch errors