Comments (5)
You will find that most BEPs are specified in a fairly lax manner and do not spell out all the possible sanity-checking / quality of implementation things (see my doc on DHT sanitizing) that one should do in reality. Neither do they spell out algorithmic approaches commonly used for certain problems (e.g. see #22).
I think the assumption is that the reader is a systems engineer familiar with the pitfalls of writing network protocols.
For this particular issue my implementation is using the following to derive a token:
hash(secret, timestamp, remote_socket, remote_id, target_id)
But this particular approach is not necessary. If the implementation has some sort of bounded storage policy, e.g. only allowing one value per source IP address to be stored, then such flooding attacks will also be ineffective. But the storage policy is implementation-defined and only tangentially related to the token (other BEPs allow you to omit the token when storage is exhausted).
What I'm trying to say is that your concern is valid, but I don't think the BEP should mandate solutions, just mention the issue.
And this is just one among many. Listing them all would probably require a separate document, or at least a long list of terse bullet points.
from bittorrent.org.
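As an added illustration of the derivation sketched in the comment above (example code, not the commenter's implementation), the following issues and checks announce tokens bound to the querying socket, its node id and the target infohash. It assumes the "timestamp" input is a five-minute epoch counter, so a token is honoured for the current and the previous epoch, which matches the ten-minute acceptance window BEP 5 describes; the secret is a per-node value regenerated at startup.

```python
import hashlib
import hmac
import time

# Assumption for this example: the "timestamp" in the token derivation is a
# five-minute epoch counter, so tokens from the current and previous epoch are
# accepted (BEP 5's ten-minute window) and anything older is rejected.
TOKEN_EPOCH_SECONDS = 300


class TokenIssuer:
    """Issues and verifies announce_peer tokens bound to the querying node."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret    # per-node secret; generate fresh on each start
        self._now = now          # injectable clock so the window can be tested

    def _epoch(self) -> int:
        return int(self._now() // TOKEN_EPOCH_SECONDS)

    def _derive(self, epoch: int, addr, node_id: bytes, info_hash: bytes) -> bytes:
        # hash(secret, timestamp, remote_socket, remote_id, target_id) realised as
        # an HMAC: the secret is the key, the other inputs form the message.
        # Length-prefixing each field prevents two different inputs from
        # concatenating to the same byte string.
        fields = [str(epoch).encode(), addr[0].encode(), str(addr[1]).encode(),
                  node_id, info_hash]
        msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
        return hmac.new(self._secret, msg, hashlib.sha1).digest()[:8]

    def issue(self, addr, node_id: bytes, info_hash: bytes) -> bytes:
        """Token to return in a get_peers response for (addr, node_id, info_hash)."""
        return self._derive(self._epoch(), addr, node_id, info_hash)

    def verify(self, token: bytes, addr, node_id: bytes, info_hash: bytes) -> bool:
        """Accept a token minted in the current or the previous epoch only.

        Any change to the source socket, the node id or the infohash yields a
        different token, so a token cannot be replayed for another target."""
        epoch = self._epoch()
        return any(
            hmac.compare_digest(token, self._derive(e, addr, node_id, info_hash))
            for e in (epoch, epoch - 1)
        )
```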
Oh, and at least for put/get queries BEP44 allows a stricter policy.
http://bittorrent.org/beps/bep_0044.html#messages
Neither do they spell out algorithmic approaches commonly used for certain problems
Then why mention the BitTorrent implementation?
The main problem here is that BEP 05 says:
For a node to announce that its controlling peer is downloading a torrent, it must present the token received from the same queried node in a recent query for peers
[ ... ]
The queried node must verify that the token was previously sent to the same IP address as the querying node
So one can assume that the returned token can be stored and reused for announcing with a different hash_id, which will not be possible with an implementation that also ties the token to the hash_id.
While I understand that the BEP's purpose is not to mandate some specific implementation, it should prevent such incompatibilities.
In practice this is unlikely to be a problem because you won't end up announcing two distinct infohashes to the same node.
Mixing the infohash into the token alone would not prevent flooding. It would only make it slightly more expensive by requiring a separate get_peers for each announce_peer. The storage policy is where protection against flooding is done. As @the8472 points out, that is an implementation detail which would not be appropriate to specify in BEP 5.
It would be nice if we had more informational BEPs to document best practices for things like this, but the people qualified to write them are few and their time is limited.
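The storage-side protection the two comments refer to (one stored value per source IP, as the first comment suggests) is shown below as an added example that is not code from any of the commenters. It assumes a later announce from the same IP replaces the earlier one and that entries expire after a fixed age; the flood helper shows that announcing many distinct infohashes from one address still occupies a single slot, which is why the infohash binding in the token is not where flood resistance comes from.

```python
import time


class PeerStore:
    """Announce storage with a bounded policy: one stored value per source IP.

    Assumptions for this example: a second announce from the same IP replaces
    the earlier value rather than being refused, and entries expire after
    max_age seconds. The token is assumed to have been verified by the caller.
    """

    def __init__(self, max_entries: int = 10_000, max_age: float = 1800.0, now=time.time):
        self._by_ip = {}                 # source_ip -> (info_hash, port, stored_at)
        self._max_entries = max_entries
        self._max_age = max_age
        self._now = now

    def announce(self, source_ip: str, info_hash: bytes, port: int) -> bool:
        """Record an announce_peer; returns False only if the table is full."""
        self._expire()
        if source_ip not in self._by_ip and len(self._by_ip) >= self._max_entries:
            return False
        # The address stored is the sender's own IP, as BEP 5 requires, so a
        # sender can never occupy more than its single slot however many
        # infohashes it announces.
        self._by_ip[source_ip] = (info_hash, port, self._now())
        return True

    def peers_for(self, info_hash: bytes):
        """Peers to return from get_peers for this infohash, stale entries dropped."""
        self._expire()
        return sorted((ip, port) for ip, (ih, port, _) in self._by_ip.items()
                      if ih == info_hash)

    def size(self) -> int:
        return len(self._by_ip)

    def _expire(self) -> None:
        cutoff = self._now() - self._max_age
        for ip in [ip for ip, (_, _, t) in self._by_ip.items() if t < cutoff]:
            del self._by_ip[ip]


def flood(store: PeerStore, source_ip: str, count: int) -> int:
    """Announce `count` distinct infohashes from one IP; return entries held."""
    for i in range(count):
        store.announce(source_ip, i.to_bytes(20, "big"), 6881)
    return store.size()
```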