This repository has been archived by the owner on May 9, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
Securing GNUnet MQTT against topic flooding
Valentin edited this page Jun 20, 2014
·
3 revisions
⚠️ WARNING⚠️ The information presented here might be obsolete!
In the current REGEXP based implementation, a peer has to send n
messages if we wants to publish on a topic with n
subscribers.
- It will be hard to compromise a topic with millions of subscribers because a lot of bandwith will be required
- Load on the network is little because only subscribed peers will be addressed directly. Other peers that also run the GNUnet-MQTT service but do not subscribe to the topic will not be bothered
- It is hard for a single client to reach a large number of people
- Topics with few subscribers can be easily spammed
- Faster uplink and stronger machines will make this attack more severe in the future
- It is unclear how much power/bandwith is required to do some real damage on a popular topic
Idea: Make it hard to find the topic that people are communicating. For some cases like a shared message exchange for a group of coworkers one could try to generate a Topic name which is hard to guess (e.g. sufficiently large random sequence of characters) and use this as a "pre-shared" key so that only authorized peers know the topic.
- No complex message flow
- This is not a real message control but should also do the job.
Here the idea is the following: Publishing to a subscriber is only possible if the publisher is in possession of a token issued by the subscriber. Otherwise the subscriber will deny the reception.
- A peer uses the REGEXP to get a list of subscribers
- If he wants to send a messages to a subscriber he checks his current cache if he has a session token for that subscriber
- If he has, he sends the message to subscriber and is done
- If he does not have a session token he sends a "Token Request" to the subscriber
- The subscriber can now according to his policy either send him a token directly (e.g. for known, trusted peers) or request a proof of work from the publisher 1. Whitelist only 1. Do the proof of work if I don't know you 1. I accept anyone on this topic
- Once the publisher has received the request he can either do the work or skip the transmission to that subscriber
- If he decides to do the proof of work he obtains the token and can send messages to the subscriber for as long as the token is valid
- If there is something like a firewall that allows to deny reception of messages from untrusted peers in the network this method can save a lot of network bandwith
- It could also work for topics with many subscribers (e.g. the New York Times wants to send some news to millions of people)
- Proof of work could be infeasible for constrained device like sensors. Unfortunately sensors are one of the main applications of M2M
- Is there such a "firewall" in GNUnet?