DoS question

Reading some security-related topic on cardano node setup, I stumbled upon this: “DO NOT run the block producer and relay on the same host — as the relay is public facing and if it is hacked or under attack (DDOS), your block producer will also be offline, which means you will miss the chance to produce a block and it can affect your ranking & rewards later on.”

However, I don’t understand how that would be much different if the relay (or relays) on separate hosts were DoS’ed - since the rest of the nodes are communicating with the block producer through the relays, wouldn’t that result in exactly the same outcome (“you will miss the chance to produce a block and it can affect your ranking & rewards”)?

Hey @cardn

this is a good question. I’ll try to explain it briefly:

Starting conditions:

  • the blockchain network should be seen as a hostile environment
  • every node and block producer is crucial for the system integrity
  • the IP address of a relay is public (at least to the other nodes)
  • your block producer is the only computer that is writing blocks

The relay mechanism is a security measure.
Like in a VPN or even in the Tor network, you hide your critical system components behind other computers.
If your block producer is under attack, your stake pool could be shut down, miss blocks and get down-ranked. People could change their stake to other pools which are performing better, and so on.

The other thing is the overall security of the network:
If your stake pool/block producer is under attack, the system is getting a little bit more centralised (X pools - 1). This is part of the 51% attack: “You could buy and run more than 51% of the network power, or you kill every other computer.”

How big your security is depends on you. Some pools have many layers of relays, some only a few. For example:

  • the “bad” network
  • 3 public relays
  • 3 private relays + 2 fallback relays
  • 1 block producer + 1 fallback producer

Just keep in mind: the blockchain network itself is a hostile environment.

I hope this helps ^^

@Alexd1985 , sorry - didn’t quite get that. Could you elaborate?

@Jonny22 , I understand the principles rather well (and I generally don’t consider people on the network all being “nice and fluffy”), but as I said, I see no difference in the outcome if the relays are down. Let me simplify this - if your server is plugged via the network cable into an ethernet port, and there are no other means of communication with that server, then if someone pulls the cable it would not matter that your server is running, since you will not be able to send any commands.

While it is not exactly like this here and the BP box can still make outbound connections, it cannot receive them - because the relays are down. No inbound connections/commands - no way to produce new blocks, and technically you would be considered offline anyway. Am I missing something here?

Talking about private relays

Not sure I understand. For communicating with your node, other nodes need to know your relay IP. Even if you “pick and choose” your “friendly relays”, they cannot all be unknown to the rest of the system, otherwise you will be effectively isolated. Plus one of the “friendly” nodes may turn rogue and, since it knows the IPs of your relays, attack them.

Also, @Alexd1985 , I believe that the IP of your relay is not that hard to find (ends in .250). I would imagine you might have unlisted relays, but they would still need to be known to someone else …

Yes, if you think about the worst case, then you are right: there is no 100% security.
But it is possible to make it harder for the bad guys.


I think we need to talk about what we wanna secure.

To secure your block producer you can set up an “onion system” of private and public relays.
To secure the “bottleneck” of your relays there are 2 ways:

  • You can use multiple public relays on different providers: e.g. that IONOS, AWS etc. are down at the same time is unlikely.
  • You can set up relays that are not registered publicly but connect to other dedicated relays (I hope I’m right here that this is possible, pls correct me if I’m wrong)
  • And the hosting providers also provide security measures (firewall, geo-redundancy, CDN, anti-DDoS, Cloudflare, blacklists and so on)

To secure your relays against a hack, you can do so many things… hardware, software, settings etc.
To secure your own privacy, you could connect via VPN or Tor to your own servers.

If you are crazy enough you could also reroute your relays’ traffic through dynamic VPN services.

@Jonny22 , it seems we are talking about two different subjects. Just to clarify - I understand that isolation is better than piling all things together. I also understand that steps need to be taken to secure the servers. This is not the subject of the conversation though - the subject is very specific: “Whether there is a difference in the outcome in terms of availability / producing the blocks / being penalized if two different setups are DoS’ed: one with the relays hosted separately (and they are down) and another when the relay sits on the same physical box with BP (and the whole box is DoS’ed)”. I hope that makes it a bit more clear.

I’m also curious about that “private relays club” and how that actually works :slight_smile: My guess is that you just agree with some other nodes to put their relays into each other’s topology?
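As an added illustration (not code from any poster or from the Cardano project) of the “onion” layout discussed above: the block producer’s topology lists only its own relay, while the relay lists the block producer, a partner pool’s unregistered relay and the public network. It assumes the legacy cardano-node topology format with a `Producers` list; all IP addresses are constructed, and the partner link is assumed to run over a VPN.

```python
import json
import ipaddress

# Constructed sample addresses for this example (not from the thread).
BP_ADDR = "10.0.0.10"                 # block producer, private network only
OWN_RELAY = "10.0.0.20"               # our public relay's private interface
PARTNER_PRIVATE_RELAY = "10.8.0.5"    # partner's unregistered relay, over VPN
PUBLIC_PEER = "relays-new.cardano-mainnet.iohk.io"   # IOHK public relay


def producer(addr, port=3001, valency=1):
    """One entry in the legacy cardano-node topology 'Producers' list."""
    return {"addr": addr, "port": port, "valency": valency}


# Block producer: its only outbound peer is our own relay. It has no public
# address, so a DDoS against the relay IPs never reaches it directly.
bp_topology = {"Producers": [producer(OWN_RELAY)]}

# Relay: forwards to the block producer, to the partner pool's private relay
# (the "private relays club") and to the public network.
relay_topology = {"Producers": [
    producer(BP_ADDR),
    producer(PARTNER_PRIVATE_RELAY),
    producer(PUBLIC_PEER, valency=2),
]}


def is_private(addr):
    """True for RFC1918 addresses; hostnames count as public."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def check_onion(bp, relays):
    """Return layering violations; an empty list means the layout is sound."""
    problems = []
    for p in bp["Producers"]:
        if not is_private(p["addr"]):
            problems.append(f"BP peers with public address {p['addr']}")
    for r in relays:
        if not any(p["addr"] == BP_ADDR for p in r["Producers"]):
            problems.append("relay does not forward to the block producer")
    return problems


def write_topology(path, topology):
    """Write a topology document in the legacy JSON form cardano-node reads."""
    with open(path, "w") as fh:
        json.dump(topology, fh, indent=2)
```

`check_onion` is the invariant a relay-only-facing setup must keep: the BP never peers with a public address, and every relay knows the BP.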

Okay,

I’ll try to explain it this way; I tried my best, but I’m not so deep into the technical things.

Availability:

  • All on one machine: with one DDoS on a publicly known IP your whole rig is down
  • One relay: same as all on one machine
  • Few relays: if the attack doesn’t aim for all relays you are online (higher availability)
  • Big relay setup: even with a big attack you should stay online

Block producing:

  • All on one machine: with one DDoS your block-producing machine will be interrupted
  • One relay: you cannot propagate the minted block, but you have minted it - if the DDoS ends before the slot is ending, you got it, if not then you have missed it
  • Few relays: all fine
  • Big relay setup: all fine

Being penalized:

  • With a high rank you will get more attackers on you.
  • The online time will influence your rank.
  • The luck will influence your rank.
  • With high security you can convince others to delegate to you = higher saturation = higher rank

In the end you need to explain to the delegators why they should delegate to your pool:

  • What is making your pool better than others (security, rewards, support of non-profit-organizations)
  • Can I trust you and your skills?
  • Can I trust that your stake pool will sustain over the long term?

You chose the easy way… tell me the private relay IP not the one from adapools :))

That was a much better answer indeed :slight_smile: There are a few things though which are not quite clear:

  • “One Relay: you cannot propagate the minted block, but you have minted it - if the DDOS will end before the Slot is ending, you got it, if not then you have missed it” - I thought each slot lasts 1 second? That would be an interesting DoS lasting for 1 sec …

  • “the online-time will influence your rank” - and that would be calculated against what exactly? Say the BP has a short downtime, but the relay is still available - does that count as an outage and penalizes the “rank”? Or if you have 2 relays and one is down - would that count against the “rank”?