Skip to content
This repository has been archived by the owner on Nov 15, 2023. It is now read-only.

Punish peers for duplicate GRANDPA neighbor messages #12462

Merged

Conversation

dmitry-markin
Copy link
Contributor

@dmitry-markin dmitry-markin commented Oct 10, 2022

Resolves #12191.

The code already contains logic that doesn't allow sending GRANDPA neighbor messages with the same or decreasing set ID / round within a set / finalized number. This PR only enforces this upon reception and reports misbehaving peers.

Follow-up issue for a generalized case: #12463.

@dmitry-markin dmitry-markin added A0-please_review Pull request needs code review. B0-silent Changes should not be mentioned in any release notes C1-low PR touches the given topic and has a low impact on builders. D3-trivial 🧸 PR contains trivial changes in a runtime directory that do not require an audit labels Oct 10, 2022
@bkchr
Copy link
Member

bkchr commented Oct 11, 2022

@dmitry-markin please merge master to make CI happy ;)

And also please wait for @andresilva approval.

Comment on lines 1817 to 1820
// allow duplicate neighbor packets if enough time has passed
peers.inner.get_mut(&id).unwrap().view.last_update =
Some(Instant::now() - NEIGHBOR_REBROADCAST_AFTER);
check_update(&mut peers, update4);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like this test:

  1. It modifies internal structure that can change, and the test must be updated in this case.
  2. It rolls clock backwards: on systems with unsigned time representation and 0 time corresponding to the system boot, if the test is run less than two minutes after boot, it'll fail.

The alternative I see is modifying Peers::update_peer_state() to accept time instant as an argument, but this will require measuring time on the calling side. This seems to be even worse.

Do you see any better options?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think to solve this cleanly we'd have to mock the time source but it seems overkill just for this test case. To address 2) we could take neighbor_rebroadcast_period as a constructor argument to Peers (and I guess NeighborPacketWorker as well), and then we could use a shorter interval in the test.

Comment on lines 1817 to 1820
// allow duplicate neighbor packets if enough time has passed
peers.inner.get_mut(&id).unwrap().view.last_update =
Some(Instant::now() - NEIGHBOR_REBROADCAST_AFTER);
check_update(&mut peers, update4);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think to solve this cleanly we'd have to mock the time source but it seems overkill just for this test case. To address 2) we could take neighbor_rebroadcast_period as a constructor argument to Peers (and I guess NeighborPacketWorker as well), and then we could use a shorter interval in the test.

@dmitry-markin
Copy link
Contributor Author

bot merge

@paritytech-processbot paritytech-processbot bot merged commit 94941a8 into master Oct 13, 2022
@paritytech-processbot paritytech-processbot bot deleted the dm-punish-for-duplicate-grandpa-neighbor-messages branch October 13, 2022 09:24
ark0f pushed a commit to gear-tech/substrate that referenced this pull request Feb 27, 2023
* Decrease peer reputation for duplicate GRANDPA neighbor messages.

* Fix comparison

* Fix update_peer_state() validity condition

* Add negative test

* Rework update_peer_state() validity condition, add tests

* update_peer_state() validity condition: invert comparison

* Split InvalidViewChange and DuplicateNeighborMessage misbehaviors

* Enforce rate-limiting of duplicate GRANDPA neighbor packets

* Update client/finality-grandpa/src/communication/gossip.rs

Co-authored-by: André Silva <[email protected]>

* Make rolling clock back in a test safer

Co-authored-by: André Silva <[email protected]>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
A0-please_review Pull request needs code review. B0-silent Changes should not be mentioned in any release notes C1-low PR touches the given topic and has a low impact on builders. D3-trivial 🧸 PR contains trivial changes in a runtime directory that do not require an audit
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Spamming Grandpa: Neighbor message increases reputation
4 participants