This is a work in progress.

Peer-to-Peer network node(s) need(s) to be robust enough to protect from DDoS attacks, malformed packets, brute-force attacks, and any unwanted or unauthorized access.

The network should have triggers that allow for back-off time periods or lock-out. You can incorporate ideas from https://suricata-ids.org/ and https://www.snort.org/ into detection (IDS/IPS/IMS).
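A sketch of such a trigger, as an added example (not RChain code): a per-peer strike counter that locks a peer out for an exponentially growing period once it sends too many bad packets inside a time window. The class and function names and the thresholds are assumptions, and the caller decides what counts as a bad packet (malformed, unsigned, and so on).

```python
from dataclasses import dataclass

@dataclass
class PeerState:
    strikes: int = 0           # violations seen in the current window
    window_start: float = 0.0
    lockouts: int = 0          # completed lock-outs, drives the back-off
    locked_until: float = 0.0

class LockoutTracker:
    """Per-peer strike counter with exponentially growing lock-out periods."""

    def __init__(self, max_strikes=3, window=10.0, base_lockout=30.0, max_lockout=3600.0):
        self.max_strikes, self.window = max_strikes, window
        self.base_lockout, self.max_lockout = base_lockout, max_lockout
        self.peers = {}

    def is_locked(self, peer, now):
        st = self.peers.get(peer)
        return st is not None and now < st.locked_until

    def record_violation(self, peer, now):
        """Count one bad packet; return the lock-out applied in seconds (0 if none)."""
        st = self.peers.setdefault(peer, PeerState(window_start=now))
        if now - st.window_start > self.window:   # old strikes expire
            st.strikes, st.window_start = 0, now
        st.strikes += 1
        if st.strikes < self.max_strikes:
            return 0.0
        duration = min(self.base_lockout * 2 ** st.lockouts, self.max_lockout)
        st.lockouts += 1
        st.strikes, st.window_start = 0, now
        st.locked_until = now + duration
        return duration

def decide(tracker, events):
    """events: (timestamp, peer, packet_ok) tuples -> list of decisions."""
    out = []
    for ts, peer, ok in events:
        if tracker.is_locked(peer, ts):
            out.append("drop")            # locked out: discard before any parsing
        elif ok:
            out.append("accept")
        else:
            out.append("lockout" if tracker.record_violation(peer, ts) else "reject")
    return out

# Constructed sample traffic (documentation-range addresses, not real peers).
EVENTS = [(0, "192.0.2.10", False), (1, "192.0.2.10", False), (2, "192.0.2.10", False),
          (3, "192.0.2.20", True), (5, "192.0.2.10", True), (33, "192.0.2.10", True)]

if __name__ == "__main__":
    print(decide(LockoutTracker(), EVENTS))
```

The "drop" decision is the point where a host firewall rule could take over, so that a locked-out peer is stopped at the network layer instead of in the node process.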

Tests should run some sort of vulnerability assessment scan on the host, especially on exposed network sockets. Vulnerability assessment scanning tools like http://www.openvas.org/, https://www.metasploit.com/, Nessus or https://www.kali.org/ have a good use case.

Custom security scripts for RChain could easily be written.

A load generator that can crank up traffic through RChain components and functions should be written. This could test the network as well as component thresholds for functionality. You always want to find breaking points in something when it is not in production and then set mitigation controls.

The sooner you stop information in the OSI model (https://en.wikipedia.org/wiki/OSI_model) from a "bad actor" the better. It would be good to "lock out" bad actors at the network layer. You could use a firewall on the system to do this. Something to be considered.


Just testing the network throughput of a node.

Tools like iperf https://sourceforge.net/projects/iperf/ can test pure network throughput at different sized packets. We could use this or incorporate our own to test pure flow and reliability of network packets. You don't want dirty communications and dropped packets to be part of the store.

There are Java implementations of this tool: https://github.com/ashishvshenoy/iperf-java


There is a lot of load testing software out there. Here are some examples. I think these are all on Kali Linux. Probably a whole lot more. 

https://github.com/httperf/httperf

https://software.microfocus.com/en-us/products/loadrunner-load-testing/overview

It's probably easier to write your own load generators using BASH, curl and nmap.


More on Packet Crafting

Write your own code or use ...

You can use Python Scapy http://www.secdev.org/projects/scapy/ for packet mangling or crafting.

Netcat is nice as well. This has been used for ages by hackers.

http://help.ubidots.com/developer-guides/sending-tcpudp-packets-using-netcat

Looks like socat is an option. Looks very netcat-like.

https://discourse.criticalengineering.org/t/howto-crafting-arbitrary-network-packets-with-socat/51


Notes from conversation with Mike on 4/2

  • Hardening happens on a variety of levels
    • Setting up firewalls or hardware in front of the main node (defense)
    • Packet inspection: intrusion mitigation
      • If people are sending malformed packets, then we need to know and deflect
      • Reject packets that are not signed by the key
      • Either build your packets correctly or get slashed
    • Load balancing on the valid traffic
  • Tools for hardening
    • Generating valid protocol buffers to throw at the Casper implementation
  • Fuzzing 
    • Way of generating valid or invalid protobufs at random to see how the software reacts
    • Can be done when the node and firewall are ready


External service blocking

Firewalls on each node

Ports that are open will validate packages with correct signature. Even if it's signed and well-formed, we need a way to throw it at Casper to prove that it's not malformed.



In April

  • RChain get IP range for bootstrap nodes
  • Decision on where to test - Cost risk to hammer AWS with node testing
    • Either buy time on Amazon
    • Or buy some hardware, upfront cost of hardware 
  • Choose a fuzzer tool
    • Look at planned protobufs to choose a tool
    • Pawel may have insight
  • Have conversation with Pawel and Nash to determine broader testing
  • When do we need horizontal scaling on the node?