fix: p2p security and privacy improvements #81
Open
R0BC0D3R wants to merge 4 commits into
Nodes running --anonymous-inbound (Tor/I2P) were appending their own onion/I2P address to peerlist responses with a real wall-clock timestamp and always in the last position. An observer receiving multiple responses could trivially identify the node's own address by its fixed position and correlate it across time using the timestamp. Fix: insert at a random position with timestamp=0, matching Monero PR #9632 (shipped in v0.18.4.0, Apr 2025). No effect on clearnet-only nodes — the code path requires an outgoing connection in the same zone as m_our_address.
- Upgrade peer diversity filter from /16 to /24 subnet deduplication: reduces spy node effectiveness from ~3.6 to ~1.06 connections per outbound slot (Monero PR #9939)
- Track tried peers by ID not peerlist index in make_new_connection_from_peerlist: peerlist shifts between iterations could cause retries or skips with index-based tracking
- Refresh m_current_number_of_out_peers in get_outgoing_connections_count: stale counter caused try_to_connect_and_handshake_with_new_peer to refuse new connections after a peer dropped until the background thread caught up (Monero PR #9939)
…send
When sending transactions over Tor/I2P, the fallback zone selection loop checked only whether a proxy was configured (m_connect), not whether active outgoing connections existed. This could silently queue transactions on a zone with no peers, where they may never be delivered. Now verifies at least one outgoing connection exists before selecting a zone, and logs a warning when all anonymity networks lack connections. Port of Monero PR #9267.
Peer IDs were randomly assigned to all network zones, including Tor and I2P. This allowed an observer to correlate connections across a node's anonymity network traffic using the persistent peer_id field. Fix by defaulting peer_id to 1 for all zones and assigning a random value only to the public zone during init. All peer_id comparisons (self-connection detection, is_peer_used) are now guarded by a public-zone check. Anonymity network zones identify duplicate connections by address only. Also adds guards to skip connecting to our own onion/I2P address if it appears in the peerlist. Port of Monero commit 37bb594.
Build Artifacts
10 succeeded, 0 failed
Summary
Ports several security and privacy fixes from upstream Monero to src/p2p/net_node.inl and src/p2p/net_node.h.

- Anonymous inbound address leak (Monero PR #9632): Self-address inserted at a random position with timestamp=0 in timed sync responses, preventing correlation of our own onion/I2P address by list position or wall-clock time across responses.
- Peer diversity (Monero PR #9939): Upgraded subnet deduplication from /16 to /24, and changed the tried-peers tracking set from list index to peer ID to avoid skipping valid peers when the peerlist is modified mid-iteration.
- Stale outgoing connection counter: get_outgoing_connections_count now refreshes m_current_number_of_out_peers on every call, preventing the connection-maker from stalling when peers drop between 1-second poll intervals.
- Peer ID disabled over anonymity networks (Monero commit 37bb594): Peer IDs were randomly assigned to all network zones including Tor and I2P, allowing an observer to correlate connections across anonymity network traffic. Fixed by defaulting peer_id to 1 for non-public zones and guarding all peer_id comparisons with a public-zone check. Anonymity networks now identify duplicate connections by address only.
- Silent tx drop on privacy networks (Monero PR #9267): Tx send no longer selects an anonymity network zone that has no active outgoing connections, preventing transactions from being silently queued with no chance of delivery.
Test plan
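
Added illustration, not code from this PR or from Monero: a simplified C++ model of the anonymous-inbound peerlist change described in the summary, with a regression-style check that the node's own address no longer occupies a fixed slot. `PeerEntry`, `respond_before`, `respond_after`, `self_positions`, `sample` and the `.example` addresses are hypothetical names; the sample peers are constructed, and giving them `last_seen` 0 is an assumption.

```cpp
#include <cstddef>
#include <cstdint>
#include <random>
#include <set>
#include <string>
#include <vector>

// Hypothetical, simplified peerlist entry (not the project's own type).
struct PeerEntry { std::string addr; int64_t last_seen; };
using PeerList = std::vector<PeerEntry>;

// Before the fix, as the commit message describes it:
// own address appended last, stamped with the wall clock.
PeerList respond_before(PeerList peers, const std::string& self, int64_t now) {
    peers.push_back(PeerEntry{self, now});
    return peers;
}

// After the fix: own address at a uniformly random slot, timestamp 0.
PeerList respond_after(PeerList peers, const std::string& self, std::mt19937& rng) {
    std::uniform_int_distribution<std::size_t> slot(0, peers.size());
    peers.insert(peers.begin() + static_cast<std::ptrdiff_t>(slot(rng)), PeerEntry{self, 0});
    return peers;
}

// Distinct positions `self` occupied across responses. A single element
// means the slot is fixed, which is what made the address identifiable.
std::set<std::size_t> self_positions(const std::vector<PeerList>& responses, const std::string& self) {
    std::set<std::size_t> seen;
    for (const auto& r : responses)
        for (std::size_t i = 0; i < r.size(); ++i)
            if (r[i].addr == self) seen.insert(i);
    return seen;
}

// Constructed sample: 8 placeholder peers, 64 responses per variant.
std::vector<PeerList> sample(bool fixed) {
    PeerList peers;
    for (int i = 0; i < 8; ++i) peers.push_back(PeerEntry{"peer" + std::to_string(i) + ".example", 0});
    std::mt19937 rng(12345);
    std::vector<PeerList> out;
    for (int n = 0; n < 64; ++n)
        out.push_back(fixed ? respond_after(peers, "self.example", rng)
                            : respond_before(peers, "self.example", 1700000000 + n));
    return out;
}

int main() {  // exit status 0 when the old slot is fixed and the new one varies
    return self_positions(sample(false), "self.example").size() == 1 &&
           self_positions(sample(true), "self.example").size() > 1 ? 0 : 1;
}
```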