Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can we restrict I2P peer connections from 'strict countries'? #2112

Open
kosakuraiori opened this issue Oct 25, 2024 · 9 comments
Open

Can we restrict I2P peer connections from 'strict countries'? #2112

kosakuraiori opened this issue Oct 25, 2024 · 9 comments

Comments

@kosakuraiori
Copy link

kosakuraiori commented Oct 25, 2024

I2P peers in the strict country list will force-enable hidden mode, and I2P peers in this mode should not participate in tunnel creation.

Can we implement similar restrictions on I2P peers from regions in the strict country list? That is, when we detect that the IP address of these peers comes from a strict country and they are participating in tunnel creation, we directly block them? (Because it is likely to be a malicious peer).

My native language is not English, and these texts are translated using artificial intelligence technology. Please forgive me if there are any errors in the text.

Strict Countries

@Vort
Copy link
Contributor

Vort commented Oct 25, 2024

I think users should decide by themselves whether they need extra "protection" or not.
As for malicious routers, there should be better way of detecting them than checking their country.

By the way, do you have any information regarding #2109 ?
For example, what goal malicious users may have.

@kosakuraiori
Copy link
Author

kosakuraiori commented Oct 26, 2024

I think users should decide by themselves whether they need extra "protection" or not.
As for malicious routers, there should be better way of detecting them than checking their country.

By the way, do you have any information regarding #2109 ?
For example, what goal malicious users may have.

Their goal is to disconnect I2P users located in China from the I2P network. These malicious peers cause I2P users in China to be unable to connect to any I2P services (if the peers do not enable hidden mode).

After I2P updated the NTCP2 and SSU2 communication protocols, China's national firewall was unable to intercept I2P communications, so they began to deploy a large number of these malicious peers to try to disrupt the network.

I discovered this yesterday while debugging my own I2P software. If I block those abnormal China peers (located in the strict country list but not enabling hidden mode), I can quickly and stably access the I2P network.

This is why I think it's necessary to restrict connections from these countries.

@orignal
Copy link
Contributor

orignal commented Oct 26, 2024

i2pd is not going to restrict connectivity by country or nationality.

@kosakuraiori
Copy link
Author

kosakuraiori commented Oct 26, 2024

i2pd is not going to restrict connectivity by country or nationality.i2pd 不会限制根据国家或国籍进行连接。

You're right. This would lead to a de facto country block.

But what I'm trying to express is not about blocking connections from specific countries, but rather that: the appearance of non-hidden mode I2P routers in these countries is an abnormal signal in itself.

It's a bit like a group of 'prohibited people or things' suddenly appearing publicly in a place where they are forbidden by law.

@Vort
Copy link
Contributor

Vort commented Oct 26, 2024

It's a bit like a group of 'prohibited people or things' suddenly appearing publicly in a place where they are forbidden by law.

Instantaneous addition of almost thousand routers is abnormal signal no matter what country they are from.

These malicious peers cause I2P users in China to be unable to connect to any I2P services

Thank you for the information.

It looks strange to me that abnormal load comes in pulses:
image

Could it be that these pulses are made not by chinese routers, but by some different actor?

@Vort
Copy link
Contributor

Vort commented Oct 26, 2024

I wonder why situation from linked screenshot happens at all.

I2P network have about 40 thousand routers.
Adding 1 thousand routers from China should not change distribution that much.

And in cases when there are really many routers from the same country it makes sense to lower their chance of appearing in the tunnel.

截圖 2024-06-05 上午9 36 34

@Vort
Copy link
Contributor

Vort commented Oct 26, 2024

kosakuraiori
If I block those abnormal China peers (located in the strict country list but not enabling hidden mode), I can quickly and stably access the I2P network.
This is why I think it's necessary to restrict connections from these countries.

orignal
i2pd is not going to restrict connectivity by country or nationality.

I think it should be possible to make option allowing user to exclude some nodes from tunnel selection, similarly to how it is made in Tor (ExcludeExitNodes).
This option should be managed exclusively by user of course and have empty default value.

@kosakuraiori
Copy link
Author

I think it should be possible to make option allowing user to exclude some nodes from tunnel selection, similarly to how it is made in Tor (ExcludeExitNodes).

This option should be managed exclusively by user of course and have empty default value.

Yes, I think similar additional optional protection is feasible.

Could it be that these pulses are made not by chinese routers, but by some different actor?

These abnormal peers come from different organizations, but are basically led by the Chinese academic community (such as the Chinese Academy of Sciences) in censorship research, with the intention of degrading or destroying the I2P network.

By searching for keywords like "I2P 流量分析" in Chinese on search engines, you can find a large number of papers written by different universities and research institutions in China.

I2P匿名系统中网桥技术研究与实现

I2P匿名通信网络流量识别与分类

在数据采集阶段,通过研究I2P匿名网络中节点发布与更新机制,设计I2P网络内部资源节点采集方案,提出通过网络数据库NetDB实时监控功能模块和补种网站定期爬取功能模块实现I2P节点的发现与采集的方法.基于节点RouterInfo结构的解析,构建节点信息数据库,为后续流量识别与分类实验研究提供数据标定基础.
In the data collection phase, by studying the node publishing and updating mechanisms in the I2P anonymous network, we design a scheme for collecting resource nodes within the I2P network. We propose a method to discover and collect I2P nodes through the real-time monitoring function module of the network database NetDB and the periodic crawling function module of the reseeding website. Based on the parsing of the RouterInfo structure of the nodes, we construct a node information database, which provides a data labeling foundation for subsequent traffic identification and classification experimental research.

I wonder why situation from linked screenshot happens at all.

I2P network have about 40 thousand routers.

And in cases when there are really many routers from the same country it makes sense to lower their chance of appearing in the tunnel.

His I2P peer is running on a version (2.5.0) that doesn't have 'strict country protection' deployed, so it won't automatically enter hidden mode. But I also don't know why his I2P peer has so many Chinese peers, to the point where it's causing I2P to not work properly.

@s-b-repo
Copy link

i2pd is not going to restrict connectivity by country or nationality.

agreed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants