As you know, witness nodes are an essential part of the STEEM universe.
If I have a witness node with as much as (or as little as) 3% of witness approval, I can choose the right time to shut it down, listen to my favourite music album, walk my cat, and then start it up again, most probably without missing a block.
A full-time witness, or one of the top19 witnesses, needs to produce blocks 1600 times more frequently.
Maintaining such a server in the long run is not an easy task.
Witnesses are vulnerable to DDoS attacks. An attacker who knows the network location of your witness node can saturate your uplink to a level that makes you unable to produce blocks on time. Effectively, this means voting the witness out using a network-level attack. Finding the IP address of your witness node is easier than you might think. Even if you follow the guidelines for setting up your public seed node on a different machine than the one you used to get your witness running, your witness still needs to connect to other nodes in the network.
So what does this mean? Take a look at: http://seeds.quisquis.de/steem.html
(service provided by cyrano.witness)
Does any of these IP addresses look familiar?
The attacker still doesn't know which of them is yours, right?
An attack that makes the target IP unavailable for 3 seconds? Not exactly a difficult thing to do, right? So the attacker needs to make a guess by choosing from a set of suspected IP addresses he has obtained. Guessing doesn't cost him much. Neither does a high volume, short period DDoS attack. After that, he can see that your total_missed count increases, and he knows he guessed correctly. And then you are out.
A concept of infrastructure:
2 witness nodes (primary and backup)
4 dedicated seed nodes
One witness node has your current signing key and does its job. The other is for failover, backup purposes. For example, whenever you need to upgrade your witness binary, you do that on the backup witness node, then change your signing key, so the backup node and the primary node switch their roles.
(Never leave your current signing key on two nodes at the same time!)
These 4 seed nodes mentioned here only work on behalf of your witness i.e. they don’t provide seed service on public network interfaces.
Your public seed node is not within the scope of this document.
Your witness node connects ONLY to your seed nodes using VLAN or another private, low latency network solution of your choice. All other incoming/outgoing connections should be blocked except for the secure shell, preferably limited to access only from your IPs.
Each seed node should be in a separate datacenter, ideally in a different part of the world, never in the same location as any of your (primary/backup) witness nodes. The purpose is to minimize the effects of a successful DDoS attack.
Please note that setting up all seed nodes in a single data center won’t help. A DDoS attack targeted at that particular network will bring all your nodes down anyway.
+---+
+ +----+ | |
| | |<-->| B |
+--+ S1 |<-->| i |
| | |<-->| g |
| +----+ | |
+------+ | | B |
| +-+ +----+ | a |
| W(p) | | | |<-->| d |
| | +--+ S2 |<-->| |
+------+ | | |<-->| U |
| +----+ | g |
VLAN| | l |
| +----+ | y |
+------+ | | |<-->| |
| | +--+ S3 |<-->| I |
| W(b) | | | |<-->| n |
| +-+ +----+ | t |
+------+ | | e |
| +----+ | r |
| | |<-->| n |
+--+ S4 |<-->| e |
| | |<-->| t |
+ +----+ | |
+---+
W(p) - primary witness
W(b) - backup witness
S1-4 - seed nodes
Of course, you need to keep your seed nodes (at least one of them) running all the time, otherwise your witness will not be able to sync the blockchain.
But if you do the math, you will see that the odds that all your seed nodes stop working at the same time are much lower than the chances that this happens to your witness node.
If one of your seed nodes falls victim to a DDoS attack, you can, depending on the features offered by your infrastructure provider:
- do nothing (until most of them are targeted at the same time)
- change its external interface IP address, routing the old one to a black hole
- set up a new, additional, temporary seed node somewhere else
- replace that seed node with a new one in another location
If you believe this idea is of use and value to Steem, please vote for me as a witness
either on Steemit's Witnesses List
or by using your cli_wallet command:
vote_for_witness "YOURACCOUNT" "gtg" true true
I love the idea in this, basically setting up a fortress for your witness node to be more resilient.
One thing you're right about though is it would be a somewhat expensive venture. At the rate I'm witnessing blocks (maybe 3-4 a day?), it's not feasible to sustain itself financially, but I imagine the top 19 could easily go this route. Maybe even some of the people in the top 30?
I'd be more than willing to help prototype this type of infrastructure. I've been considering how difficult it would be to setup on AWS with a CloudFormation script that spins up seed nodes as ECS Containers, VPCs in every region that all interconnect via private networking, and an EC2 container for your witness node that's not accessible from the internet, but only the seed nodes.
It really shouldn't be all that hard, and even non-technical witnesses could copy/paste the cloudformation script to get started. Of course with this idea, if AWS is attacked, you're still the mercy of them being able to handle it.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
It has already been tested in the wild on dedicated servers and VXLAN (however using only a minor block producer, not a full-time witness)
Big infrastructure providers such as AWS or OVH have plenty usable features that could help (like multi-datacenter private networking), so deploying this won't be hard, but you are not limited to a single infrastructure provider. In more affordable solutions, where you don't have multiple physical network interfaces or multiple outbound routes you can even use OpenVPN, which adds only negligible latency and does its job.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
I'm just re-reading this post and comments and probably understanding them for the firs time. Steem would gain a lot from seeing those set up being made easy to set up for anyone. Hopefully this could be work out at some point.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
That's awesome :)
I love seeing these kinds of advanced setups being theorized, tested and deployed!
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
@gtg I have this redundant setup in mind, the hold up is not economical for me to set up at my current witness rank.
Right now, I barely break even :) Maybe in the near future.
It's good for Top 20 to know this setup, maybe they will follow your lead.
Cheers,
@yehey
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
you are history as good
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
great post! I completely agree with the analysis of the problem as well as the proposed solution. I actually wanted to implement something similar some time ago, during BitShares times, but then BitShares 2.0 happened and there were a lot more urgent things to do, so this got sidetracked. See here for the same analysis, where those nodes were called "backbone nodes" as they were intended to be shared between witnesses. Witnesses were paid a lot less during that time so I intended to have this as a public service, although that would mean that witnesses had to trust the operator of the backbone. Having your own personal line of defense is obviously much better. I still believe that this is an extremely important issue that should be tackled as soon as possible, and was planning to reboot this proposal as soon as I got some free time (haha good one!). In all seriousness, I believe that this is not too much work, but there will be some features that need to be added to the network code of the steemd client, in order to limit the nodes the client can connect too, as well as ensuring that your backbone nodes do not share the IP of your witness node (was in bts 0.9.x, but not in 2.0 nor steem I believe). This can probably also be implemented with some sort of VPN I guess, but I'm a coder, not a sysadmin, so I can't tell for sure. I even thought (fantasized) about how to make these nodes replace themselves autonomously when attacked via DDoS using messages on the blockchain, in order to simulate a resilient, living organism. Now you see where part of the "overmind" idea came from, too :) That is a discussion for a bit later, though...
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Reading stuff like this makes me realize just how little I know about this whole thing...
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
THis is something. @gtg
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Thanks for explaining. You've got my witness vote now.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
i was checking if you tagged it in #witness-category ;)
glad to see steemit has a great team of security devs and glad to have upvoted you as witness.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
I can tell you're definitely a well-invested witness. You have my vote.
These details could help to improve the general quality of witnesses on the network
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Really good infrastructure top 19 sure can implement for better protection of their nodes.
Though Steem network as whole have good protection against DDoS - even if most of 19 will go offline other witnesses will do their job, we just need more active and up-to-date witnesses.
I personally too want become good witness and currently learning all nuances of secure operation of node.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
I wish I was intelligent enough to participate in this conversation.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
I just saw your article now and followed you . In this way I don't miss your new ones .
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
gtg said: Please note that setting up all seed nodes in a single data center won’t help. A DDoS attack targeted at that particular network will bring all your nodes down anyway.That is unless the data center provides a variety of network routes from different providers and your seed nodes are therefore located on different wide area networks even when on the same LAN. This is possible on today's top of the line data centers.
Of course decentralization is always good so several locations for seed nodes and witnesses is a plus. Good post.
Just installed a witness node. Consider to Vote for witness okay
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
The steem blockchain is a distributed network of servers. They are everywhere, they might affect a few servers but DDOS will not stop it.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
The private seed nodes still need to connect to the rest of the network to be able to sync and broadcast new blocks. So from an attacker's pov perhaps it's cheaper/easier to attack the public seed nodes directly.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit