In bin_node there are several default peers listed for clients to bootstrap their peer lists:
[ "delphinet.tezos.co.il"; "delphinet.smartpy.io"; "delphinet.kaml.fr"; "188.8.131.52" ]
[ "184.108.40.206:9733"; "edonet.tezos.co.il"; "220.127.116.11:9733"; "edonet.smartpy.io"; "18.104.22.168:29732"; "22.214.171.124"; "edonet.boot.tezostaquito.io" ]
This article by Serokell on the TQTezos Medium provides a good summary of what these do:
Peer discovery is the process of discovering other peers in a network. The BitTorrent protocol uses tracker servers to maintain a list of peers in a swarm. So, when you start to download a file using a torrent, the client can immediately get a list of peers from the tracker information in the torrent file.
Similarly, a Tezos node also needs to know where to start its connection to the P2P network. When you start a Tezos node, you can pass an explicit list of peers to the node via the --peer argument. For example, you can use the following foundation nodes to bootstrap your node:
dubnodes.tzbeta.net franodes.tzbeta.net sinnodes.tzbeta.net nrtnodes.tzbeta.net pdxnodes.tzbeta.net
But if this argument is not provided, the node will try to connect to boot.tzbeta.net. This is a domain name that has many nodes behind a load balancer.
A Tezos node also has another technique to discover local peers, that is, peers in the local network. You can use the --discovery-addr option to provide the broadcast address of a network, and the node will send periodic UDP broadcast packets that contain information like the peer id and the listening port. Any node that receives this can try to connect using the contained information and the source IP address of the UDP packets.
I have a few questions:
1. If mainnet has only one default bootstrap peer, boot.tzbeta.net, what happens in the event of:
a. DDoS attack. Can an attacker stop new nodes from joining --peer)? If so, what do we estimate the cost per hour to be for an adversary to launch such an attack?
b. An adversary doing, e.g., a social engineering attack and gaining root access to this box. Can they route all new nodes to a partitioned network they control?
c. Same as b. except with a compromise of the DNS records of tzbeta.net rather than the underlying box.
d. Same as b. except with a compromise of the hosting provider (unlikely, but it's not paranoia if they really are out to get you).
2. The above article says that the backend of boot.tzbeta.net is a load balancer in front of a bunch of different peers. Can this backend be open-sourced (or is it already?) so that, e.g., bakers can easily run their own bootstrap peers if need be?
3. Suppose that the answer to my question #2 is affirmative, and now many bakers are running their own bootstrap nodes. What are the consequences if a new node boots with a list of peers, some of which may be malicious? Is this a possible use case for a Web of Trust between the bootstrap peers?
4. Bitcoin previously used IRC to bootstrap its peer list, but this was dropped in favor of a DNS-based solution because of the Sybil attack surface. Tezos currently uses Proof of Work to prevent Sybil attacks in the peer-to-peer layer. Could a similar Proof of Work be used (perhaps in conjunction with a Web of Trust or evidence of rolls) to have the bootstrap peers postulated in #3 (not ordinary peers) announce themselves on an IRC or Matrix channel?
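As an added example (not from this post or the Tezos code base), a small Python helper that parses OCaml-style peer lists like the ones quoted from bin_node above and groups each entry by who can redirect it (the DNS zone for names, the address itself for IP literals), flagging a list that collapses to a single zone or address, which is the single point of failure question 1 is about. The default port 9732 and the tiny two-label public-suffix set are assumptions.

```python
"""Check how concentrated a Tezos bootstrap-peer list is (added example)."""
import ipaddress
from collections import Counter

# Assumption: tezos-node's default P2P port, used when an entry has no ":port".
DEFAULT_P2P_PORT = 9732
# Constructed subset of the Public Suffix List, enough for the names on this page.
TWO_LABEL_SUFFIXES = {"co.il"}


def parse_ocaml_peer_list(text):
    """Parse an OCaml string-list literal such as [ "a.example"; "10.0.0.1:9733" ]
    into (host, port) tuples. Hostnames and IPv4 only (no bracketed IPv6)."""
    body = text.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected an OCaml list literal")
    peers = []
    for item in body[1:-1].split(";"):
        item = item.strip().strip('"')
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if not sep:  # no port given -> the whole item is the host
            host, port = item, str(DEFAULT_P2P_PORT)
        peers.append((host, int(port)))
    return peers


def operator_key(host):
    """Group a peer by who controls where it resolves: the registrable DNS zone
    for names (two labels, or three under a two-label suffix like co.il), the
    address itself for IP literals."""
    try:
        ipaddress.ip_address(host)
        return ("ip", host)
    except ValueError:
        labels = host.lower().rstrip(".").split(".")
        n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
        return ("zone", ".".join(labels[-n:]))


def bootstrap_diversity(peers):
    """Return (Counter of operator keys, single_point_of_failure). The flag is
    True when every entry hangs off one zone or one address, as with a list
    that contains only boot.tzbeta.net."""
    keys = Counter(operator_key(host) for host, _ in peers)
    return keys, len(keys) == 1


if __name__ == "__main__":
    # Constructed inputs: the delphinet list from the page and a mainnet-style fallback.
    for literal in ('[ "delphinet.tezos.co.il"; "delphinet.smartpy.io"; "delphinet.kaml.fr"; "188.8.131.52" ]',
                    '[ "boot.tzbeta.net" ]'):
        keys, spof = bootstrap_diversity(parse_ocaml_peer_list(literal))
        print(literal, "->", dict(keys), "single point of failure:", spof)
```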