Pubsub flood due to same message propagated multiple times #9665
Comments
stbrody
added
kind/bug
|
This is a companion report to a report that was already filed against go-libp2p-pubsub here: libp2p/go-libp2p-pubsub#524 The main advice we received from @vyzo working on go-libp2p-pubsub was to utilize libp2p validators for our incoming pubsub messages. Is that something that kubo exposes currently? Also, even if the libp2p validators are exposed via kubo APIs, it will take time to set up the right ones and get our community of node operators to upgrade to utilize them. In the meantime our network is still in a bad state right now so I'm very interested in any ideas for what we can do in the short term to reach a stable state again. Thank you! |
|
A possible solution that can solve your current predicament is to provide a default validator in ipfs that uses the message envelope seqno as the nonce. This works for all peers/topics, and can reject/ignore old messages without needing to look into the message payload itself. This can be implemented quite easily and provide the bandaid needed to stop the bleeding and buy time to design the proper abstractions for a validator api. |
|
A bit more on the mechanics of this. The proposed validator relies on message signing and use of the seqno, which are default features used by ipfs. Thus we can use this seqno as a per peer nonce and extinguish the kind of floods that is being observed here. The validator can be registered by every topic thats is joined, or we can add an api in pubsub for default validators for all topics. |
|
I plan on working on this tmrw, as it is holiday here today. I will add a new api to pubsub for default validators, and write a default validator that behaves as described in kubo. |
Would really appreciate the help, @vyzo 🙏🏼 Our whole team is all-hands-on-deck debugging and testing in preparation for a major product launch at Eth Denver over the next couple of days (hence our concern about Pubsub flooding at this time). |
|
The current plan: kubo maintainers will try to get out a patch release that includes Vyzo's proposed solution this week. |
|
So there are a couple of parties involved here:
This is on the Kubo maintainers' 2023-02-28 standup agenda to discuss to figure out what we can do here. We understand this is time sensitive for you all. We'll update the issue after standup (by 19UTC on 2023-02-28). |
|
Datastore API we want pubsub validator to consume: https://pkg.go.dev/github.com/ipfs/go-datastore#Datastore (with a wrapper in Kubo side). |
|
Notes from 2023-02-28 conversation with @Jorropo and @vyzo : |
|
Ceramic: a few things:
|
|
The pubsub side of things is here: libp2p/go-libp2p-pubsub#525 |
|
Thanks @vyzo @BigLep for all your work driving this forward! Wanted to let you all know that at the end of the day yesterday the pubsub flood resolved, so we are no longer in an active crisis situation at the moment. That said, this has happened before and will likely happen again, so we're still very interested in getting the fixes you all are working on to help protect us going forward. And we'd absolutely love to have an architecture review and discuss how we can improve the way we build on kubo/libp2p to set us up for success in the future. Also @BigLep, we do have a shared channel in the filecoin slack: https://filecoinproject.slack.com/archives/C01V5AWPF97 |
|
Pubsub release has been cut in https://github.com/libp2p/go-libp2p-pubsub/releases/tag/v0.9.2 I will hook it up to ipfs next. |
|
@stbrody : you bet. Concerning architecture review, let's connect after Denver. Feel free to reach out on FIL Slack when you're back and settled. |
aschmahmann
added
P0
|
@stbrody : we've run into some snags here. @Jorropo will get these moved a top level issue tomorrow (2023-03-10). Assuming you're all back from EthDenver, I want to get the ball rolling on understanding your needs and how we unblock you since per above we aren't going to merge the PR fix into master. Can you please invite @BigLep , @Jorropo , and @lidel into a collaboration channel in Filecoin Slack to help with the coordination? (Or if you want me to create a new channel I can do that.). (I can't currently access https://filecoinproject.slack.com/archives/C01V5AWPF97 - I assume it's private.) |
|
Slack access has been granted and I have moved the conversation there for scheduling. |
Checklist
Installation method
ipfs-update or dist.ipfs.tech
Version
Config
n/aDescription
Incident report from 3Box Labs (Ceramic) Team
Incident summary
The Ceramic pubsub topic has been experiencing a flood of pubsub messages beyond our usual load for the last several days now. We log every pubsub message we receive on the nodes that we run, and running analysis on those logs using LogInsights shows us that we are receiving messages with the exact same `seqno` multiple times - one message can show up upwards of 15 times in an hour. During normal operation we do not åsee this issue with seqnos showing up multiple times. This dramatic increase in the number of messages that need processing is causing excess load on our nodes that is causing major performance problems, even with as much caching and de-duplication as we can do at our layer.Evidence of the issue
Graph of our incoming pubsub message activity showing how the number of messages spiked way up a few days ago. The rate before 2/20 was our normal, expected amount of traffic:
AWS LogInsights Query demonstrating how the majority of this increased traffic is due to seeing the same message (with the same seqno) re-delivered multiple times. Before the spike we never saw a
msg_countgreater than 2.Steps to reproduce
Connect to the gossipsub topic `/ceramic/mainnet`. Observe the messages that come in, keep track of the number of times you see a message with each `seqno`. You'll see that over the span of an hour you see the same message with the same `seqno` delivered multiple timesHistorical context
We have seen this happen before, in fact it's happened to us several times over the last year, and we've reported it to PL multiple times. You can see our original report here (at the time we were still using js-ipfs): https://github.com/libp2p/js-libp2p/issues/1043. When this happened again after we had migrated to go-ipfs, we reported it again, this time on slack: https://filecoinproject.slack.com/archives/C025ZN5LNV8/p1661459082059149?thread_ts=1661459082.059149&cid=C025ZN5LNV8We have since discovered a bug in how go-libp2p-pubsub maintained the seenMessage cache and worked to get a fix into kubo 0.18.1: libp2p/go-libp2p-pubsub#502
We have updated our nodes to 0.18.1, but of course we have no direct control over what versions of ipfs/kubo the rest of the nodes on the Ceramic network are running, so even if the above bugfix would resolve the issue if every single node on the network were to upgrade to it, we have no real way to enforce that and no idea how long it will be (if ever) before there are no older ipfs nodes participating in our pubsub topic. Not to mention the possibility of a malicious node connecting to our pubsub topic and publishing a large volume of bogus messages (or re-broadcasting valid messages). So no matter what, we need a way to respond to incidents like this that goes beyond "get your users to upgrade to the newest kubo and pray that that makes the problem go away", which has been what we've been told every time we're reported this issue so far.
Our request from Protocol Labs
This is an extremely severe incident that has affected us multiple times over the last year. It strikes without warning and leaves our network crippled. Every previous time this happened it cleared up on its own within a day or so, but this one has been going on for 5 days now without letting up. We need some way to respond to incidents like this, and to potential malicious attacks in the future where someone intentionally floods our network with pubsub traffic.
So our questions for PL are:
Thank you for your time and attention to this important issue!
-Spencer, Ceramic Protocol Engineer
The text was updated successfully, but these errors were encountered: