Description
Our AutoNAT spec currently says:
> In order to prevent attacks like the one described in RFC 3489, Section 12.1.1 (see excerpt below), implementations MUST NOT dial any multiaddress unless it is based on the IP address the requesting node is observed as. This restriction as well implies that implementations MUST NOT accept dial requests via relayed connections as one can not validate the IP address of the requesting node.
>
> RFC 3489 12.1.1 Attack I: DDOS Against a Target
>
> In this case, the attacker provides a large number of clients with the same faked MAPPED-ADDRESS that points to the intended target. This will trick all the STUN clients into thinking that their addresses are equal to that of the target. The clients then hand out that address in order to receive traffic on it (for example, in SIP or H.323 messages). However, all of that traffic becomes focused at the intended target. The attack can provide substantial amplification, especially when used with clients that are using STUN to enable multimedia applications.
The intention is to prevent an amplification attack against a target, and was designed with the properties of the STUN protocol in mind.
This is not the only way to prevent amplification attacks though. We can also just make the attack expensive enough such that it becomes unattractive. For example, we could require the requester to send a non-trivial amount of data, on the order of 10-100 kB. This would make AutoNAT completely uninteresting for an amplification attack, since a libp2p handshake is a lot smaller than 10 kB, and thus no amplification can be achieved.
On the other hand, for the AutoNAT server, receiving 10-100 kB is cheap enough to process that we're not placing too large a burden on the server. To further lighten the load on the server, this could be designed as a "retry" mechanism (borrowing QUIC terminology here): Only if the IP address doesn't match would the server request the client to send this additional data.
Obviously, as this is a new design, this would need to be incorporated into AutoNAT v2 (#503).
@sukunrt Thoughts?
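A sketch of the server-side decision the issue proposes, added here as an illustration and not taken from libp2p or the AutoNAT v2 spec. The names `Decide`, `ipOf`, `AmplificationBound` and both byte constants are assumptions; the issue only gives the ranges "10-100 kB" and "a lot smaller than 10 kB".

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Assumed values picked from the ranges named in the issue.
const (
	dialDataBytes     = 30 * 1024 // data required before dialing a mismatched IP
	maxHandshakeBytes = 10 * 1024 // upper bound on what a dial sends to the target
)

type Action string

const (
	Dial        Action = "dial"
	RequestData Action = "request-data"
	Reject      Action = "reject"
)

// ipOf reads the leading /ip4 or /ip6 component of a textual multiaddr.
func ipOf(maddr string) (netip.Addr, bool) {
	p := strings.Split(maddr, "/")
	if len(p) < 3 || p[0] != "" || (p[1] != "ip4" && p[1] != "ip6") {
		return netip.Addr{}, false
	}
	ip, err := netip.ParseAddr(p[2])
	ok := err == nil && ip.Is4() == (p[1] == "ip4")
	return ip.Unmap(), ok
}

// Decide returns the server's next step and how many bytes the client still owes.
func Decide(observed netip.Addr, maddr string, received int) (Action, int) {
	ip, ok := ipOf(maddr)
	switch {
	case !ok:
		return Reject, 0
	case ip == observed.Unmap(): // address is the requester itself: no third party
		return Dial, 0
	case received < dialDataBytes: // "retry": requester must pay before the dial
		return RequestData, dialDataBytes - received
	}
	return Dial, 0 // requester has sent more than the dial can cost the target
}

// AmplificationBound is bytes sent toward the target per byte the requester paid;
// a value below 1 means the exchange cannot amplify.
func AmplificationBound() float64 { return float64(maxHandshakeBytes) / float64(dialDataBytes) }

func main() {
	observed := netip.MustParseAddr("198.51.100.20") // constructed sample addresses
	for _, a := range []string{"/ip4/198.51.100.20/tcp/4001", "/ip4/203.0.113.7/tcp/4001"} {
		act, owed := Decide(observed, a, 0)
		fmt.Println(a, act, owed)
	}
	fmt.Printf("amplification bound: %.2f\n", AmplificationBound())
}
```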