Motivation & Concerns

Current insecurities discovered in the eos-bios boot process.

How to hack a chain knowing one peer node running net plugin

Run the command:

    cleos -u [peer-url] net peers

This returns a response like the following for each node:

    {
      "peer": "",
      "connecting": false,
      "syncing": false,
      "last_handshake": {
        "network_version": 1206,
        "chain_id": "0000000000000000000000000000000000000000000000000000000000000000",
        "node_id": "b92b2b7d8835e46e2fed97f5eebda31faea63fd07cc40ad52f132254f22cac8e",
        "key": "EOS1111111111111111111111111111111114T1Anm",
        "time": "1527171594944050635",
        "token": "0000000000000000000000000000000000000000000000000000000000000000",
        "sig": "SIG_K1_111111111111111111111111111111111111111111111111111111111111111116uk5ne",
        "p2p_address": "reach.me.example.com:9876 - b92b2b7",
        "last_irreversible_block_num": 57,
        "last_irreversible_block_id": "000000391a9439aaa2864d9807965bc84865cdd15c4a0a3d0ae3c7e54a85a38f",
        "head_num": 300,
        "head_id": "0000012c9826a4f37db5e5c8b4790acad70c01188aee8e7b7330790937a93cdd",
        "os": "linux",
        "agent": "\"EOS Example\"",
        "generation": 2
      }
    }

Next, get a list of the peers only:

    cleos -u [peer-url] net peers | grep peers

And disconnect each peer:

    cleos -u [peer-url] net disconnect host:port

One could then force a connection to any other peer, which also increases the risk of network instability:

    cleos -u [peer-url] net connect host:port

The Recommended Solutions

WireGuard Private Mesh Security

Layer 1 (Block Production Layer): 2 Producers (1x Producer node & 1x Stand-by node)

- Producer Control Switch: a machine to monitor and enable failover switching
- Layer 1 nodes could be connected to other trusted producer or full nodes via VPN (WireGuard)
- Nothing extra installed other than Producer API, whose access is restricted to the producer control switch

Layer 2 (P2P Layer): Full nodes to relay blocks

- Connected to the Layer 1 nodes via direct tunnels (WireGuard)
- Securely meshed to trusted BPs via P2P VPN (WireGuard)
- Only uses History API and Chain API, restricted to the proxy servers on Layer 3
- BPs are encouraged to make public full nodes available for external access, for example to exchanges, portals, new BPs…

Layer 3 (API Layer): Web servers to support HTTP endpoints

- Layer 3 nodes should be pure web firewalls and have no blockchain information
- Connected to our Layer 2 relay nodes via HTTP (WireGuard)
- Uses Patroneos to protect against basic DDoS and application-layer attacks

Layer 4 (Public Layer): Global BP Load Balancer (all traffic goes into this single point)

- Volumetric attacks get handled at ISP level
- Routes all HTTPS (SSL) traffic to our Layer 3 web servers
- Configured to DNS (optional)
- L4 can be as simple as DNS round robin with short TTL.

Conclusion

BP Teams Involved:

- Sw/eden
- EOS Tribe
- HKEOS
- EOS Rio
- Block Matrix
- eosDAC
- Eosmeso
- AcroEOS
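
One way to check a node's config.ini against the plugin rules of the layers described above, added here as an example; it is not part of the original page or of any project tooling. The layer names, the allow-list and the sample configs are assumptions, as are the premises that the cleos net commands are served by eosio::net_api_plugin and that nodeos binds HTTP to 127.0.0.1:8888 when http-server-address is absent.

```python
import ipaddress

# Per-layer HTTP API allow-list (policy assumed from the layering above).
ALLOWED_API = {
    "layer1": {"eosio::producer_api_plugin"},
    "layer2": {"eosio::chain_api_plugin", "eosio::history_api_plugin"},
}

def parse_config(text):
    """Parse nodeos config.ini text into {key: [values]}; keys may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf.setdefault(key, []).append(value)
    return conf

def is_private_bind(endpoint):
    """True if host:port binds to a loopback or private (tunnel) address."""
    try:
        addr = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    except ValueError:
        return False  # hostname or empty host: treat as exposed
    return not addr.is_unspecified and (addr.is_loopback or addr.is_private)

def audit(text, layer):
    """Return policy findings for one node's config.ini on the given layer."""
    conf = parse_config(text)
    api = {p for p in conf.get("plugin", []) if p.endswith("_api_plugin")}
    findings = [f"{p} not permitted on {layer}" for p in sorted(api - ALLOWED_API[layer])]
    for ep in conf.get("http-server-address", ["127.0.0.1:8888"]):  # assumed default
        if api and not is_private_bind(ep):
            findings.append(f"HTTP API bound to non-private address {ep}")
    return findings

# Constructed sample configs, not taken from any real node.
EXPOSED = """
plugin = eosio::chain_api_plugin
plugin = eosio::net_api_plugin   # serves the cleos net commands
http-server-address = 0.0.0.0:8888
"""
HARDENED = """
plugin = eosio::chain_api_plugin
plugin = eosio::history_api_plugin
http-server-address = 10.10.2.5:8888
"""

if __name__ == "__main__":
    print(audit(EXPOSED, "layer2"), audit(HARDENED, "layer2"))
```

An empty list means the config matches the layer's allow-list and its HTTP endpoint is bound only to a loopback or private address, such as a WireGuard interface.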