Changes to trtl.nodes.pub, API results and a possible attack vector.

About a month ago, I set up trtl.nodes.pub, an automatically updated directory of public TurtleCoin nodes.

Since then, I've been tweaking it every now and then:

- Some nodes seem to be dead or down, so when a node is not reachable for 20 consecutive polls (~200 minutes) it will not show up.
- I modified the API to respond with a JSON that is similar to https://github.com/turtlecoin/turtlecoin-nodes-json/blob/master/turtlecoin-nodes.json and as such it is a drop-in replacement (with some extra info, such as fee info).

The motivation behind trtl.nodes.pub is to help the "marketplace" (?) of public nodes. I want to make it easy for users to pick a public node, and at the same time to avoid having all traffic go through one or two of them.

In this direction, the API will query the DB and get results sorted by last block height (i.e. node is up to date), poll score (this is calculated based on the number of times the node was not reachable during the last 20 polls, and it's a measure of reliability) and finally fees. However, the top 5 results will then be sorted in random order before they are returned as a JSON list.

I would like to think in advance about how this service could work if the TurtleCoin ecosystem grows much bigger and the value of the token gets higher. If this happens, I can see the possibility of people trying to game the service and I would like to try to be ready. In this direction I'm working on a system that will penalise hosts that use the same IP to avoid the case where the API returns 5 results that are the same node with different hostnames. (I'm also thinking of giving a higher score to nodes that use more than one IP, i.e. two A records for the same host name.)
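The selection described above (sort by height, poll score and fee, then shuffle the top 5) combined with a strict form of the same-IP penalty, as an added Python example that is not the code behind trtl.nodes.pub. The field names, the policy of dropping lower-ranked hostnames that share an IP, and the sample nodes are assumptions constructed for illustration.

```python
import random
from dataclasses import dataclass

MAX_MISSED = 20  # post: unreachable for 20 consecutive polls -> not listed

@dataclass(frozen=True)
class Node:
    host: str
    ips: tuple    # A records resolved for the hostname
    height: int   # last block height reported
    missed: int   # unreachable polls among the last 20 (poll score input)
    fee: int

def rank(nodes):
    """Order by height (highest first), then fewest missed polls, then lowest fee."""
    live = [n for n in nodes if n.missed < MAX_MISSED]
    return sorted(live, key=lambda n: (-n.height, n.missed, n.fee))

def dedupe_by_ip(ranked):
    """Assumed policy: keep only the best-ranked hostname per IP address."""
    seen, kept = set(), []
    for n in ranked:
        if seen.isdisjoint(n.ips):
            kept.append(n)
        seen.update(n.ips)  # a dropped alias also marks any extra IPs it lists
    return kept

def pick(nodes, top=5, rng=random):
    """Top `top` distinct nodes, shuffled so traffic spreads across them."""
    best = dedupe_by_ip(rank(nodes))[:top]
    rng.shuffle(best)
    return best

# Constructed sample: a/b/c are one machine behind three hostnames; g is dead.
SAMPLE = [
    Node("a.example", ("192.0.2.1",), 1000, 0, 0),
    Node("b.example", ("192.0.2.1",), 1000, 0, 0),
    Node("c.example", ("192.0.2.1",), 1000, 0, 0),
    Node("d.example", ("198.51.100.4",), 1000, 1, 10),
    Node("e.example", ("198.51.100.5",), 1000, 2, 0),
    Node("f.example", ("198.51.100.6",), 999, 0, 0),
    Node("g.example", ("198.51.100.7",), 1000, 20, 0),
    Node("h.example", ("198.51.100.8",), 998, 0, 5),
]

if __name__ == "__main__":
    print("no dedupe:", [n.host for n in rank(SAMPLE)[:5]])
    print("API list: ", [n.host for n in pick(SAMPLE)])
```

Without the IP check, three of the five returned entries in this sample are the same machine; with it, each returned entry has a distinct address.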

There is one more thing. It turns out that using a public node may be an attack vector that a malicious actor can take advantage of. The attack takes advantage of the fact that when a client connects to a public node, it exposes its IP to it. I'm working on what could be an easy solution to this: a simple proxy designed to hide the client IP and that anyone can deploy on Google Cloud services for free.
