As it is, if one node is compromised or malicious, what stops it from hosing up darksend? Sure, that TX will fall out of the memory pool and eventually be not a sent transaction according to my client, but how about something that actively avoids the incident? Why shouldn't all clients hosting the full chain also be darksend nodes? For that matter, why is darksend optional? Why aren't all sends done in that manner automatically? Input volume, yes...
The idea of masternodes is to create a very expensive network similar to mining, where users invest money to make money. If you decide to be malicious, the only power you have is to not allow transactions for that 2.5 minutes, in which case you forfeit the money the network will pay you.
If all nodes were able to do it, the network would be vulnerable to sybil attacks. See my conversation with Anonymint.
The network is still vulnerable to sybil attacks with expensive nodes, but only by wealthy entities, and they would have to invest heavily in darkcoin to be able to do so, which would have the effect of strengthening the coin. I crunched some of the numbers, and you'd need a LOT of sybil nodes (50%+) to be able to snoop on a significant number of DS transactions where multiple mixing stages are employed. Which might be potentially feasible for a very motivated large organisation, but can be mitigated by specifying a high number of mixing stages (5-20).
Also, as the above poster pointed out, DOS on master nodes may be a problem. E.g. if an attacker DOS'd all the genuine master nodes successfully (which is unlikely, but this is hypothetical), only their own sybil nodes would remain, meaning anonymity is gone for that period. One way to mitigate this might be to have some network health indicators in the client. E.g. monitor the number of alive master nodes over time, and if it drops dramatically, have a little amber warning light on the send page to communicate that darksend transactions may be less secure. Or a graph of alive master nodes over time might be even better.
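One way the network health indicator suggested in the post above could work, as an added example that is not part of the original thread or the Darkcoin client: it compares each new count of reachable masternodes against a rolling median and reports amber on a sharp drop. The window, drop ratio, sample counts and the uniform-selection model in `all_stages_observed` are assumptions made for illustration.

```python
from collections import deque
from statistics import median


class MasternodeHealth:
    """Rolling check on how many masternodes answered the last poll."""

    def __init__(self, window=12, drop_ratio=0.5):
        # window and drop_ratio are assumed tuning values, not client settings.
        self.samples = deque(maxlen=window)
        self.drop_ratio = drop_ratio

    def observe(self, alive):
        """Record one poll result and return 'warming-up', 'ok' or 'amber'."""
        if len(self.samples) < self.samples.maxlen:
            self.samples.append(alive)
            return "warming-up"
        baseline = median(self.samples)
        if alive < baseline * self.drop_ratio:
            # Keep the low sample out of the baseline so a sustained outage
            # keeps warning instead of becoming the new normal.
            return "amber"
        self.samples.append(alive)
        return "ok"


def all_stages_observed(attacker_nodes, honest_alive, stages):
    """Chance that every mixing stage uses an attacker node.

    Simplified model (assumption): each stage picks one reachable
    masternode uniformly at random, independently of the others.
    """
    total = attacker_nodes + honest_alive
    if total <= 0 or stages < 1:
        raise ValueError("need at least one reachable node and one stage")
    return (attacker_nodes / total) ** stages


def run_samples(counts, window=4):
    """Feed a series of alive counts through a fresh monitor."""
    monitor = MasternodeHealth(window=window)
    return [monitor.observe(c) for c in counts]


if __name__ == "__main__":
    # Constructed sample data: a steady network, then most nodes go quiet.
    counts = [400, 410, 405, 395, 390, 150, 140, 398]
    for count, status in zip(counts, run_samples(counts)):
        print(f"{count:4d} alive -> {status}")
    print(all_stages_observed(100, 300, 5), all_stages_observed(100, 20, 5))
```

The second function shows why the drop matters under this model: with the attacker's node count unchanged, fewer reachable honest nodes raises the chance that every mixing stage is observed.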
I'm somewhat worried about the potential of DDOS attacks on the master nodes. DarkSend would be somewhat of a joke if no coins were being sent, or there were huge delays or interruptions from DDOS attacks.
I wrote this yesterday, but it seemed to get looked over.
Should there be some kind of Masternode basic requirements? One for sure being DDOS protection.
I'm worried that people could just forward the port on their home router direct to their Windows laptop and run a master node. I'm tempted to do so... but feel I should do it "right": purchase a new server with DDOS protection, firewall it, and secure it as much as I can.
I'm worried many will take the easy option, which could lead to a number of DDOS vulnerable masternodes, or they could turn the laptop off lol.
My unix rig is on 24/7, and could be a master node, but my home DSL certainly isn't DDOS protected, I have WRT custom firmware, firewall etc, but feel a master node deserves a proper VPS / server with DDOS protection etc.
Thoughts?