Skip to content

Latest commit

 

History

History
131 lines (94 loc) · 7.74 KB

mitigations.md

File metadata and controls

131 lines (94 loc) · 7.74 KB

Mitigation Strategies Analysis for ipfs/go-ipfs

Mitigation Strategy: Strong Preference for Pinned Content and Mutable Pointers (IPNS/DNSLink) with Signature Verification

Description:

  1. Identify Critical Data: Determine which data your application absolutely relies on.
  2. Pin Critical Data: Use the go-ipfs pin add <CID> command (or the equivalent API call) to pin this data on your go-ipfs node(s).
  3. Create Mutable Pointers (IPNS): For data that needs updates, use IPNS. Use go-ipfs name publish <CID> to create an IPNS record. This generates a key pair; the public key is the IPNS identifier.
  4. Update Content (IPNS): When updating, publish the new CID using go-ipfs name publish --key=<key-name> <new-CID>. Use the private key associated with the IPNS record.
  5. Signature Verification (IPNS): Crucially, before resolving an IPNS name, verify its signature using go-ipfs's API. This involves:
    • Retrieving the IPNS record.
    • Extracting the public key.
    • Verifying the signature using the public key.
    • Only if valid, resolve the IPNS name to the CID.
  6. Regular Key Rotation (IPNS): Periodically rotate IPNS keys using go-ipfs key commands to mitigate key compromise risk.

  • Threats Mitigated:

    • Malicious Data Injection (High Severity): Prevents attackers from tricking the application into using a malicious CID by hijacking an IPNS name.
    • Data Corruption (High Severity): Ensures retrieval of intended data.
    • Data Unavailability (Medium Severity): Pinning ensures local data availability.

  • Impact:

    • Malicious Data Injection: Risk significantly reduced due to signature verification.
    • Data Corruption: Risk significantly reduced.
    • Data Unavailability: Risk reduced (local garbage collection protection).

  • Currently Implemented:

    • Example: "IPNS is used for the application's configuration file, with signature verification in config.go. Pinning is used for the core binary, managed by deploy.sh."

  • Missing Implementation:

    • Example: "IPNS is not used for user-generated content. Key rotation for IPNS is not automated."

Mitigation Strategy: Redundant Pinning

Description:

  1. Multiple Pinning Nodes: Set up multiple go-ipfs nodes.
  2. Pin to All Nodes: Pin critical data to all of these nodes using go-ipfs pin add <CID> on each node.

  • Threats Mitigated:

    • Data Unavailability (Medium Severity): Increases the likelihood of data availability.

  • Impact:

    • Data Unavailability: Risk significantly reduced due to redundancy.

  • Currently Implemented:

    • Example: "Data is pinned to two geographically diverse nodes."

  • Missing Implementation:

    • Example: "Automated health checks for pinning nodes are not implemented."

Mitigation Strategy: Careful Peer Selection and Bootstrapping

Description:

  1. Curated Bootstrap List: Create a custom list of trusted bootstrap nodes instead of using the default go-ipfs list. Update this list regularly. This is done by modifying the Bootstrap list in the go-ipfs configuration file.
  2. Peer Filtering: Use go-ipfs's API to filter peers based on:
    • Latency: Prefer low-latency peers.
    • Protocols: Connect only to peers supporting necessary protocols.
    • Blacklist/Whitelist: Maintain lists of known-bad/good peers (using go-ipfs swarm peers and related commands for management).
  3. Limit Connections: Configure go-ipfs (via the configuration file, specifically the Swarm.ConnMgr section) to limit the number of concurrent connections. Adjust Swarm.ConnMgr.HighWater and Swarm.ConnMgr.LowWater.

  • Threats Mitigated:

    • Connecting to Malicious Nodes (Medium Severity): Reduces the chance of connecting to malicious nodes.
    • Denial-of-Service (DoS) (Low Severity): Limiting connections helps prevent resource exhaustion.

  • Impact:

    • Connecting to Malicious Nodes: Risk reduced.
    • Denial-of-Service (DoS): Risk slightly reduced.

  • Currently Implemented:

    • Example: "A curated bootstrap list is used. Connection limits are set in the go-ipfs config. Latency-based filtering is in peer_manager.go."

  • Missing Implementation:

    • Example: "A peer reputation system is not implemented."

Mitigation Strategy: Rate Limiting and Resource Quotas (within go-ipfs)

Description:

  1. go-ipfs Configuration: Configure go-ipfs (via the configuration file) to limit:
    • Connections: Maximum concurrent connections (Swarm.ConnMgr).
    • Requests: Number of requests per peer per time unit (This is less directly configurable in go-ipfs itself and often requires external tools, but connection limits indirectly affect this).
    • Bandwidth: Inbound and outbound bandwidth per peer (Swarm.ResourceMgr - though fine-grained per-peer control is limited; system-level tools are often better for this).
    • Resource usage: Configure circuit relay v2 with reservations and limits.

  • Threats Mitigated:

    • Denial-of-Service (DoS) (Medium Severity): Prevents resource exhaustion.

  • Impact:

    • Denial-of-Service (DoS): Risk reduced (within the capabilities of go-ipfs's internal limits).

  • Currently Implemented:

    • Example: "go-ipfs is configured with connection and bandwidth limits in the configuration file."

  • Missing Implementation:

    • Example: "Fine-grained per-peer request rate limiting is not directly implemented within go-ipfs."

Mitigation Strategy: Stay Updated

Description:

  1. Regular Updates: Update go-ipfs to the latest stable version using the appropriate package manager or by downloading and installing the new version.

  • Threats Mitigated:

    • Exploitation of go-ipfs Vulnerabilities (High Severity): Reduces the risk of exploiting known vulnerabilities.

  • Impact:

    • Exploitation of go-ipfs Vulnerabilities: Risk significantly reduced.

  • Currently Implemented:

    • Example: "A process is in place to update go-ipfs weekly."

  • Missing Implementation:

    • Example: "No specific examples, as this is a fundamental practice."

Mitigation Strategy: Secure Gateway Configuration (If Applicable)

Description:

  1. Disable Unnecessary Features: If running a gateway, disable unneeded features via command-line flags or the configuration file. For example, use --disable-writeable-gateway if you only need to serve content.
  2. Authentication and Authorization: If the gateway requires administrative access, configure authentication and authorization within the go-ipfs configuration (though this is often better handled by a reverse proxy in front of go-ipfs).

  • Threats Mitigated:

    • Unauthorized Access (High Severity): Prevents unauthorized modification of the gateway.
    • Exploitation of Gateway Vulnerabilities (High Severity): Reduces the attack surface.

  • Impact:

    • All Threats: Risk reduced by limiting functionality and securing access.

  • Currently Implemented:

    • Example: "The gateway runs with --disable-writeable-gateway."

  • Missing Implementation:

    • Example: "More robust authentication (beyond basic auth) within go-ipfs is not configured."