Punisher (v1.8.27)
Geth v1.8.27 is a hotfix release to counter an active attack on mainnet, mounted against newly joining Geth nodes doing fast sync (#19473).
- If you are already in sync with the network, you don't need to update.
- Archive nodes, light clients and full-sync full nodes don't need to update.
- If you are joining the network with a new node, then you do need to update.
Background
Fast sync is susceptible to a griefing variant of an eclipse attack: a malicious remote node tries to get a freshly started Geth node to fast sync to some short chain before the node discovers the real, heavier chain in the network. Geth then falls back to full sync for the main chain, which takes far longer than a fast sync would have.
This attack can only be meaningfully mounted against nodes that are properly exposed on a public IP address (i.e. not firewalled, not NATed). Even then, it is a race against the node finding good peers fast enough; once it has, the attack no longer works.
There is no economic advantage in pulling this attack off; it only causes sync annoyance. That said, there is currently a number of Parity nodes (at least 4 identified, maybe more) at 207.148.5.229 which are doing variations of this attack. It might be deliberate, or it might be leftover nodes from some experiment that only have a few blocks on their chain and subsequently disabled sync. A bit improbable.
Solution
This release repurposes the DAO challenge as a checkpoint challenge based on the recently hard-coded CHTs: a remote peer is asked for the header at the checkpoint block, and is dropped if the header it returns does not match the hard-coded one. It also makes the challenge stricter: while the node is fast-syncing, remote peers that cannot serve the checkpoint block (i.e. that are themselves synced below it) are not permitted either. This should also help sync the chain faster, by getting rid of stalling or useless peers.
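The checkpoint challenge described above, as an added illustration in Go. This is not Geth's own code: the `Peer` interface, the `HeaderByNumber` request, the peer constructors and the `ExampleCheckpoint` values are all constructed for the example, and the real challenge works over the p2p header messages rather than an in-memory map. What it shows is the two decisions this release makes: a peer that answers with a header at the checkpoint height but the wrong hash is always dropped, and in strict mode (while fast-syncing) a peer that cannot serve the checkpoint header at all is dropped too, whereas a synced node still tolerates it.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hash is a 32-byte block hash (a stand-in for Geth's common.Hash).
type Hash [32]byte

func hashOf(label string) Hash { return sha256.Sum256([]byte(label)) }

// Header is the minimal block header the challenge needs. The hard-coded
// checkpoint is itself a Header: the number and hash the chain must have there.
type Header struct {
	Number uint64
	Hash   Hash
}

// Peer models the remote side: a header-by-number request. ok == false means
// the peer has no block at that height (short chain, or still syncing below it).
type Peer interface {
	Name() string
	HeaderByNumber(n uint64) (Header, bool)
}

var ErrCheckpointMismatch = errors.New("checkpoint header hash mismatch: peer is on a different chain")
var ErrCheckpointMissing = errors.New("peer cannot serve the checkpoint header")

// CheckpointChallenge asks the peer for the header at the checkpoint height.
// A wrong hash always drops the peer. strict is set while we are fast-syncing:
// then a peer that cannot serve the checkpoint is dropped too, since it can
// only stall the sync or lure us onto a short chain; otherwise it is tolerated.
func CheckpointChallenge(p Peer, cp Header, strict bool) error {
	h, ok := p.HeaderByNumber(cp.Number)
	if !ok {
		if strict {
			return ErrCheckpointMissing
		}
		return nil
	}
	if h != cp {
		return ErrCheckpointMismatch
	}
	return nil
}

// FilterPeers runs the challenge on every candidate and returns the survivors' names.
func FilterPeers(peers []Peer, cp Header, strict bool) []string {
	var kept []string
	for _, p := range peers {
		if CheckpointChallenge(p, cp, strict) == nil {
			kept = append(kept, p.Name())
		}
	}
	return kept
}

// chainPeer is an in-memory peer holding a few constructed headers.
type chainPeer struct {
	name    string
	headers map[uint64]Header
}

func (c *chainPeer) Name() string { return c.name }
func (c *chainPeer) HeaderByNumber(n uint64) (Header, bool) {
	h, ok := c.headers[n]
	return h, ok
}

// ExampleCheckpoint is a hypothetical checkpoint, not a real CHT value.
var ExampleCheckpoint = Header{Number: 7500000, Hash: hashOf("canonical-7500000")}

func HonestPeer(cp Header) Peer {
	return &chainPeer{"honest", map[uint64]Header{cp.Number: cp}}
}

// ShortChainPeer is the attacker from the Background section: a node whose
// chain stops after a handful of blocks, so it has nothing at the checkpoint.
func ShortChainPeer() Peer {
	hs := map[uint64]Header{}
	for i := uint64(0); i < 10; i++ {
		hs[i] = Header{i, hashOf(fmt.Sprintf("short-%d", i))}
	}
	return &chainPeer{"short-chain", hs}
}

// ForkedPeer has a block at the checkpoint height, but on a different chain.
func ForkedPeer(cp Header) Peer {
	return &chainPeer{"forked", map[uint64]Header{cp.Number: {cp.Number, hashOf("fork-7500000")}}}
}

func main() {
	cp := ExampleCheckpoint
	peers := []Peer{HonestPeer(cp), ShortChainPeer(), ForkedPeer(cp)}
	fmt.Println("kept while fast-syncing (strict):  ", FilterPeers(peers, cp, true))
	fmt.Println("kept when already synced (lenient):", FilterPeers(peers, cp, false))
}
```

Running it keeps only the honest peer while fast-syncing and keeps the honest and short-chain peers once synced; the forked peer is dropped in both modes. A real client also has to treat a peer that never answers the header request within a timeout as failing the challenge; the example folds that case into the "no header" path.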
Geth binaries and mobile libraries are available on the Geth download page.