Hey Everyone,

A lot of pressure rides on AttemptToEvictConnection() because it is used to limit the impact of eclipsing attacks. With continued centralization, fair connection formation becomes a bigger concern. I am curious how other members of the community feel about the preferential treatment and odd comments found in AttemptToEvictConnection(). In short, the concern is that an adversary that intends to provide the useful service of data-arbitrage will have preferential treatment in the formation of the network.

https://github.com/bitcoin/bitcoin/blame/df2129a2349b1877049f250551f49a4592e73765/src/net.cpp#L946-L981

Line 948:
// An attacker cannot predict which netgroups will be protected
->
Perhaps not, but the attacker can have more netgroups than node slots, and this can be optimized for. Simply being in different places does not mean the nodes are honest or safe. This is probably a good check to have, but it should not say an "attacker cannot", as this is misleading.

Line 952:
// An attacker cannot manipulate this metric without physically moving nodes closer to the target.
->
Yes, that is exactly what the attacker will do. An attacker can run tcp-traceroute on the network to find where miners clump up, and run a malicious message-relay in a nearby datacenter. With a financial motive it is cheaper to run a low-cost message relay than a mining node.


Line 955:
// Protect 4 nodes that most recently sent us novel transactions accepted into our mempool. Add recently accepted blocks and txn to AttemptToEvictConnection.
// An attacker cannot manipulate this metric without performing useful work
->
If an honest node sees a novel transaction from a new incoming connection, it will be less likely to remove it. A dishonest centralized service can preemptively send novel transactions as part of the handshake for new hosts; this will improve the odds of the connection staying open and cutting contact with an honest node.


Line 962:
// Protect 4 nodes that most recently sent us novel blocks.
// An attacker cannot manipulate this metric without performing useful work.
->
This code has the assumption that an adversary will play by the rules. An attacker will manipulate this metric with the data-arbitrage of novel blocks. An attacker can move newly created blocks from the source (large mining pools) to all parts of the network, which can be used to garner value within the connection pool of new hosts.


All of the above checks, except for the one starting on line 948, are subject to a race condition.

All the best,
Michael
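As an added illustration (not Michael's code and not Bitcoin Core's), here is a small Python model of the protection stages in the linked AttemptToEvictConnection(): a peer whose novel-tx and novel-block timestamps are the freshest is taken out of the eviction candidates before the connection-age and netgroup rules ever see it. The peer names, the secret netgroup key and the sample peers are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of the eviction stages discussed above; not Bitcoin Core's code.
# Protection limits follow the linked net.cpp: 4 by netgroup, 8 by ping, 4 tx, 4 block.
NETGROUP_KEY = b"constructed-secret"  # stands in for the node's private netgroup hash key

@dataclass
class Peer:
    name: str
    netgroup: str      # e.g. an IPv4 /16
    min_ping: float    # best observed ping, seconds
    last_tx: int       # time this peer last relayed a tx we accepted into the mempool
    last_block: int    # time this peer last relayed a block we had not seen
    connected: int     # time the inbound connection was established

def keyed_netgroup(p: Peer) -> bytes:
    """Secret-keyed ordering, so the protected netgroups are not predictable from outside."""
    return hashlib.sha256(NETGROUP_KEY + p.netgroup.encode()).digest()

def protect(cands, score, n):
    """Drop the n highest-scoring peers from the candidate list: they are protected."""
    cands = sorted(cands, key=score)
    return cands[:max(0, len(cands) - n)]

def eviction_candidates(peers):
    """Apply the protection stages in order; whatever remains may be evicted."""
    cands = protect(list(peers), keyed_netgroup, 4)      # 4 by keyed netgroup
    cands = protect(cands, lambda p: -p.min_ping, 8)    # 8 with the best ping
    cands = protect(cands, lambda p: p.last_tx, 4)      # 4 most recent novel tx
    cands = protect(cands, lambda p: p.last_block, 4)   # 4 most recent novel block
    return protect(cands, lambda p: -p.connected, len(cands) // 2)  # longest-connected half

def select_eviction(peers):
    """Evict the youngest connection in the most populated remaining netgroup."""
    cands = eviction_candidates(peers)
    if not cands:
        return None
    groups = {}
    for p in cands:
        groups.setdefault(p.netgroup, []).append(p)
    target = max(groups.values(), key=lambda g: (len(g), max(q.connected for q in g)))
    return max(target, key=lambda p: p.connected)

def demo_peers():
    """Constructed sample: 23 ordinary inbound peers plus one that connected last,
    has the worst ping, but carries the freshest novel-tx and novel-block timestamps."""
    peers = [Peer(f"p{i}", f"10.{i % 6}.0.0/16", 0.05 + 0.01 * i, 1000 + i, 900 + i, 100 + i)
             for i in range(23)]
    peers.append(Peer("fresh-relay", "203.0.113.0/16", 0.9, 5000, 5000, 999))
    return peers
```

Whatever the secret netgroup key is, `fresh-relay` never appears in `eviction_candidates(demo_peers())`: if the netgroup stage does not protect it, the tx stage does.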