« All posts

Hardening Kademlia DHT: Signing Alone Won't Stop Eclipse

A signed-record fix in py-libp2p blocks forged PeerRecords, but Kademlia routing stays exposed to Sybil/Eclipse attacks; S/Kademlia's disjoint lookup paths offer a practical fix.

A recent py-libp2p fix bound signed PeerRecords to their signer's identity, closing a record-forgery hole. But as a systems engineer pointed out, that patch leaves Kademlia's real weak spot untouched: eclipse and Sybil attacks don't require forging anything. Since libp2p peer IDs are derived directly from public keys, an attacker can mint thousands of valid IDs in seconds, keep the ones closest in XOR distance to a target key, and quietly take over honest nodes' routing tables — all while every message stays validly signed, sailing past the existing check.

The piece walks through the two countermeasures proposed by the S/Kademlia paper (Baumgart & Mies, 2007): proof-of-work-constrained peer IDs, and disjoint lookup paths. The first would require a spec-level change across every libp2p implementation, making it out of reach for a single library. The second, however, needs no protocol changes at all — it just restructures how lookups are run, splitting them into independent, non-overlapping search paths so an attacker must control proportionally more fake identities to eclipse a node.

A code review found that py-libp2p currently has only attack simulations, using fake string IDs that never touch the real routing table — no actual defense exists yet. The author outlines plans to add disjoint-path lookups to the core routing logic and subnet-diversity checks to k-buckets, which would mark the first real (non-simulated) eclipse mitigation in py-libp2p. rust-libp2p, by contrast, has shipped disjoint paths since 2020.