-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: Limit the number of outbound peer connections when dialing new peers #1850
Closed
Tracked by
#2867
Labels
A-network
Area: Network protocol updates or fixes
C-security
Category: Security issues
I-remote-node-overload
Zebra can overload other nodes on the network
Milestone
Comments
teor2345
added
C-bug
Category: This is a bug
A-rust
Area: Updates to Rust code
S-needs-triage
Status: A bug report needs triage
NU-5
Network Upgrade: NU5 specific tasks
P-High
C-security
Category: Security issues
I-heavy
Problems with excessive memory, disk, or CPU usage
I-slow
Problems with performance or responsiveness
I-unbounded-growth
Zebra keeps using resources, without any limit
labels
Mar 5, 2021
3 tasks
teor2345
changed the title
Limit the number of open connections in zebra-network
Limit the number of active peers in zebra-network
Mar 5, 2021
This was referenced Mar 5, 2021
6 tasks
teor2345
added
I-remote-node-overload
Zebra can overload other nodes on the network
P-Critical
and removed
P-High
labels
Mar 16, 2021
teor2345
modified the milestones:
2021 Sprint 6,
2021 Sprint 7,
2021 Sprint 8 - NU5 Testnet Activation
Mar 24, 2021
This was referenced Apr 13, 2021
We can fix this issue after the mempool works |
teor2345
added
A-network
Area: Network protocol updates or fixes
and removed
C-bug
Category: This is a bug
A-rust
Area: Updates to Rust code
NU-5
Network Upgrade: NU5 specific tasks
I-heavy
Problems with excessive memory, disk, or CPU usage
I-slow
Problems with performance or responsiveness
I-unbounded-growth
Zebra keeps using resources, without any limit
labels
Oct 19, 2021
This was referenced Oct 19, 2021
This was referenced Oct 20, 2021
6 tasks
mpguerra
added a commit
that referenced
this issue
May 19, 2023
mergify bot
pushed a commit
that referenced
this issue
May 23, 2023
* ZIPs were updated to remove ambiguity, this was tracked in #1267. * #2105 was fixed by #3039 and #2379 was closed by #3069 * #2230 was a duplicate of #2231 which was closed by #2511 * #3235 was obsoleted by #2156 which was fixed by #3505 * #1850 was fixed by #2944, #1851 was fixed by #2961 and #2902 was fixed by #2969 * We migrated to Rust 2021 edition in Jan 2022 with #3332 * #1631 was closed as not needed * #338 was fixed by #3040 and #1162 was fixed by #3067 * #2079 was fixed by #2445 * #4794 was fixed by #6122 * #1678 stopped being an issue * #3151 was fixed by #3934 * #3204 was closed as not needed * #1213 was fixed by #4586 * #1774 was closed as not needed * #4633 was closed as not needed * Clarify behaviour of difficulty spacing Co-authored-by: teor <teor@riseup.net> * Update comment to reflect implemented behaviour Co-authored-by: teor <teor@riseup.net> * Update comment to reflect implemented behaviour when retrying block downloads Co-authored-by: teor <teor@riseup.net> * Update `TODO` to remove closed issue and clarify when we might want to fix Co-authored-by: teor <teor@riseup.net> * Update `TODO` to remove closed issue and clarify what we might want to change in future Co-authored-by: teor <teor@riseup.net> * Clarify benefits of how we do block verification Co-authored-by: teor <teor@riseup.net> * Fix rustfmt errors --------- Co-authored-by: teor <teor@riseup.net>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
A-network
Area: Network protocol updates or fixes
C-security
Category: Security issues
I-remote-node-overload
Zebra can overload other nodes on the network
Motivation
Zebra has no limit on the number of open outbound connections. This is a remote distributed denial of service risk.
We're not currently seeing this attack on the network, but it might be easy for malicious nodes to trigger. So we should fix it soon.
Suggested Design
In
crawl_and_dial
, limit the number of outbound connections.peerset_initial_target_size
is an existingzebra-network
config. It's used to initialise theCandidateSet
's outbound peer connection demand.Edge Cases
Zebra should check and increase the connection limit as early as possible, before it uses any resources for the connection.
If a connection fails, the dialer puts the demand signal back in the demand channel. But if we do that when we're over the limit, we could cause an infinite busy-loop or deadlock.
We want Zebra to have more outbound than inbound connections, so we'll want to make the outbound limit slightly bigger than
peerset_initial_target_size
. We also want to avoid reaching this limit with just the initial seed peers.The text was updated successfully, but these errors were encountered: