Security: Limit the number of initial connection attempts to seed peers #2900

Closed
Tracked by #2867
teor2345 opened this issue Oct 18, 2021 · 0 comments · Fixed by #2913
Labels
A-network Area: Network protocol updates or fixes C-security Category: Security issues I-remote-node-overload Zebra can overload other nodes on the network

Comments

@teor2345
Contributor

teor2345 commented Oct 18, 2021

Motivation

Sometimes, Zebra can get over a hundred IP addresses from the DNS seeders.
Then Zebra attempts to connect to each of these IP addresses.

If Zebra gets caught in a restart loop, this is a denial of service risk.

This might also fix bugs like #2905, if the hang happens because a channel is full.

Suggested Design

Limit the number of initial seed IP addresses to peerset_initial_target_size in add_initial_peers. This applies the rate limit before Zebra does any work.

peerset_initial_target_size is an existing zebra-network config. It's used to initialise the CandidateSet's outbound peer connection demand.

Edge Cases

The limit shouldn't favour IPv4 or IPv6 addresses.

We should impose the limit before we connect to any peers. That way, we do as little work as possible on dropped addresses.

Rejected Alternatives

We could use the channel mechanism from #2904, but it's more complicated. It might also be more fragile while Zebra is starting up, because some channels block until Zebra has done its first crawl.

Related Work

These tickets modify the same functions as this ticket:

@teor2345 teor2345 added C-bug Category: This is a bug A-rust Area: Updates to Rust code S-needs-triage Status: A bug report needs triage P-High C-security Category: Security issues I-heavy Problems with excessive memory, disk, or CPU usage I-slow Problems with performance or responsiveness I-remote-node-overload Zebra can overload other nodes on the network labels Oct 18, 2021
@teor2345 teor2345 added this to the 2021 Sprint 21 milestone Oct 18, 2021
@teor2345 teor2345 changed the title Security: Limit the number of initial connection attempts to DNS seed peers Security: Limit the number of initial connection attempts to seed peers Oct 19, 2021
@teor2345 teor2345 added A-network Area: Network protocol updates or fixes and removed I-heavy Problems with excessive memory, disk, or CPU usage I-slow Problems with performance or responsiveness C-bug Category: This is a bug A-rust Area: Updates to Rust code labels Oct 19, 2021
@oxarbitrage oxarbitrage self-assigned this Oct 19, 2021
@mpguerra mpguerra removed the S-needs-triage Status: A bug report needs triage label Oct 29, 2021
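
The suggested design and edge cases in the issue above, sketched as an added example (not Zebra's code and not the fix merged in #2913): cap the seed address list with a uniform random sample before any connection is attempted, so neither IPv4 nor IPv6 is favoured. The function names, the SplitMix64 generator standing in for a `rand` dependency, and the sample addresses are assumptions.

```rust
use std::collections::hash_map::RandomState;
use std::hash::{BuildHasher, Hasher};
use std::net::SocketAddr;

// Added example: all function names here are hypothetical, not Zebra's API.
/// SplitMix64 step: a small std-only PRNG, used in place of the `rand` crate.
fn next_u64(state: &mut u64) -> u64 {
    *state = state.wrapping_add(0x9E37_79B9_7F4A_7C15);
    let mut z = *state;
    z = (z ^ (z >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
    z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
    z ^ (z >> 31)
}

/// Keep at most `limit` addresses, chosen uniformly at random, so neither the
/// address family nor the position in the seeder response is favoured.
fn limit_initial_peers_seeded(mut addrs: Vec<SocketAddr>, limit: usize, seed: u64) -> Vec<SocketAddr> {
    addrs.sort();
    addrs.dedup();
    let keep = limit.min(addrs.len());
    let mut state = seed;
    // Partial Fisher-Yates shuffle: only the first `keep` slots are drawn.
    for i in 0..keep {
        let remaining = (addrs.len() - i) as u64;
        let j = i + (next_u64(&mut state) % remaining) as usize;
        addrs.swap(i, j);
    }
    addrs.truncate(keep);
    addrs
}

/// Entry point: seeds the sampler from the per-process random hasher keys.
fn limit_initial_peers(addrs: Vec<SocketAddr>, limit: usize) -> Vec<SocketAddr> {
    let seed = RandomState::new().build_hasher().finish();
    limit_initial_peers_seeded(addrs, limit, seed)
}

/// Constructed sample: `n` IPv4 and `n` IPv6 documentation-range addresses.
fn sample_seed_addrs(n: u16) -> Vec<SocketAddr> {
    let v4 = (0..n).map(|i| format!("192.0.2.{}:8233", i).parse::<SocketAddr>().unwrap());
    let v6 = (0..n).map(|i| format!("[2001:db8::{:x}]:8233", i).parse::<SocketAddr>().unwrap());
    v4.chain(v6).collect()
}

fn main() {
    let kept = limit_initial_peers(sample_seed_addrs(100), 25);
    let v4 = kept.iter().filter(|a| a.is_ipv4()).count();
    println!("kept {} of 200 addresses ({} IPv4, {} IPv6)", kept.len(), v4, kept.len() - v4);
}
```

Truncating the list as received would keep whichever family the seeder happened to list first; sampling before the connection loop drops the surplus addresses without doing any work on them.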