DoS protection: Weighted random drop of txs if mempool full

[Eirik0]

No description provided.

[daira]

I didn't do a full review, but this looks to be along the right lines.

[Eirik0]

This is the implementation for zcash/zips#275

[Eirik0]

I rewrote the representation of the collection of transactions/weights because I was concerned about performance when removing transactions from the mempool. In the first iteration we rebuild the complete list of weighted transactions each time a transaction was removed from the mempool. Now, we store the transactions in a tree and are able to add and remove transactions from the collection in logarithmic time.

I also did some more cleanup and rebased on to master now that #4060 has been merged.

[zebambam]

I don't understand some of the locking and also the considerations that go into the RecentlyEvictedList constants. Would be great if we can talk about those so that I can give this a better review.

[zebambam]

So.. we just overwrite anything existing in there? This seems like someone could fill up the RecentlyEvictedList with permutations of (malleable) transactions and we still end up in DoS. What have I missed?

[ebfull]

Note that the RecentlyEvictedList is not intended to mitigate intentional DoS.

[str4d]

It's a ring buffer, so by design it eventually overwrites itself if it is being filled more quickly than the entries expire. RecentlyEvictedList clearly can't be an unbounded buffer, or it would itself be a DoS vector. The question is how large the buffer's bound should be.

[Eirik0]

We could make the size of the recently evicted list configurable, but I am not sure about how beneficial that would be.

[zebambam]

I don't understand the considerations that went into this figure.

[daira]

They're described in the draft ZIP.

[ebfull]

Just did a brief first pass...

I think there need to be more comments explaining the purpose of each piece of the API and the algorithms. As it stands I have to reverse engineer the intentions behind much of the code and understand each edge case you are addressing.

[ebfull]

This should never happen anyway, right?

[Eirik0]

In testing I found that this does actually happen - somewhere remove is being called on transactions that have already been removed. I did not research where or why, but as it stands this is necessary.

[daira]

Please file a ticket to investigate this.

[Eirik0]

I created #4159, but I question how much time it is worth spending on this.

[ebfull]

Should these instead be folded into RecursiveDynamicUsage?

[str4d]

Yes, they should be (this is another example of inherited logic we've not fully integrated Zcash changes into).

Also, JOINSPLIT_SIZE now depends on the network upgrade level (which means that we computing it, we should amend the computation to trigger the post-Sapling serialization logic in the same way we amend the logic in the transaction serialization itself).

[Eirik0]

Should this be fixed as part of this issue, or can it be done as follow up?

[Eirik0]

If we did this as follow up, we could also incorporate this in to z_mergetoaddress which does its own tx size estimation.

[str4d]

Yes, they should be (this is another example of inherited logic we've not fully integrated Zcash changes into).

Also, JOINSPLIT_SIZE now depends on the network upgrade level (which means that we computing it, we should amend the computation to trigger the post-Sapling serialization logic in the same way we amend the logic in the transaction serialization itself).

[str4d]

It's a ring buffer, so by design it eventually overwrites itself if it is being filled more quickly than the entries expire. RecentlyEvictedList clearly can't be an unbounded buffer, or it would itself be a DoS vector. The question is how large the buffer's bound should be.

[daira]

reACK modulo some minor comments, and the issue about parameter names relative to the ZIP. Nice doc improvements.

[Eirik0]

@zkbot try

[zkbot]

⌛ Trying commit e744cec with merge 5c0b3a6...

[zkbot]

💔 Test failed - pr-try

[Eirik0]

Intermittent failures.

[LarryRuane]

Sorry, but I think the old way is better, because, as Eirik suspected, . does seem to have a special meaning at least in Bitcoin:
https://github.com/bitcoin/bitcoin/blob/b6e34afe9735faf97d6be7a90fafd33ec18c0cbb/src/util/system.cpp#L291
https://github.com/bitcoin/bitcoin/blob/b6e34afe9735faf97d6be7a90fafd33ec18c0cbb/src/util/system.cpp#L439
https://github.com/bitcoin/bitcoin/blob/b6e34afe9735faf97d6be7a90fafd33ec18c0cbb/src/util/system.cpp#L827

I think this relates to "sections" of the configuration file. We haven't merged that yet, but we could someday.

[Eirik0]

I removed the . and _.

[Eirik0]

@zkbot r+

[zkbot]

📌 Commit 40a7156 has been approved by Eirik0

[zkbot]

⌛ Testing commit 40a7156 with merge 0b0c724cde98061fe98ab5acf543f9dcef0d45cb...

[zkbot]

💔 Test failed - pr-merge

[Eirik0]

Passed on some workers but not others, looks like transient failures.

Running 310 test cases...
0%   10   20   30   40   50   60   70   80   90   100%
|----|----|----|----|----|----|----|----|----|----|
***************************�[0;39;49
m************
********test/rpc_wallet_tests.cpp(294): error: in "rpc_wallet_tests/rpc_wallet": unexpected exception thrown by CallRPC("getblock 0")
test/rpc_wallet_tests.cpp(295): error: in "rpc_wallet_tests/rpc_wallet": unexpected exception thrown by CallRPC("getblock 0 0")
test/rpc_wallet_tests.cpp(296): error: in "rpc_wallet_tests/rpc_wallet": unexpected exception thrown by CallRPC("getblock 0 1")
test/rpc_wallet_tests.cpp(297): error: in "rpc_wallet_tests/rpc_wallet": unexpected exception thrown by CallRPC("getblock 0 2")
****
*** 4 failures are detected in the test module "Bitcoin Test Suite"

I am less familiar with the above transient failure, but those tests pass for me locally.

[Eirik0]

@zkbot retry

[zkbot]

⌛ Testing commit 40a7156 with merge fffd5da...

[zkbot]

☀️ Test successful - pr-merge
Approved by: Eirik0
Pushing fffd5da to master...

[rex4539]

Merging this broke the compilation on macOS #4164