Limit new peer connection rate #1847

Closed
3 tasks done
teor2345 opened this issue Mar 5, 2021 · 0 comments · Fixed by #1855
Labels
A-rust Area: Updates to Rust code C-bug Category: This is a bug C-security Category: Security issues I-heavy Problems with excessive memory, disk, or CPU usage I-slow Problems with performance or responsiveness I-unbounded-growth Zebra keeps using resources, without any limit NU-5 Network Upgrade: NU5 specific tasks
Comments

teor2345 commented Mar 5, 2021

Is your feature request related to a problem? Please describe.

Zebra doesn't limit its outbound connection rate. This is a distributed denial of service risk.

Describe the solution you'd like

  • Make CandidateSet.next() into an async function
  • Add a timer that yields 1 peer every 0.1 seconds
  • Update the docs on new_peer_interval so it's clear that it's the crawl interval, not the peer connection rate limit

Describe alternatives you've considered

This is a critical security issue, so we must do something.

We could limit the connection rate in crawl_and_dial, but that risks a DDoS in any other future users of CandidateSet.

Similarly, we could attempt to limit the connection rate in other parts of the network stack, but that risks future refactors or bugs causing a DDoS.

Additional context

zcashd does not have this issue.
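The rate limit sketched in the solution above, written out as an added example. This is not Zebra's code and not the fix from #1855: `RateLimitedCandidateSet`, its fields, `next_at` and `sample_peers` are assumed names standing in for Zebra's `CandidateSet`, and the pacing is shown with a blocking, std-only `next()` plus a clock-injected variant rather than the async `next()` and timer the issue proposes. The point it demonstrates is the one the issue makes about placement: the limit lives inside the candidate set, so every consumer is covered, not only `crawl_and_dial`.

```rust
use std::collections::VecDeque;
use std::net::SocketAddr;
use std::thread::sleep;
use std::time::{Duration, Instant};

/// The spacing proposed in the issue: at most one new peer every 0.1 seconds.
pub const MIN_PEER_CONNECTION_INTERVAL: Duration = Duration::from_millis(100);

/// Hypothetical stand-in for Zebra's `CandidateSet` (assumed name and shape):
/// a queue of peer addresses the crawler would dial, which refuses to hand out
/// peers faster than `min_interval` allows.
pub struct RateLimitedCandidateSet {
    candidates: VecDeque<SocketAddr>,
    /// When the most recent peer was yielded; `None` before the first one.
    last_yield: Option<Instant>,
    min_interval: Duration,
}

impl RateLimitedCandidateSet {
    pub fn new(candidates: Vec<SocketAddr>, min_interval: Duration) -> Self {
        Self {
            candidates: candidates.into(),
            last_yield: None,
            min_interval,
        }
    }

    /// How long the caller must still wait at `now` before another peer may be
    /// yielded. Zero before the first peer and once `min_interval` has elapsed.
    pub fn delay_until_ready(&self, now: Instant) -> Duration {
        match self.last_yield {
            None => Duration::from_secs(0),
            Some(last) => self
                .min_interval
                .saturating_sub(now.saturating_duration_since(last)),
        }
    }

    /// Clock-injected variant for simulation and tests: returns the next peer if
    /// the interval has elapsed at `now`, or the remaining wait if it has not.
    /// Enforcing the limit here means any future user of the set is covered too.
    pub fn next_at(&mut self, now: Instant) -> Result<Option<SocketAddr>, Duration> {
        let delay = self.delay_until_ready(now);
        if delay > Duration::from_secs(0) {
            return Err(delay);
        }
        let peer = self.candidates.pop_front();
        if peer.is_some() {
            self.last_yield = Some(now);
        }
        Ok(peer)
    }

    /// Blocking analogue of the async `next()` the issue proposes: sleeps until
    /// the interval has elapsed, then yields the next peer (`None` when empty).
    pub fn next(&mut self) -> Option<SocketAddr> {
        loop {
            match self.next_at(Instant::now()) {
                Ok(peer) => return peer,
                Err(remaining) => sleep(remaining),
            }
        }
    }
}

/// Constructed sample peers in the TEST-NET-1 documentation range; the port is
/// Zcash's mainnet p2p port, but nothing here opens a connection.
pub fn sample_peers() -> Vec<SocketAddr> {
    ["192.0.2.1:8233", "192.0.2.2:8233", "192.0.2.3:8233"]
        .iter()
        .map(|s| s.parse().expect("constructed address is valid"))
        .collect()
}

fn main() {
    let mut set = RateLimitedCandidateSet::new(sample_peers(), MIN_PEER_CONNECTION_INTERVAL);
    let start = Instant::now();
    // Draining three peers takes at least two full intervals (about 200 ms).
    while let Some(peer) = set.next() {
        println!("{:>6} ms: dialing {}", start.elapsed().as_millis(), peer);
    }
}
```

`next_at` separates the pacing decision from the clock, which is what makes the limit unit-testable without real sleeps; the same split carries over to an async version, where the `Err(remaining)` arm becomes an awaited timer instead of `sleep`.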

@teor2345 teor2345 added C-bug Category: This is a bug A-rust Area: Updates to Rust code C-enhancement Category: This is an improvement S-needs-triage Status: A bug report needs triage NU-5 Network Upgrade: NU5 specific tasks P-Critical I-heavy Problems with excessive memory, disk, or CPU usage I-slow Problems with performance or responsiveness I-unbounded-growth Zebra keeps using resources, without any limit labels Mar 5, 2021
@teor2345 teor2345 added this to the 2021 Sprint 4 milestone Mar 5, 2021
@teor2345 teor2345 added C-security Category: Security issues and removed C-enhancement Category: This is an improvement labels Mar 5, 2021
@yaahc yaahc self-assigned this Mar 5, 2021
@mpguerra mpguerra removed the S-needs-triage Status: A bug report needs triage label Mar 8, 2021