Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: Track the number of open connections in Zebra #2903

Closed
Tracked by #2867
teor2345 opened this issue Oct 19, 2021 · 0 comments · Fixed by #2912
Closed
Tracked by #2867

Security: Track the number of open connections in Zebra #2903

teor2345 opened this issue Oct 19, 2021 · 0 comments · Fixed by #2912
Assignees
@teor2345
Labels
A-network Area: Network protocol updates or fixes C-security Category: Security issues I-remote-node-overload Zebra can overload other nodes on the network
Milestone
2021 Sprint 21

Comments

@teor2345
Copy link
Contributor

teor2345 commented Oct 19, 2021
edited
Loading

Motivation

To limit the number of connections in Zebra, we need to be able to track how many open connections there are.

Suggested Design

  1. In zebra_network::init, create:

    • a variable that tracks the number of open connections
    • a mpsc channel that gets a signal when a Connection is dropped

  2. Get the channel from zebra_network::init to each Connection

  3. In Connection, send a signal on the channel when each connection is dropped.

Edge Cases

Zebra should check and increase the connection limit as early as possible, before it uses any resources for the connection.

Zebra should send the drop signal as late as possible, after it has dropped everything else that's used by the connection.

Rejected Alternatives

We could limit the number of AddressBook peers in the Responded state. But this doesn't work for inbound connections, because some PeerSet addresses aren't stored in the address book. (Including the null address, and addresses from peers that don't advertise the NODE service bit.)

We could limit the number of PeerSet inbound and outbound peers peers in the Responded state. But there could be a significant delay between PeerSet peers getting dropped, and the corresponding Connection getting dropped. (We can't be sure that the generic is an owned Connection. And the tasks and channels might be slow under load.)
@teor2345 teor2345 added C-enhancement Category: This is an improvement S-needs-triage Status: A bug report needs triage A-network Area: Network protocol updates or fixes C-security Category: Security issues I-remote-node-overload Zebra can overload other nodes on the network P-High and removed C-enhancement Category: This is an improvement labels Oct 19, 2021
@teor2345 teor2345 added this to the 2021 Sprint 21 milestone Oct 19, 2021
This was referenced Oct 19, 2021
Closed
Closed
@teor2345 teor2345 self-assigned this Oct 19, 2021
@teor2345 teor2345 mentioned this issue Oct 20, 2021
Merged
4 tasks
@mpguerra mpguerra removed the S-needs-triage Status: A bug report needs triage label Oct 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@teor2345 teor2345

Labels
A-network Area: Network protocol updates or fixes C-security Category: Security issues I-remote-node-overload Zebra can overload other nodes on the network
Projects
None yet
Milestone
2021 Sprint 21
Development

Successfully merging a pull request may close this issue.

Track the number of active inbound and outbound peer connections ZcashFoundation/zebra
2 participants
@mpguerra @teor2345