Peter Todd [ARCHIVE] on Nostr: š Original date posted:2013-08-16 š Original message:On Fri, Aug 16, 2013 at ...
š
Original date posted:2013-08-16
š Original message:On Fri, Aug 16, 2013 at 03:41:54AM -1000, Warren Togami Jr. wrote:
> https://togami.com/~warren/archive/2013/example-bitcoind-dos-mitigation-via-iptables.txt
> *Anti-DoS Low Hanging Fruit: source IP or subnet connection limits*
> If you disallow the same IP and/or subnet from establishing too many TCP
> connections with your node, it becomes more expensive for attackers to use
> a single host exhaust a target node's resources. This iptables firewall
> based example has almost zero drawbacks, but it is too complicated for most
> people to deploy. Yes, there is a small chance that you will block
> legitimate connections, but there are plenty of other nodes for random
> connections to choose from. Configurable per source IP and source subnet
> limits with sane defaults enforced by bitcoind itself would be a big
> improvement over the current situation where one host address can consume
> limited resources of many target nodes.
Have you looked into what it would take to just apply the IP diversity
tests for outgoing connections to incoming connections? The code's
already there...
--
'peter'[:-1]@petertodd.org
0000000000000018dcf5bcc3f018a05517ba1c479b432ba422015d4506496e55
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130816/677730d8/attachment.sig>
š Original message:On Fri, Aug 16, 2013 at 03:41:54AM -1000, Warren Togami Jr. wrote:
> https://togami.com/~warren/archive/2013/example-bitcoind-dos-mitigation-via-iptables.txt
> *Anti-DoS Low Hanging Fruit: source IP or subnet connection limits*
> If you disallow the same IP and/or subnet from establishing too many TCP
> connections with your node, it becomes more expensive for attackers to use
> a single host exhaust a target node's resources. This iptables firewall
> based example has almost zero drawbacks, but it is too complicated for most
> people to deploy. Yes, there is a small chance that you will block
> legitimate connections, but there are plenty of other nodes for random
> connections to choose from. Configurable per source IP and source subnet
> limits with sane defaults enforced by bitcoind itself would be a big
> improvement over the current situation where one host address can consume
> limited resources of many target nodes.
Have you looked into what it would take to just apply the IP diversity
tests for outgoing connections to incoming connections? The code's
already there...
--
'peter'[:-1]@petertodd.org
0000000000000018dcf5bcc3f018a05517ba1c479b432ba422015d4506496e55
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130816/677730d8/attachment.sig>