8000 Research libp2p DDoS attack mitigation · Issue #538 · ObolNetwork/charon · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Research libp2p DDoS attack mitigation #538

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
corverroos opened this issue May 15, 2022 · 1 comment
Open

Research libp2p DDoS attack mitigation #538

corverroos opened this issue May 15, 2022 · 1 comment
Labels
protocol Protocol Team tickets security

Comments

@corverroos
Copy link
Contributor

Problem to be solved

Charon nodes in a cluster communicate via libp2p. There are multiple libp2p protocols inside charon (dkg/qbft/ping/parsigex). A Byzantine node can DDoS other nodes by spamming them with valid (or invalid) connections and messages, causing OOM and or CPU problems.

DDoS can happen on the following resources:

  • Number of libp2p connections
  • Number of messages per connection
  • Size of messages

This is however a common problem, so there might be existing solutions to the problem.

Proposed solution

  • Research different ways to mitigate DDoS attacks (by Byzantine cluster peers).
  • Look at libp2p connmgr.ConnManager to limit connections
  • Look at libp2p network.ResourceManager to limit memory, streams, connections, and file descriptors
  • Look at something like for bandwith throttling: https://github.com/corverroos/rateconn
  • Look at custom message rate limiters and custom message size rate limiters (both detecting and then throttling)

Write a document with findings and recommendations.

Out of Scope

Nothing needs to be implemented yet.
@corverroos corverroos added question Further information is requested Let's discuss labels May 15, 2022
@thomasheremans thomasheremans added the protocol Protocol Team tickets label Jan 23, 2023
@corverroos
Copy link
Contributor Author

Note that one way to attack peers is to send future duties over libp2p protocols. We drop expired duties, but we do not have a "max future duty" limit or logic yet. So this could be used to spam and overload memory.

@KaloyanTanev KaloyanTanev added security and removed question Further information is requested Let's discuss next-sprint-candidate labels Apr 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
protocol Protocol Team tickets security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@KaloyanTanev @corverroos @boulder225 @thomasheremans
0