From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VAKfx-0000Ka-PX for bitcoin-development@lists.sourceforge.net; Fri, 16 Aug 2013 14:06:49 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of petertodd.org designates 62.13.148.111 as permitted sender) client-ip=62.13.148.111; envelope-from=pete@petertodd.org; helo=outmail148111.authsmtp.net; Received: from outmail148111.authsmtp.net ([62.13.148.111]) by sog-mx-4.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1VAKfv-0003IE-VF for bitcoin-development@lists.sourceforge.net; Fri, 16 Aug 2013 14:06:49 +0000 Received: from mail-c226.authsmtp.com (mail-c226.authsmtp.com [62.13.128.226]) by punt8.authsmtp.com (8.14.2/8.14.2/Kp) with ESMTP id r7GE6fFh068876; Fri, 16 Aug 2013 15:06:41 +0100 (BST) Received: from petertodd.org (petertodd.org [174.129.28.249]) (authenticated bits=128) by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id r7GE6Zlo017367 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Fri, 16 Aug 2013 15:06:38 +0100 (BST) Date: Fri, 16 Aug 2013 10:06:35 -0400 From: Peter Todd To: "Warren Togami Jr." Message-ID: <20130816140635.GC16201@petertodd.org> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="nmemrqcdn5VTmUEE" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Server-Quench: 1171e4e0-067d-11e3-98a9-0025907ec6c5 X-AuthReport-Spam: If SPAM / abuse - report it at: http://www.authsmtp.com/abuse X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR aAdMdwQUGUATAgsB AmUbWlFeUFt7Wms7 ag1VcwRfa1RMVxto VEFWR1pVCwQmQxt2 cxh0DkZydgJFfnk+ YkBmXz5aXUN7IEIo QlNUE2pSeGZhPWMC WUgJfh5UcAFPdx9C PwN5B3ZDAzANdhES HhM4ODE3eDlSNilR RRkIIFQOdA4kFyA9 QV8ZVS0oBlFAH2Ni ZyABBnlUGEcKLgN0 dzMA X-Authentic-SMTP: 61633532353630.1020:706 X-AuthFastPath: 0 (Was 255) X-AuthSMTP-Origin: 174.129.28.249/587 X-AuthVirus-Status: No virus detected - but ensure you scan with your own anti-virus system. X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1VAKfv-0003IE-VF Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] Gavin's post-0.9 TODO list... X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Aug 2013 14:06:50 -0000 --nmemrqcdn5VTmUEE Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Aug 16, 2013 at 03:41:54AM -1000, Warren Togami Jr. wrote: > https://togami.com/~warren/archive/2013/example-bitcoind-dos-mitigation-v= ia-iptables.txt > *Anti-DoS Low Hanging Fruit: source IP or subnet connection limits* > If you disallow the same IP and/or subnet from establishing too many TCP > connections with your node, it becomes more expensive for attackers to use > a single host exhaust a target node's resources. This iptables firewall > based example has almost zero drawbacks, but it is too complicated for mo= st > people to deploy. Yes, there is a small chance that you will block > legitimate connections, but there are plenty of other nodes for random > connections to choose from. Configurable per source IP and source subnet > limits with sane defaults enforced by bitcoind itself would be a big > improvement over the current situation where one host address can consume > limited resources of many target nodes. Have you looked into what it would take to just apply the IP diversity tests for outgoing connections to incoming connections? The code's already there... --=20 'peter'[:-1]@petertodd.org 0000000000000018dcf5bcc3f018a05517ba1c479b432ba422015d4506496e55 --nmemrqcdn5VTmUEE Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlIOMesACgkQpEFN739thozscwCfX/oXHklYVnxH+Xk956AgG7HS XQwAmwWPcax9EDvaEP0C0gn1tNHvGrRs =VYr7 -----END PGP SIGNATURE----- --nmemrqcdn5VTmUEE--