-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Only limit resources per peer #9443
Conversation
Signed-off-by: Antonio Navarro Perez <antnavper@gmail.com>
have you ever heard of sybil attacks? |
@vyzo yes! Do you have any other proposals? People are having a hard time trying to configure ResourceManager at the System level. Any defaults that we set there will be wrong. The better thing that we can do is to have sane defaults for everyone, and that is in my opinion limiting as much as we can connections by peer. The ideal here will be to limit one connection per IP, but is a non-trivial thing to do. |
We should pick some highish defaults for system/transient at the very least, and let power users set those explicitly instead of trying to always autotune and hide it under the carpet. |
Point being that without a system/transient limit you are not protecting from DoS attacks; all the attacker has to do is cycle through a bunch of sybils. |
Can you define highish? for whom? Power users can still set limits explicitly. Right now with system/transient limits, you are keeping the node alive, but mostly unusable. That is what we want? |
It is not unusable, it just can't accept new incoming connections and it can still use existing connections and open new ones. |
I'm eager to set here sane defaults for system and transient limits but:
My point is that there are no sane defaults for system and transient limits, only for peer limits. |
just take half the available memory and the fd limit for incoming limits. Much better if they cry about logs than crashing. |
Re: powerful nodes -> power users, they can configure things. I think you are approaching this issue in the wrong direction. |
Hi @ajnavarro , In general bounding at the peer scope by itself is not enough to protect against DoS attacks since it's trivial to create lots of peers (as discussed in the comments). That said, we still are bounding by the amount of memory that go-libp2p will use, and even with you're proposed change, we we won't OOM because we cap I agree it's hard to pick defaults, but I think we can likely do better here... Why am I even trying to pick better defaults?Yes we need to protect against OOM. That said, if we don't bound incoming connections and streams, we are still vulnerable to CPU exhaustion processing these connections and streams. I don't know how much CPU is spent managing a connection or stream, but I know it's not free. ProposalWith Kubo 0.17 we set the default memory that is used to calculate go-libp2p resource limits to I think we just set the default memory for go-libp2p too low by default. What about instead of The other option here is to not use SummaryBefore we fallback to disabling
by default, I'd like to see if we can thread the needle here. I think one of the ways is to suggest to folks in #9432 that are having issues to set (Also, even if we were to go with PR, it would need to include doc updates to https://github.com/ipfs/kubo/blob/master/docs/config.md#swarmresourcemgr ) |
Given that there is no agreement I decided to close the PR. I totally understand your reasoning about why we should have limits at the system level, but I still believe that any default value that we set at that level, will be wrong in most cases. I'll open a new PR changing default memory values to TOTAL_MEMORY/2 hoping users will have fewer problems with RM. |
Thanks @ajnavarro
Can we please test this hypothesis by asking the vocal parties in #9432 to set |
@BigLep added a comment asking that #9432 (comment) |
We are removing system and transient limits by default when ResourceManager is active. We will never be able to define sane defaults for all the cases, and RM is difficult to configure for most users.
Limiting resources per peer is enough to avoid a DoS attack.
Logs are changed to Warn level. Example:
Signed-off-by: Antonio Navarro Perez antnavper@gmail.com