RPC does not rate limit egress traffic

[leoluk]

Problem

An attacker can repeatedly download a snapshot or genesis.tar.bz2 from a validator that has an open RPC port. The Rust web server is highly efficient at serving static files and will happily make use of all of a node's egress bandwidth.

In a high tps network, this could impact cluster performance. In any case, it would result in high egress bandwidth costs and almost zero costs for the attacker since ingress is typically free.

Proposed Solution

• Rate limit RPC egress to a harmless amount that will not interfere with turbine.
• Perhaps configure RPC not to serve static files by default?
• In a production cluster, the set of --trusted-validators would probably want to serve genesis/snapshots from a bandwidth-efficient CDN.
• Ship with QoS config.

[mvines]

cc: #5778

I see this as mostly an issue for the --trusted-validators set. Most nodes have no business enabling public RPC (given the current implementation) but a trusted validator explicitly does enable RPC for others and is thus a prime DoS target