Skip to content

Security: Limit the number of inbound peer connections in the listener task #1851

New issue
Jump to bottom
New issue
Jump to bottom
Closed
#2961
Closed
Security: Limit the number of inbound peer connections in the listener task#1851
#2961
Assignees
teor2345
Labels
A-networkArea: Network protocol updates or fixesC-securityCategory: Security issuesI-remote-node-overloadZebra can overload other nodes on the network
Milestone
 
2021 Sprint 21
@teor2345

Description

@teor2345
teor2345
opened on Mar 5, 2021

Motivation

Zebra has no limit on the number of open inbound connections from other peers. This is a remote distributed denial of service risk, if an attacker can make other nodes connect to Zebra.

We're not currently seeing this attack on the network, but it might be easy for malicious nodes to trigger. So we should fix it soon.

Suggested Design

In accept_inbound_connections, limit the number of inbound connections to peerset_initial_target_size. This applies the connection limit as soon as Zebra gets control of the accepted connection from tokio.

peerset_initial_target_size is an existing zebra-network config. It's used to initialise the CandidateSet's outbound peer connection demand.

Edge Cases

Zebra should check and increase the connection limit as early as possible.

Zebra should drop any resources used by rejected connections as soon as possible.

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

Labels

A-networkArea: Network protocol updates or fixesC-securityCategory: Security issuesI-remote-node-overloadZebra can overload other nodes on the network

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions