RPC rate limiting #3136

Open
Wondertan opened this issue Jan 24, 2024 · 5 comments

@Wondertan
Member

Wondertan commented Jan 24, 2024

After deep discussions with @jbowen93 about #3129, the Astria team figured that there was a bug on their side, causing LNs to be spammed with ~1k req/s, subsequently causing RAM to grow. This prompts the question about limiting the number of RPC requests.

To avoid similar issues in the future and unlimited growth of RAM because of malicious or faulty software, we should introduce request rate limiting on our RPC server.

The rate limit should be configurable with 10 req/s as default, which would be more than enough for node usage patterns (e.g., a blob per 12s block).

@distractedm1nd
Collaborator

To do this we need to modify go-jsonrpc.

@Wondertan
Member Author

Wondertan commented Jan 30, 2024

Potentially. I presumed we can do this through some form of middleware, the same way auth is working.

@ramin
Contributor

ramin commented Mar 5, 2024

Adding some relevant context, we have a single "middleware" for auth, viewable here

srv.srv.Handler = &auth.Handler{

If we WERE to implement this, it'd be an opportunity to apply some common Go HTTP server middleware pattern for this, as, like with children, going from 1 -> 2 middleware probably means at least 1 more will come along.

That said, I am not 100% sure this should be a concern of the node, and more a safeguard a node runner / infra operator would implement in their deployment and however it is deployed. Implementing this implies operational availability is a concern of Celestia protocol developers, which I think it is not.

I think the real solution here would be to implement resource management for various parts of the protocol implementation, i.e. storage etc., NOT to introduce a request rate limiter at RPC.

@Wondertan I'd be curious to discuss this with you.

@nodersteam
Contributor

Hello @Wondertan @walldiss @renaynay can we take this issue?

@Wondertan
Member Author

We haven't agreed on how to approach this, but if we would implement this in the node, then you would need to look at the go-jsonrpc library we are using to see how you can integrate the rate-limiting middleware. I believe it's worth a try.
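
The middleware approach discussed in this thread, sketched as an added example that is not part of the issue and is not celestia-node or go-jsonrpc code: an `http.Handler` wrapper, sitting where `auth.Handler` sits, that applies a server-wide token bucket with the 10 req/s default proposed above. `RateLimit`, its fields, the stand-in `rpc` handler and the listen address are assumptions made for illustration.

```go
package main

import (
	"log"
	"math"
	"net/http"
	"sync"
	"time"
)

// RateLimit is a hypothetical middleware, not celestia-node or go-jsonrpc code.
// It wraps any http.Handler and enforces one server-wide token bucket.
type RateLimit struct {
	Next        http.Handler
	Rate, Burst float64          // refill per second (the issue proposes 10), capacity
	Now         func() time.Time // injectable clock, normally time.Now
	mu          sync.Mutex
	tokens      float64
	last        time.Time
}

func (l *RateLimit) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	l.mu.Lock()
	now := l.Now()
	if l.last.IsZero() {
		l.tokens, l.last = l.Burst, now // first request: start with a full bucket
	}
	if dt := now.Sub(l.last).Seconds(); dt > 0 {
		l.tokens, l.last = math.Min(l.Burst, l.tokens+dt*l.Rate), now
	}
	allowed := l.tokens >= 1
	if allowed {
		l.tokens--
	}
	l.mu.Unlock()
	if !allowed {
		// Reject before the body is read, so a flood costs no JSON-RPC decoding.
		w.Header().Set("Retry-After", "1")
		http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
		return
	}
	l.Next.ServeHTTP(w, r)
}

func main() {
	rpc := http.NotFoundHandler() // stand-in for the real JSON-RPC handler
	h := &RateLimit{Next: rpc, Rate: 10, Burst: 10, Now: time.Now}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", h)) // constructed address
}
```

The bucket here is shared by all callers, so one faulty client can consume the whole budget; keying buckets per client or per auth token would isolate callers at the cost of bounded per-key state.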
