Connection slot exhaustion DoS mitigation #6374
Connection slots are a limited resource which can be the target of DoS attacks.
This issue was introduced in 2011 by 5a3e82f.
In mitigating this issue it is important to take steps to avoid network partitioning.
I have taken the approach of protecting connections with various properties from eviction.
Of the nodes still available for eviction, the most recently connected node from the CNetAddr with the most connections is selected and evicted.
The largest class of protected connections is those which have been connected for the longest time.
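As an added illustration of the eviction rule described in this PR (example code written here, not the PR's or Bitcoin Core's own): a simplified InboundConn record stands in for CNode, a netgroup string stands in for the CNetAddr group, and the number of protected longest-connected peers is an assumed policy knob.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// One inbound connection as seen by the eviction logic (constructed model, not Bitcoin Core's CNode).
struct InboundConn {
    int id;
    std::string netgroup;   // stands in for the CNetAddr network group
    int64_t connected_at;   // time the connection was accepted
    bool is_local;          // localhost (e.g. hidden-service) peers are never evicted
};

// Returns the id of the connection to evict, or -1 if nothing may be evicted.
// protect_oldest: how many of the longest-connected peers are exempt (assumed policy knob).
int SelectConnectionToEvict(std::vector<InboundConn> conns, size_t protect_oldest) {
    // Localhost connections are never candidates.
    conns.erase(std::remove_if(conns.begin(), conns.end(),
                               [](const InboundConn& c) { return c.is_local; }),
                conns.end());
    // Protect the longest-connected peers: sort oldest first and drop the first N.
    std::sort(conns.begin(), conns.end(), [](const InboundConn& a, const InboundConn& b) {
        return a.connected_at < b.connected_at;
    });
    if (conns.size() <= protect_oldest) return -1;
    conns.erase(conns.begin(), conns.begin() + protect_oldest);
    // Find the netgroup holding the most remaining candidates.
    std::map<std::string, int> per_group;
    for (const auto& c : conns) ++per_group[c.netgroup];
    std::string worst_group;
    int worst_count = 0;
    for (const auto& kv : per_group)
        if (kv.second > worst_count) { worst_count = kv.second; worst_group = kv.first; }
    // Within that group, evict the most recently connected peer.
    const InboundConn* victim = nullptr;
    for (const auto& c : conns)
        if (c.netgroup == worst_group && (!victim || c.connected_at > victim->connected_at)) victim = &c;
    return victim ? victim->id : -1;
}

// Constructed sample: four peers from group A, two from B, one local peer.
std::vector<InboundConn> SampleConnections() {
    return {{1, "A", 100, false}, {2, "A", 200, false}, {3, "B", 150, false},
            {4, "A", 300, false}, {5, "C", 50, true},  {6, "B", 400, false},
            {7, "A", 250, false}};
}
```

With one protected peer, the oldest connection (id 1) is exempt, group A still has the most candidates, and its newest member (id 4) is the one evicted.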
@laanwj Missed the second part of your comment.
This won't ever evict localhost connections, so inbound connections to a hidden service won't ever be disconnected by this.
That's actually not optimal, but unfortunately getting info on inbound hidden service connections requires interfacing with Tor's control port.
That's definitely out of scope for this patch set.
Concept ACK. I think that calling AddRef/Release without holding cs_vNodes should not be done.
I think the biases can be improved still - for example by computing a score per node based on ping time, and then penalizing the scores of nodes from the same netgroup if there are multiple. But that can be done later.