server: add additional peer banning checks.

This updates various peer handler methods to enforce additional peer banning checks. - OnGetMiningState: a decaying ban score has been added for repeated messages from the same peer. - OnGetInitState: a decaying ban score has been added for repeated messages from the same peer. - OnGetBlocks: increment ban score for known inventory from peer. - OnGetAddr: a decaying ban score has been added for repeated messages from the same peer.
decred · Nov 5, 2021 · 05cbf79 · 05cbf79
1 parent d0171d7
commit 05cbf79
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/server.go b/server.go
@@ -827,6 +827,7 @@ func (sp *serverPeer) pushMiningStateMsg(height uint32, blockHashes []chainhash.
 // mined on and pushes a miningstate wire message back to the requesting peer.
 func (sp *serverPeer) OnGetMiningState(p *peer.Peer, msg *wire.MsgGetMiningState) {
 	if sp.getMiningStateSent {
+		_ = sp.banManager.AddBanScore(p, 0, 25, "repeated mining state request")
 		peerLog.Tracef("Ignoring getminingstate from %v - already sent", sp.Peer)
 		return
 	}
@@ -905,6 +906,7 @@ func (sp *serverPeer) OnMiningState(p *peer.Peer, msg *wire.MsgMiningState) {
 // It sends the available requested info to the remote peer.
 func (sp *serverPeer) OnGetInitState(p *peer.Peer, msg *wire.MsgGetInitState) {
 	if sp.initStateSent {
+		_ = sp.banManager.AddBanScore(p, 0, 25, "repeated init state request")
 		peerLog.Tracef("Ignoring getinitstate from %v - already sent", sp.Peer)
 		return
 	}
@@ -937,6 +939,8 @@ func (sp *serverPeer) OnGetInitState(p *peer.Peer, msg *wire.MsgGetInitState) {
 		// parent of the current tip.
 		children, err := sp.server.chain.TipGeneration()
 		if err != nil {
+			// revert the preemptive init state flag for the peer on an error.
+			sp.initStateSent = false
 			peerLog.Warnf("Failed to access sync manager to get the generation "+
 				"for a init state request (block: %v): %v", best.Hash, err)
 			return
@@ -1202,7 +1206,7 @@ func (sp *serverPeer) OnGetBlocks(p *peer.Peer, msg *wire.MsgGetBlocks) {
 	for i := range hashList {
 		iv := wire.NewInvVect(wire.InvTypeBlock, &hashList[i])
 		if sp.IsKnownInventory(iv) {
-			// TODO: Increase ban score
+			_ = sp.banManager.AddBanScore(p, 10, 0, "known inventory")
 			continue
 		}
 		invMsg.AddInvVect(iv)
@@ -1348,6 +1352,7 @@ func (sp *serverPeer) OnGetAddr(p *peer.Peer, msg *wire.MsgGetAddr) {
 	// Only respond with addresses once per connection.  This helps reduce
 	// traffic and further reduces fingerprinting attacks.
 	if sp.addrsSent {
+		_ = sp.banManager.AddBanScore(p, 0, 25, "repeated get address request")
 		peerLog.Tracef("Ignoring getaddr from %v - already sent", sp.Peer)
 		return
 	}