Merge upstream anti DoS patches

[bitcartel]

At the time of writing, testnet is at block 4109 but the alpha node is handing out many peers who continuously advertise a block height of 1337 and are not synced. The result is that genuine nodes receiving these peers are unable to join the network.

    {
        "id" : 9,
        "addr" : "x.x.x.x:18233",
        "addrlocal" : "x.x.x.x:55684",
        "services" : "0000000000000001",
        "lastsend" : 1471152190,
        "lastrecv" : 1471152189,
        "bytessent" : 1719575,
        "bytesrecv" : 947,
        "conntime" : 1471152188,
        "timeoffset" : -1,
        "pingtime" : 0.00000000,
        "pingwait" : 31.86533400,
        "version" : 170002,
        "subver" : "/Satoshi:0.11.2/",
        "inbound" : false,
        "startingheight" : 1337,
        "banscore" : 0,
        "synced_headers" : -1,
        "synced_blocks" : -1,
        "inflight" : [
        ],
        "whitelisted" : false
    },

Upstream improvements should be identified and where possible merged. For example "Connection slot exhaustion DoS mitigation" bitcoin/bitcoin#6374

[defuse]

This is related to #630. The way we bootstrap the network needs to be checked for DoS vulnerabilities.

[defuse]

I don't know the details, but I'm hoping the DoS against the testnet is only because we're not doing bootstrapping (#630) properly. When we launch, hopefully the bootstrapping system will prevent issues like this.

I went to the upstream GitHub repo, searched for "DoS" in Pull Requests, then clicked the "closed" tab, and of the merged ones before I started seeing stuff in the 0.10.0 milestone, and who were merged after 2015-11-10 (the date of the v0.11.2 tag), these seem relevant:

• Prevent peer flooding inv request queue (redux) (redux) bitcoin/bitcoin#7079
• net: correctly initialize nMinPingUsecTime bitcoin/bitcoin#6636 (this fixes a bug in "Connection slot exhaustion DoS mitigation")
• Introduce -maxuploadtarget bitcoin/bitcoin#6622
• Connection slot exhaustion DoS mitigation bitcoin/bitcoin#6374 (the one Simon suggested above)
• Limit message sizes before receiving. bitcoin/bitcoin#5843
• Be stricter in processing unrequested blocks bitcoin/bitcoin#5875
• [REST] remove json input for getutxos, limit to query max. 15 outpoints bitcoin/bitcoin#6193
• Limit mempool by throwing away the cheapest txn and setting min relay fee to it bitcoin/bitcoin#6722
• Policy: Lower default limits for tx chains bitcoin/bitcoin#6771
• Test LowS in standardness, removes nuisance malleability vector. bitcoin/bitcoin#6769
• Recent rejects backport to v0.11 bitcoin/bitcoin#6750
• Prevent fingerprinting, disk-DoS with compact blocks bitcoin/bitcoin#8408
• Treat high-sigop transactions as larger rather than rejecting them bitcoin/bitcoin#8365
• Fix mempool DoS vulnerability from malleated transactions bitcoin/bitcoin#8312
• Improve handling of unconnecting headers bitcoin/bitcoin#8305
• Disable the mempool P2P command when bloom filters disabled bitcoin/bitcoin#8078
• Use SipHash-2-4 for various non-cryptographic hashes bitcoin/bitcoin#8020
• Fix and improve relay from whitelisted peers bitcoin/bitcoin#7106

I'll go through that list again and remove irrelevant ones.

[defuse]

Here are the ones we might want for 1.0. Backporting them will be a lot of work so let's only backport the ones that will help with actual attacks we're experiencing?

• Prevent peer flooding inv request queue (redux) (redux) bitcoin/bitcoin#7079
• net: correctly initialize nMinPingUsecTime bitcoin/bitcoin#6636 fix for 6374
• Connection slot exhaustion DoS mitigation bitcoin/bitcoin#6374 Connection slot exhaustion DoS mitigation
• Limit message sizes before receiving. bitcoin/bitcoin#5843
• Be stricter in processing unrequested blocks bitcoin/bitcoin#5875
• [REST] remove json input for getutxos, limit to query max. 15 outpoints bitcoin/bitcoin#6193
• Limit mempool by throwing away the cheapest txn and setting min relay fee to it bitcoin/bitcoin#6722
• Policy: Lower default limits for tx chains bitcoin/bitcoin#6771
• Recent rejects backport to v0.11 bitcoin/bitcoin#6750
• Disable the mempool P2P command when bloom filters disabled bitcoin/bitcoin#8078
• Use SipHash-2-4 for various non-cryptographic hashes bitcoin/bitcoin#8020
• Fix and improve relay from whitelisted peers bitcoin/bitcoin#7106

[defuse]

For this ticket I'll bring in 6374 and 6636, since they're the only ones relevant to the way our testnet is currently being DoSed.

[defuse]

Unless someone objects, let's not bother looking at the PRs in #1251 (comment) right now, and let's just let #1258 close this issue.

[daira]

I looked at them; some of them are possibly controversial and/or complicated, and definitely should not be in z9. But let's make sure that we keep track of them, since if I were an attacker, the next place I'd look for potential DoS attacks is things that have been fixed in Bitcoin.

[defuse]

In our (@bitcartel and I) pairing we determined we should take a second look at 7079, 5843, 6193, 6192, 7106 before 1.0.

[defuse]

Ping @nathan-at-least to double-check the prioritization of this.

[bitcartel]

5843 (we already have), 6192 and 6193 (related to REST interface which we do not recommend to be enabled) and:
7106 - PR #1411
7079 - PR #1407

[str4d]

#1407 and #1411 have been merged, which means we now have the following patches:

• 5843
• 6374 and 6636
• 7079
• 7106

This leaves the following from #1251 (comment):

• Be stricter in processing unrequested blocks bitcoin/bitcoin#5875
• [REST] remove json input for getutxos, limit to query max. 15 outpoints bitcoin/bitcoin#6193
• Limit mempool by throwing away the cheapest txn and setting min relay fee to it bitcoin/bitcoin#6722
• Recent rejects backport to v0.11 bitcoin/bitcoin#6750
• Policy: Lower default limits for tx chains bitcoin/bitcoin#6771
• Use SipHash-2-4 for various non-cryptographic hashes bitcoin/bitcoin#8020
• Disable the mempool P2P command when bloom filters disabled bitcoin/bitcoin#8078

[defuse]

See: #1574

[bitcartel]

This ticket should be closed once #1574 lands, even though the nature of the ticket is open-ended.

[daira]

#1574 is being bumped to rc3.

[nathan-at-least]

Bumped from 1.0.9.

Before merging more from upstream, we need to ensure we understand and follow their own QA standards, and I suspect we will want stricter standards if feasible.