Jormungandr: Denial-of-Service-like behavior detected by router hampers connections

Created on 23 Oct 2019  路  2Comments  路  Source: input-output-hk/jormungandr

Bug description
I have been testing since 0.5.5. Initial bootstrap always works fine for all versions tested.
However, after that, blockRecvCnt does not increase or increases in infrequent (30min to 1day) bursts.
I have finally pinpointed the cause for my particular case: my router has a DoS protection option which claims to protect from 1) SYN-flooding, 2) Port-scanning and 3) Ping-of-Death (source: https://www.asus.com/support/FAQ/1031610). Once I disable this DoS protection, I finally get regular block updates (occasional stops and bursts still occur) and finally got all my transactions through.

Mandatory Information

  1. jcli --full-version output;
    jcli 0.6.5 (makepkg-236698a0, release, linux [arm]) - [rustc 1.38.0]
  2. jormungandr --full-version output;
    jormungandr 0.6.5 (makepkg-236698a0, release, linux [arm]) - [rustc 1.38.0]

To Reproduce
Enable/Disable DoS protection (https://www.asus.com/support/FAQ/1031610).

Expected behavior
Not sure if bug or feature request. I would expect to maintain DoS protection.

Most helpful comment

We probably will never be able to work around all peculiarities of home/small office broadband gateways and the like. And indeed a p2p network, from the standpoint of a broadband network administrator, looks like either a DoS attack in progress, or a customer trying to run a server on a subscription that is not meant for this (there are clauses in some home broadband subscription ToS forbidding running servers and p2p endpoints).

One mitigation for node operators in restrictive or protective LAN setups is to run a private node that does not advertise its public address and therefore is never connected to by other nodes (the peers it connects to would still send it updates via subscription streams). We need to do some work to address this common use case better.

All 2 comments

We probably will never be able to work around all peculiarities of home/small office broadband gateways and the like. And indeed a p2p network, from the standpoint of a broadband network administrator, looks like either a DoS attack in progress, or a customer trying to run a server on a subscription that is not meant for this (there are clauses in some home broadband subscription ToS forbidding running servers and p2p endpoints).

One mitigation for node operators in restrictive or protective LAN setups is to run a private node that does not advertise its public address and therefore is never connected to by other nodes (the peers it connects to would still send it updates via subscription streams). We need to do some work to address this common use case better.

This has been fixed for me for v0.7.0.rc7.r4.2051c93d.
I guess the drastic lowering of network usage did the trick. Amazing work!

Was this page helpful?
0 / 5 - 0 ratings