Gregory Maxwell [ARCHIVE] on Nostr:
📅 Original date posted:2013-08-16
📝 Original message:On Fri, Aug 16, 2013 at 6:41 AM, Warren Togami Jr. <wtogami at gmail.com> wrote:
> If you disallow the same IP and/or subnet from establishing too many TCP
> connections with your node,
[...]
> has almost zero drawbacks,
There are whole countries who access the internet from single IP
addresses. There are major institutions with hundreds or even thousands
of hosts that could be running Bitcoin who are visible to the public
internet as a single IP address (/single subnet). Most Tor traffic
exits to the internet from a dozen of the largest exits, common
local-network configurations have people addnode-ing local hosts from
many systems on a subnet, etc.

Prioritizing the availability of inbound slots based on source IP is
reasonable and prudent, but it does not have almost zero drawbacks.
Outright limiting is even worse.

As a protective measure it's also nigh useless for IPv6 connected
hosts and hidden service hosts. It's also ineffective at attacks
which exhaust your memory, CPU, IO, or bandwidth without trying to
exhaust your sockets.

So I am not opposed to prioritizing based on it (e.g. when full pick
an inbound connection to drop based on criteria which includes network
mask commonality), but I would not want to block completely based on
this.
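The policy the reply sketches (when inbound slots are full, drop a connection chosen by criteria that include netgroup commonality, rather than refusing peers by IP outright), as an added Python illustration that is not Bitcoin Core's code nor part of the original message. The /16 and /32 group sizes, the number of protected longest-connected peers, the peer records and the addresses are all constructed assumptions for the example.

```python
import ipaddress
from collections import Counter
from typing import Optional

def netgroup(addr: str) -> str:
    """Coarse "network mask commonality" key for an address.
    The prefix lengths (/16 IPv4, /32 IPv6) are this example's assumption."""
    if addr.endswith(".onion"):
        return "onion:" + addr  # hidden services carry no routable prefix
    ip = ipaddress.ip_address(addr)
    bits = 16 if ip.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def choose_eviction(peers: list, protect_oldest: int = 2) -> Optional[str]:
    """Pick the inbound peer to drop when slots are full, or None.
    1. The protect_oldest longest-connected peers are never evicted.
    2. Among the rest, prefer the most-populated netgroup.
    3. Within that group, drop the newest connection."""
    candidates = sorted(peers, key=lambda p: p["connected_at"])[protect_oldest:]
    if not candidates:
        return None
    groups = Counter(netgroup(p["addr"]) for p in peers)
    victim = max(candidates,
                 key=lambda p: (groups[netgroup(p["addr"])], p["connected_at"]))
    return victim["id"]

def admit_inbound(peers: list, new_peer: dict, max_inbound: int,
                  protect_oldest: int = 2):
    """Prioritise instead of block: returns (accepted, evicted_id, peers).
    A new peer is never refused for its netgroup alone, only when the table
    is full and every existing peer is protected."""
    if len(peers) < max_inbound:
        return True, None, peers + [new_peer]
    victim = choose_eviction(peers, protect_oldest)
    if victim is None:
        return False, None, peers
    return True, victim, [p for p in peers if p["id"] != victim] + [new_peer]

# Constructed sample: three peers share one /16 (a campus NAT, say), plus
# an IPv6 host and a hidden-service peer.
SAMPLE_PEERS = [
    {"id": "a", "addr": "203.0.113.5", "connected_at": 100},
    {"id": "b", "addr": "198.51.100.7", "connected_at": 110},
    {"id": "c", "addr": "203.0.113.9", "connected_at": 120},
    {"id": "d", "addr": "2001:db8::1", "connected_at": 130},
    {"id": "e", "addr": "203.0.113.22", "connected_at": 140},
    {"id": "f", "addr": "examplehidden.onion", "connected_at": 150},
]
```

With the sample table full at six slots, a seventh connection evicts peer "e", the newest member of the over-represented /16, while the lone IPv6 and onion peers and the two oldest connections stay.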
Published at 2023-06-07 15:06:02