mirror
/
go-ethereum
mirror of https://github.com/ethereum/go-ethereum
2
0
Fork 1
Code Issues Releases Wiki Activity

les: reject client if it makes too many invalid requests (#19691)

Browse Source 
* les: reject client connection if it makes too much invalid req

* les: address comments

* les: use uint32

* les: fix variable name

* les: add invalid counter for duplicate invalid req
pull/19704/head
gary rong 6 years ago committed by Péter Szilágyi
parent b3f7609d7d
commit c8c3ebd593
3 changed files with 40 additions and 14 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 40
      les/handler.go
  2. 7
      les/handler_test.go
  3. 7
      les/peer.go

40
les/handler.go
Unescape View File

@ -19,9 +19,11 @@ package les
import ( import (
"encoding/binary" "encoding/binary"
"encoding/json" "encoding/json"
"errors"
"fmt" "fmt"
"math/big" "math/big"
"sync" "sync"
"sync/atomic"
"time" "time"
"github.com/ethereum/go-ethereum/common" "github.com/ethereum/go-ethereum/common"
@ -44,6 +46,8 @@ import (
"github.com/ethereum/go-ethereum/trie" "github.com/ethereum/go-ethereum/trie"
) )
var errTooManyInvalidRequest = errors.New("too many invalid requests made")
const ( const (
softResponseLimit = 2 * 1024 * 1024 // Target maximum size of returned blocks, headers or node data. softResponseLimit = 2 * 1024 * 1024 // Target maximum size of returned blocks, headers or node data.
estHeaderRlpSize = 500 // Approximate size of an RLP encoded block header estHeaderRlpSize = 500 // Approximate size of an RLP encoded block header
@ -524,6 +528,7 @@ func (pm *ProtocolManager) handleMsg(p *peer) error {
origin = pm.blockchain.GetHeaderByNumber(query.Origin.Number) origin = pm.blockchain.GetHeaderByNumber(query.Origin.Number)
} }
if origin == nil { if origin == nil {
atomic.AddUint32(&p.invalidCount, 1)
break break
} }
headers = append(headers, origin) headers = append(headers, origin)
@ -570,7 +575,6 @@ func (pm *ProtocolManager) handleMsg(p *peer) error {
} else { } else {
unknown = true unknown = true
} }
case !query.Reverse: case !query.Reverse:
// Number based traversal towards the leaf block // Number based traversal towards the leaf block
query.Origin.Number += query.Skip + 1 query.Origin.Number += query.Skip + 1
@ -628,15 +632,18 @@ func (pm *ProtocolManager) handleMsg(p *peer) error {
sendResponse(req.ReqID, 0, nil, task.servingTime) sendResponse(req.ReqID, 0, nil, task.servingTime)
return return
} }
// Retrieve the requested block body, stopping if enough was found
if bytes >= softResponseLimit { if bytes >= softResponseLimit {
break break
} }
// Retrieve the requested block body, stopping if enough was found number := rawdb.ReadHeaderNumber(pm.chainDb, hash)
if number := rawdb.ReadHeaderNumber(pm.chainDb, hash); number != nil { if number == nil {
if data := rawdb.ReadBodyRLP(pm.chainDb, hash, *number); len(data) != 0 { atomic.AddUint32(&p.invalidCount, 1)
bodies = append(bodies, data) continue
bytes += len(data) }
} if data := rawdb.ReadBodyRLP(pm.chainDb, hash, *number); len(data) != 0 {
bodies = append(bodies, data)
bytes += len(data)
} }
} }
sendResponse(req.ReqID, uint64(reqCnt), p.ReplyBlockBodiesRLP(req.ReqID, bodies), task.done()) sendResponse(req.ReqID, uint64(reqCnt), p.ReplyBlockBodiesRLP(req.ReqID, bodies), task.done())
@ -691,6 +698,7 @@ func (pm *ProtocolManager) handleMsg(p *peer) error {
number := rawdb.ReadHeaderNumber(pm.chainDb, request.BHash) number := rawdb.ReadHeaderNumber(pm.chainDb, request.BHash)
if number == nil { if number == nil {
p.Log().Warn("Failed to retrieve block num for code", "hash", request.BHash) p.Log().Warn("Failed to retrieve block num for code", "hash", request.BHash)
atomic.AddUint32(&p.invalidCount, 1)
continue continue
} }
header := rawdb.ReadHeader(pm.chainDb, request.BHash, *number) header := rawdb.ReadHeader(pm.chainDb, request.BHash, *number)
@ -703,6 +711,7 @@ func (pm *ProtocolManager) handleMsg(p *peer) error {
local := pm.blockchain.CurrentHeader().Number.Uint64() local := pm.blockchain.CurrentHeader().Number.Uint64()
if !pm.server.archiveMode && header.Number.Uint64()+core.TriesInMemory <= local { if !pm.server.archiveMode && header.Number.Uint64()+core.TriesInMemory <= local {
p.Log().Debug("Reject stale code request", "number", header.Number.Uint64(), "head", local) p.Log().Debug("Reject stale code request", "number", header.Number.Uint64(), "head", local)
atomic.AddUint32(&p.invalidCount, 1)
continue continue
} }
triedb := pm.blockchain.StateCache().TrieDB() triedb := pm.blockchain.StateCache().TrieDB()
@ -710,6 +719,7 @@ func (pm *ProtocolManager) handleMsg(p *peer) error {
account, err := pm.getAccount(triedb, header.Root, common.BytesToHash(request.AccKey)) account, err := pm.getAccount(triedb, header.Root, common.BytesToHash(request.AccKey))
if err != nil { if err != nil {
p.Log().Warn("Failed to retrieve account for code", "block", header.Number, "hash", header.Hash(), "account", common.BytesToHash(request.AccKey), "err", err) p.Log().Warn("Failed to retrieve account for code", "block", header.Number, "hash", header.Hash(), "account", common.BytesToHash(request.AccKey), "err", err)
atomic.AddUint32(&p.invalidCount, 1)
continue continue
} }
code, err := triedb.Node(common.BytesToHash(account.CodeHash)) code, err := triedb.Node(common.BytesToHash(account.CodeHash))
@ -776,9 +786,12 @@ func (pm *ProtocolManager) handleMsg(p *peer) error {
} }
// Retrieve the requested block's receipts, skipping if unknown to us // Retrieve the requested block's receipts, skipping if unknown to us
var results types.Receipts var results types.Receipts
if number := rawdb.ReadHeaderNumber(pm.chainDb, hash); number != nil { number := rawdb.ReadHeaderNumber(pm.chainDb, hash)
results = rawdb.ReadRawReceipts(pm.chainDb, hash, *number) if number == nil {
atomic.AddUint32(&p.invalidCount, 1)
continue
} }
results = rawdb.ReadRawReceipts(pm.chainDb, hash, *number)
if results == nil { if results == nil {
if header := pm.blockchain.GetHeaderByHash(hash); header == nil || header.ReceiptHash != types.EmptyRootHash { if header := pm.blockchain.GetHeaderByHash(hash); header == nil || header.ReceiptHash != types.EmptyRootHash {
continue continue
@ -853,6 +866,7 @@ func (pm *ProtocolManager) handleMsg(p *peer) error {
if number = rawdb.ReadHeaderNumber(pm.chainDb, request.BHash); number == nil { if number = rawdb.ReadHeaderNumber(pm.chainDb, request.BHash); number == nil {
p.Log().Warn("Failed to retrieve block num for proof", "hash", request.BHash) p.Log().Warn("Failed to retrieve block num for proof", "hash", request.BHash)
atomic.AddUint32(&p.invalidCount, 1)
continue continue
} }
if header = rawdb.ReadHeader(pm.chainDb, request.BHash, *number); header == nil { if header = rawdb.ReadHeader(pm.chainDb, request.BHash, *number); header == nil {
@ -864,12 +878,14 @@ func (pm *ProtocolManager) handleMsg(p *peer) error {
local := pm.blockchain.CurrentHeader().Number.Uint64() local := pm.blockchain.CurrentHeader().Number.Uint64()
if !pm.server.archiveMode && header.Number.Uint64()+core.TriesInMemory <= local { if !pm.server.archiveMode && header.Number.Uint64()+core.TriesInMemory <= local {
p.Log().Debug("Reject stale trie request", "number", header.Number.Uint64(), "head", local) p.Log().Debug("Reject stale trie request", "number", header.Number.Uint64(), "head", local)
atomic.AddUint32(&p.invalidCount, 1)
continue continue
} }
root = header.Root root = header.Root
} }
// If a header lookup failed (non existent), ignore subsequent requests for the same header // If a header lookup failed (non existent), ignore subsequent requests for the same header
if root == (common.Hash{}) { if root == (common.Hash{}) {
atomic.AddUint32(&p.invalidCount, 1)
continue continue
} }
// Open the account or storage trie for the request // Open the account or storage trie for the request
@ -888,6 +904,7 @@ func (pm *ProtocolManager) handleMsg(p *peer) error {
account, err := pm.getAccount(statedb.TrieDB(), root, common.BytesToHash(request.AccKey)) account, err := pm.getAccount(statedb.TrieDB(), root, common.BytesToHash(request.AccKey))
if err != nil { if err != nil {
p.Log().Warn("Failed to retrieve account for proof", "block", header.Number, "hash", header.Hash(), "account", common.BytesToHash(request.AccKey), "err", err) p.Log().Warn("Failed to retrieve account for proof", "block", header.Number, "hash", header.Hash(), "account", common.BytesToHash(request.AccKey), "err", err)
atomic.AddUint32(&p.invalidCount, 1)
continue continue
} }
trie, err = statedb.OpenStorageTrie(common.BytesToHash(request.AccKey), account.Root) trie, err = statedb.OpenStorageTrie(common.BytesToHash(request.AccKey), account.Root)
@ -1134,6 +1151,11 @@ func (pm *ProtocolManager) handleMsg(p *peer) error {
} }
} }
} }
// If the client has made too much invalid request(e.g. request a non-exist data),
// reject them to prevent SPAM attack.
if atomic.LoadUint32(&p.invalidCount) > maxRequestErrors {
return errTooManyInvalidRequest
}
return nil return nil
} }

7
les/handler_test.go
Unescape View File

@ -597,9 +597,10 @@ func TestStopResumeLes3(t *testing.T) {
expBuf := testBufLimit expBuf := testBufLimit
var reqID uint64 var reqID uint64
header := pm.blockchain.CurrentHeader()
req := func() { req := func() {
reqID++ reqID++
sendRequest(peer.app, GetBlockHeadersMsg, reqID, testCost, &getBlockHeadersData{Origin: hashOrNumber{Hash: common.Hash{1}}, Amount: 1}) sendRequest(peer.app, GetBlockHeadersMsg, reqID, testCost, &getBlockHeadersData{Origin: hashOrNumber{Hash: header.Hash()}, Amount: 1})
} }
for i := 1; i <= 5; i++ { for i := 1; i <= 5; i++ {
@ -607,8 +608,8 @@ func TestStopResumeLes3(t *testing.T) {
for expBuf >= testCost { for expBuf >= testCost {
req() req()
expBuf -= testCost expBuf -= testCost
if err := expectResponse(peer.app, BlockHeadersMsg, reqID, expBuf, nil); err != nil { if err := expectResponse(peer.app, BlockHeadersMsg, reqID, expBuf, []*types.Header{header}); err != nil {
t.Errorf("expected response and failed: %v", err) t.Fatalf("expected response and failed: %v", err)
} }
} }
// send some more requests in excess and expect a single StopMsg // send some more requests in excess and expect a single StopMsg

7
les/peer.go
Unescape View File

@ -42,7 +42,10 @@ var (
errNotRegistered = errors.New("peer is not registered") errNotRegistered = errors.New("peer is not registered")
) )
const maxResponseErrors = 50 // number of invalid responses tolerated (makes the protocol less brittle but still avoids spam) const (
maxRequestErrors = 20 // number of invalid requests tolerated (makes the protocol less brittle but still avoids spam)
maxResponseErrors = 50 // number of invalid responses tolerated (makes the protocol less brittle but still avoids spam)
)
// capacity limitation for parameter updates // capacity limitation for parameter updates
const ( const (
@ -69,7 +72,6 @@ const (
type peer struct { type peer struct {
*p2p.Peer *p2p.Peer
rw p2p.MsgReadWriter rw p2p.MsgReadWriter
version int // Protocol version negotiated version int // Protocol version negotiated
@ -89,6 +91,7 @@ type peer struct {
// RequestProcessed is called // RequestProcessed is called
responseLock sync.Mutex responseLock sync.Mutex
responseCount uint64 responseCount uint64
invalidCount uint32
poolEntry *poolEntry poolEntry *poolEntry
hasBlock func(common.Hash, uint64, bool) bool hasBlock func(common.Hash, uint64, bool) bool

Write Preview
Loading…
Cancel
Save