Failure limit on tx proposals #3296

NotGyro · 2023-03-28T22:49:26Z

Detects when a client has submitted excessive invalid tx proposals within a configurable rolling window
Adds tx_failure_window and tx_failure_limit fields to the consensus service config Rust structure (for use with clap).
Adds tx_failure_window_seconds and tx_failure_limit, as well as previously-missed client_tracking_capacity to the ConsensusNodeConfig protobuf, and amends get_node_config to add those values to that configuration export.

Motivation

This will be used to track how many failed tx proposals have been sent recently, so that bad connections can be dropped, to prevent attacks and harmful behavior from buggy clients. See: #2977

Future Work

Test case to ensure client_close() actually prevents additional wasted work (i.e. breaks auth for the client such that they need to re-authenticate before any other work can be passed to the enclave).
Slam-testing to determine reasonable defaults for tx_failure_window and tx_failure_limit

…mes' suggestion

NotGyro · 2023-03-28T22:49:40Z

Failure limit on tx proposals #3296 👈
Track failed tx proposals in consensus #3208
master

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @NotGyro and the rest of your teammates on Graphite

…mes' suggestion

Co-authored-by: Sam Dealy <33067698+samdealy@users.noreply.github.com>

…s for Instant and Duration

Bumps [syn](https://github.com/dtolnay/syn) from 1.0.109 to 2.0.11. - [Release notes](https://github.com/dtolnay/syn/releases) - [Commits](dtolnay/syn@1.0.109...2.0.11) --- updated-dependencies: - dependency-name: syn dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…nto milliec/03-28-Failure_limit_on_tx_proposals

* chore(deps): bump bitflags from 1.3.2 to 2.0.1 Bumps [bitflags](https://github.com/bitflags/bitflags) from 1.3.2 to 2.0.1. - [Release notes](https://github.com/bitflags/bitflags/releases) - [Changelog](https://github.com/bitflags/bitflags/blob/main/CHANGELOG.md) - [Commits](bitflags/bitflags@1.3.2...2.0.1) --- updated-dependencies: - dependency-name: bitflags dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * Update bitflag usage for the 1.0->2.0 changes Per <https://github.com/bitflags/bitflags/releases/tag/2.0.0> this changes the serialized format of items containing bitflags. * Update enclave lock files * Rust fmt --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Nick Santana <nick@mobilecoin.com>

* refactor mobilecoind api to not depend on consensus-api I am having a lot of build problems in another project due to mc-mobilecoind-api pulling in mbedtls, which exports some symbols that conflicts with another C library that some rust code depends on. I determined that the only reason I have mbedtls in my build is that `mobilecoind-api` depends on `consensus-api` and this pulls in `mc-attest-core` etc. This change allows me to break this dependency. * remove stuff from build.rs that isn't needed anymore * cargo lock * fixup * fixup * restore deprecated field (avoid compatibility break) * add changelog entry * fixup

…s for Instant and Duration

nick-mobilecoin

❌ this looks like it might have a merge issue, it seems to be diffing against other changes that are present in the mainline branch master.

NotGyro · 2023-04-11T19:38:50Z

x this looks like it might have a merge issue, it seems to be diffing against other changes that are present in the mainline branch master.

Yes, I'm not sure how best to resolve that.

The only files modified are consensus_config.proto, consensus/service/config/src/lib.rs, consensus/service/src/api/client_api_service.rs, and that is correct.

However, I do see all of those unrelated commits. I may have messed up rebasing to keep up-to-date with the main branch.

nick-mobilecoin · 2023-04-11T19:46:15Z

consensus/api/proto/consensus_config.proto

@@ -69,4 +69,24 @@ message ConsensusNodeConfig {

    // SCP message signing key.
    external.Ed25519Public scp_message_signing_key = 8;
+
+    // Maximum number of client session tracking structures to retain in
+    // a least-recently-used cache.


🙃 Don't think "least recently used" is a hyphenated word

Suggest looking at my comment on "denial-of-service" before deciding

Suggested change

// a least-recently-used cache.

// a least recently used cache.

nick-mobilecoin · 2023-04-11T19:47:06Z

consensus/api/proto/consensus_config.proto

+    // a least-recently-used cache.
+    //
+    // This corresponds to Config::client_tracking_capacity
+    uint64 client_tracking_capacity = 9;


❓ I don't think it matters as they're all dynamically sized, but why uint64 here? Considering tx_failure_limit is uint32

nick-mobilecoin · 2023-04-11T19:47:42Z

consensus/api/proto/consensus_config.proto

+    // failures, per-client. This is used to implement DOS-protection,
+    // protecting against clients who make too many failed
+    // transaction proposals within this span.
+    uint64 tx_failure_window_seconds = 10;


👍 Like the call out of the units in the name since there is no type safety.

nick-mobilecoin · 2023-04-11T19:58:58Z

consensus/api/proto/consensus_config.proto

+    uint64 tx_failure_window_seconds = 10;
+
+    // How many tx proposal failures within the rolling window are required
+    // before it's treated as concerning, thereby tripping denial-of-service


💭 interestingly "denial-of-service" is often hyphenated on the interwebs. It looks like the rules are pretty loose when to hyphenate, some say since "denial-of-service" is a compound adjective it can be hyphenated.

nick-mobilecoin · 2023-04-11T20:41:52Z