Replace automatic bans with discouragement filter #19219
Conversation
There was a problem hiding this comment.
Concept ACK on improving the performance/resource usage of IsBanned.
Light code review ACK 4c4df6b. I have not benchmarked the performance deltas of IsBanned (presumably improved for discouraged addrs) and IsBannedLevel (presumably marginally worse for non-banned addrs) and how meaningful they are with this change.
src/banman.h
Outdated
| @@ -68,6 +77,7 @@ class BanMan | |||
| CClientUIInterface* m_client_interface = nullptr; | |||
| CBanDB m_ban_db; | |||
| const int64_t m_default_ban_time; | |||
| CRollingBloomFilter m_discouraged{50000, 0.000001}; | |||
There was a problem hiding this comment.
A comment on the choice of nElements and nFPRate may be good here. These are the same as for filterInventoryKnown.
There was a problem hiding this comment.
review ACK 4c4df6b 🚆
Show signature and timestamp
Signature:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
review ACK 4c4df6bf61104a4946479fccc7885dc0fe05dbd8 🚆
-----BEGIN PGP SIGNATURE-----
iQGzBAEBCgAdFiEE+rVPoUahrI9sLGYTzit1aX5ppUgFAlwqrYAACgkQzit1aX5p
pUiFHgv/X2KHSRqmN8x9c5zLH7/3ZqkSkcMGsr1wMBS3GXDqAYv14lYl2xAG4iou
TAkeccq8MLDpARLeTtjVou1NhjFcEMZXciV55nF4y7GD8DianWdAeH0/yTlGfjdk
yuYGZJpQlHipSccFgOY+pf5pTS9Ph1XgHEabfU2mwGsMRHeo5wIGulBGHTH3oGPZ
r8aTkNv2o0hQ7Gm68g5k8+cYCcnPYTy8CdO/3CTJMjzY7fgg9ig/CuOWWAq3Pka1
IcxspupCNtwYKui+rFMXpLar78b1ABTLKGRX2iHBLs09bdOMZgO5jDDCooWx7YAV
ogNVxmb93p7kRiVtZschxRCnGDBnn6TGJKINNxKwfuwu8BPHilHOwWXmiKUF7EKh
MwVsVQGYrGz1+uSst4FYhwEXewC6o72kC/7t58mKy2hipyFhMhjQC/CW8v0M9Xsu
K4CIviPL/AphwRDhTff6nk1uot9VJHaC/JXxaJmnaXiYkckdlu9D2VaKe5n5dm58
gy6VugHp
=eVeU
-----END PGP SIGNATURE-----
Timestamp of file with hash efbc9feace2c4d03c3d87e850e69600a2022027bb9fda48388d15e2d99cfe379 -
|
Code review ACK 4c4df6b |
|
@luke-jr I don't think that's necessary. They (by default) have a 24 hour limit only, and during that time, they will just be treated as a real ban instead of a discouragement. |
|
This seems like an improvement, but it leaves the
It'd be nice to rationalize this so BanMan just had a setter |
|
@jnewbery Most of those things are no longer true, apart from the BanReason being superfluous now (there is a separate IsBannedOrDiscouraged). I think a follow-up can remove BanReason altogether, but I think it's preferable to not have a SetBanLevel - discouragement and banning are very different concepts (and it wouldn't be unreasonable to move discouragement elsewhere entirely). |
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
|
Concept ACK. |
|
@jnewbery agreed that the interface is a little odd now but think that should be dealt with in a separate pr |
|
You really should add a benchmark for this.. |
|
What happens if someone floods the filter with a big block of 1 million IPv6 addresses? |
|
Rolling Bloom filters only keep the last N elements added; 50000 in this case. Their performance is not affected by how many elements are kept. So worst case, being flooded with IPs would reduce the effectiveness of the filter in keeping broken peers out. |
|
Right, so you can flood the filter with even something like 150k inserts, saturate it to always return false positive, and then all peers are "equally discouraged" (meaning you have no ban policy anymore).... |
|
No, the false positive rate never goes above the specified one (0.000001 in this case). The rolling aspect discards old entries. |
|
@cculianu - I suggest you take a look at the |
|
Indeed, thanks for the explanation. |
|
Ok, so basically:
Got it. Thanks. |
|
@cculianu Indeed. Your numbers are a bit off: it only guarantees 50000 entries (it keeps up to 75000, but the last 25000 are removed whenever that number is exceeded). It also uses around 528 KiB (at an fprate of 1/1000000). |
|
Oh right.. it's 67k uint64's -> 528KiB. My bad. Hmm. For ~800KiB you could have just implemented a regular hash table (std::unordered_map, etc) or a std::unordered_set, clamped it to 50k items, and then had the ability to query it, iterate over it, show it in the UI, and/or remove individual items. |
|
@cculianu Yeah, we do have a limitedmap data structure that implements effectively that. Its memory usage is significantly worse though (because every entry in the map needs several pointers, plus dynamic allocation overhead). If I recall the number correctly it would be 4 MiB at least for 50000 entries. |
Signed-off-by: pasta <pasta@dashboost.org>
Signed-off-by: pasta <pasta@dashboost.org>
Signed-off-by: pasta <pasta@dashboost.org>
Co-authored-by: UdjinM6 <UdjinM6@users.noreply.github.com>
backport: bitcoin#15141, bitcoin#19219 (rewrite DoS interface, use discouragement filter)
backport: bitcoin#15141, bitcoin#15437, bitcoin#16240, bitcoin#18923, bitcoin#19219, bitcoin#19277, bitcoin#20016, bitcoin#20671 (auxiliary backports)
This patch improves performance and resource usage around IP addresses that are banned for misbehavior. They're already not actually banned since #14929, as connections from them are still allowed, but they are preferred for eviction if the inbound connection slots are full.
Stop treating these like manually banned IP ranges, and instead just keep them in a rolling Bloom filter of misbehaving nodes, which isn't persisted to disk or exposed through the ban framework. The effect remains the same: preferred for eviction, avoided for outgoing connections, and not relayed to other peers.
Also change the name of this mechanism to "discouraged" to better reflect reality.