Unexpected quick connection retries to the same host: Outgoing DDoS Detection by Hetzner · ipfs/kubo#10250

(12 评论) (0 反应) (0 负责人)Go (13,906 star) (2,725 fork)batch import

help wantedkind/bugneed/analysisneed/community-input

描述

Checklist

This is a bug report, not a question. Ask questions on discuss.ipfs.io.
I have searched on the issue tracker for my bug.
I am running the latest kubo version or have an issue updating.

Installation method

ipfs-update or dist.ipfs.tech

Version

ipfs version --all
Kubo version: 0.24.0
Repo version: 15
System version: amd64/linux
Golang version: go1.21.3

Config

{
  "API": {
    "HTTPHeaders": {}
  },
  "Addresses": {
    "API": "/ip4/0.0.0.0/tcp/5001",
    "Announce": [],
    "AppendAnnounce": null,
    "Gateway": "/ip4/0.0.0.0/tcp/8080",
    "NoAnnounce": [
      "/ip4/10.0.0.0/ipcidr/8",
      "/ip4/100.64.0.0/ipcidr/10",
      "/ip4/169.254.0.0/ipcidr/16",
      "/ip4/172.16.0.0/ipcidr/12",
      "/ip4/192.0.0.0/ipcidr/24",
      "/ip4/192.0.2.0/ipcidr/24",
      "/ip4/192.168.0.0/ipcidr/16",
      "/ip4/198.18.0.0/ipcidr/15",
      "/ip4/198.51.100.0/ipcidr/24",
      "/ip4/203.0.113.0/ipcidr/24",
      "/ip4/240.0.0.0/ipcidr/4",
      "/ip6/100::/ipcidr/64",
      "/ip6/2001:2::/ipcidr/48",
      "/ip6/2001:db8::/ipcidr/32",
      "/ip6/fc00::/ipcidr/7",
      "/ip6/fe80::/ipcidr/10"
    ],
    "Swarm": [
      "/ip4/0.0.0.0/tcp/4001",
      "/ip6/::/tcp/4001",
      "/ip4/0.0.0.0/udp/4001/quic",
      "/ip4/0.0.0.0/udp/4001/quic-v1",
      "/ip4/0.0.0.0/udp/4001/quic-v1/webtransport",
      "/ip6/::/udp/4001/quic",
      "/ip6/::/udp/4001/quic-v1",
      "/ip6/::/udp/4001/quic-v1/webtransport"
    ]
  },
  "AutoNAT": {},
  "Bootstrap": [
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb",
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmcZf59bWwK5XFi76CZX8cbJ4BhTzzA3gU1ZjYZcYW3dwt",
    "/ip4/104.131.131.82/tcp/4001/p2p/QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ",
    "/ip4/104.131.131.82/udp/4001/quic/p2p/QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ",
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN",
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa"
  ],
  "DNS": {
    "Resolvers": null
  },
  "Datastore": {
    "BloomFilterSize": 8388608,
    "GCPeriod": "1h",
    "HashOnRead": false,
    "Spec": {
      "mounts": [
        {
          "child": {
            "path": "blocks",
            "shardFunc": "/repo/flatfs/shard/v1/next-to-last/3",
            "sync": false,
            "type": "flatfs"
          },
          "mountpoint": "/blocks",
          "prefix": "flatfs.datastore",
          "type": "measure"
        },
        {
          "child": {
            "compression": "none",
            "path": "datastore",
            "type": "levelds"
          },
          "mountpoint": "/",
          "prefix": "leveldb.datastore",
          "type": "measure"
        }
      ],
      "type": "mount"
    },
    "StorageGCWatermark": 90,
    "StorageMax": "20T"
  },
  "Discovery": {
    "MDNS": {
      "Enabled": false,
      "Interval": 10
    }
  },
  "Experimental": {
    "FilestoreEnabled": false,
    "GraphsyncEnabled": false,
    "Libp2pStreamMounting": false,
    "OptimisticProvide": false,
    "OptimisticProvideJobsPoolSize": 0,
    "P2pHttpProxy": false,
    "StrategicProviding": false,
    "UrlstoreEnabled": false
  },
  "Gateway": {
    "APICommands": [],
    "DeserializedResponses": null,
    "DisableHTMLErrors": null,
    "ExposeRoutingAPI": null,
    "HTTPHeaders": {
      "Access-Control-Allow-Headers": [
        "X-Requested-With",
        "Range",
        "User-Agent"
      ],
      "Access-Control-Allow-Methods": [
        "GET"
      ],
      "Access-Control-Allow-Origin": [
        "*"
      ]
    },
    "NoDNSLink": false,
    "NoFetch": false,
    "PathPrefixes": [],
    "PublicGateways": null,
    "RootRedirect": "",
    "Writable": false
  },
  "Identity": {
    "PeerID": "..."
  },
  "Internal": {
    "Bitswap": {
      "EngineBlockstoreWorkerCount": 16,
      "EngineTaskWorkerCount": 8,
      "MaxOutstandingBytesPerPeer": 1048576,
      "ProviderSearchDelay": null,
      "TaskWorkerCount": 8
    }
  },
  "Ipns": {
    "RecordLifetime": "",
    "RepublishPeriod": "",
    "ResolveCacheSize": 128
  },
  "Migration": {
    "DownloadSources": null,
    "Keep": ""
  },
  "Mounts": {
    "FuseAllowOther": false,
    "IPFS": "/ipfs",
    "IPNS": "/ipns"
  },
  "Peering": {
    "Peers": [
      ...
    ]
  },
  "Pinning": {},
  "Plugins": {
    "Plugins": null
  },
  "Provider": {
    "Strategy": ""
  },
  "Pubsub": {
    "DisableSigning": false,
    "Router": ""
  },
  "Reprovider": {
    "Interval": "0s",
    "Strategy": "roots"
  },
  "Routing": {
    "AcceleratedDHTClient": false,
    "Methods": null,
    "Routers": null,
    "Type": "autoclient"
  },
  "Swarm": {
    "AddrFilters": [
      "/ip4/10.0.0.0/ipcidr/8",
      "/ip4/100.64.0.0/ipcidr/10",
      "/ip4/169.254.0.0/ipcidr/16",
      "/ip4/172.16.0.0/ipcidr/12",
      "/ip4/192.0.0.0/ipcidr/24",
      "/ip4/192.0.2.0/ipcidr/24",
      "/ip4/192.168.0.0/ipcidr/16",
      "/ip4/198.18.0.0/ipcidr/15",
      "/ip4/198.51.100.0/ipcidr/24",
      "/ip4/203.0.113.0/ipcidr/24",
      "/ip4/240.0.0.0/ipcidr/4",
      "/ip6/100::/ipcidr/64",
      "/ip6/2001:2::/ipcidr/48",
      "/ip6/2001:db8::/ipcidr/32",
      "/ip6/fc00::/ipcidr/7",
      "/ip6/fe80::/ipcidr/10"
    ],
    "ConnMgr": {
      "GracePeriod": "20s",
      "HighWater": 128,
      "LowWater": 64,
      "Type": "basic"
    },
    "DisableBandwidthMetrics": false,
    "DisableNatPortMap": true,
    "RelayClient": {},
    "RelayService": {},
    "ResourceMgr": {
      "Enabled": true,
      "MaxMemory": "8 GB"
    },
    "Transports": {
      "Multiplexers": {},
      "Network": {},
      "Security": {}
    }
  }
}

Description

Hetzner detected an outgoing DDOS from running kubo:

Abuse Message [AbuseID:D5244A:2C]: DDoSOutLevel: Outgoing DDoS Detection; SRC: [xx.xx.xx.xx], DST: [86.84.231.48]

We have indications that there was an attack from your server. Please take all necessary measures to avoid this in the future and to solve the issue.

##############################################################################    
#      DDoS-Attack detected from host xx.xx.xx.xx                           #    
##############################################################################    
    
    
TIME                                 SRC              ->  DST              SIZE  PROT  SRC-PORT  DST-PORT    
----------------------------------------------------------------------------------------------------------    
2023-12-09 21:55:48.62946843  +0000  xx.xx.xx.xx     ->  86.84.231.48      131   TCP      4001      4001    
2023-12-09 21:55:48.636624923 +0000  xx.xx.xx.xx     ->  86.84.231.48      125   TCP      4001      4001    
2023-12-09 21:55:48.65691599  +0000  xx.xx.xx.xx     ->  86.84.231.48      125   TCP      4001      4001    
2023-12-09 21:55:48.676951656 +0000  xx.xx.xx.xx     ->  86.84.231.48       82   TCP      4001      4001    
2023-12-09 21:55:48.68339217  +0000  xx.xx.xx.xx     ->  86.84.231.48      125   TCP      4001      4001    
2023-12-09 21:55:48.689840641 +0000  xx.xx.xx.xx     ->  86.84.231.48     1537   TCP      4001      4001    
2023-12-09 21:55:48.697183818 +0000  xx.xx.xx.xx     ->  86.84.231.48       82   TCP      4001      4001    
2023-12-09 21:55:48.704837033 +0000  xx.xx.xx.xx     ->  86.84.231.48      131   TCP      4001      4001    
2023-12-09 21:55:48.720577474 +0000  xx.xx.xx.xx     ->  86.84.231.48      125   TCP      4001      4001    
2023-12-09 21:55:48.737214402 +0000  xx.xx.xx.xx     ->  86.84.231.48      307   TCP      4001      4001    
2023-12-09 21:55:48.777546548 +0000  xx.xx.xx.xx     ->  86.84.231.48       52   TCP      4001      4001    
2023-12-09 21:55:51.482935619 +0000  xx.xx.xx.xx     ->  86.84.231.48       40   TCP      4001      4001    
2023-12-09 21:55:51.690973777 +0000  xx.xx.xx.xx     ->  86.84.231.48       40   TCP      4001      4001    
2023-12-09 21:55:51.894931229 +0000  xx.xx.xx.xx     ->  86.84.231.48       40   TCP      4001      4001    
2023-12-09 21:55:52.313679904 +0000  xx.xx.xx.xx     ->  86.84.231.48       40   TCP      4001      4001    
2023-12-09 21:55:53.165124965 +0000  xx.xx.xx.xx     ->  86.84.231.48       40   TCP      4001      4001    
2023-12-09 21:55:54.969556665 +0000  xx.xx.xx.xx     ->  86.84.231.48       40   TCP      4001      4001

Note: I redacted my node source IP

I was told in IPFS Discord that was unexepected because Kubo is supposed to use some backoff retry strategy.

贡献者指南

技术栈: go
领域: backendperformance
议题类型: bug
难度: 3
预计时间: 1-2 days
活动状态: active
清晰度: clear
前置要求: Go programmingbasic understanding of libp2pfamiliarity with IPFS node configuration
新手友好度: 40
研究方向: Investigate the connection manager's retry/backoff logic in the libp2p library used by Kubo. Look at the 'swarm' package for connection handling, specifically the ConnMgr. Check why rapid reconnections are occurring despite expected backoff. Examine the configuration parameters like GracePeriod, HighWater, LowWater to see if they affect retry behavior. Also review related issues or PRs in the ipfs/kubo repository for prior discussions.