Skip to content

Update QUIC flood control for shared validator IPs#2306

Open
EmelyanenkoK wants to merge 4 commits into
ton-blockchain:testnetfrom
EmelyanenkoK:fine-flood-control
Open

Update QUIC flood control for shared validator IPs#2306
EmelyanenkoK wants to merge 4 commits into
ton-blockchain:testnetfrom
EmelyanenkoK:fine-flood-control

Conversation

@EmelyanenkoK

Copy link
Copy Markdown
Member

This change fixes the case where multiple validators behind the same IP interfere with each other due to QUIC flood control.

It makes two changes:

  1. RFC1918 private IPv4 ranges are no longer subject to per-IP QUIC flood control:
  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  1. Validator endpoints can use separate flood buckets by exact ip:port, so multiple validators on the same public IP no longer
    consume the same per-IP flood quota.

The global new-connection limiter is unchanged.

What changed

  • QuicServer flood control is now bucket-based:
  • RFC1918 source -> bypass per-IP flood bucket
  • protected validator endpoint -> bucket by exact ip:port
  • all other traffic -> bucket by ip
  • The selected flood bucket is stored on accepted inbound connections and reused on close, so accounting stays correct even if
    protection state changes later.
  • Added protected-endpoint registration in QUIC.
  • QuicSender now tracks protected validator peers per local ADNL ID, resolves their exact endpoints, and updates the QUIC server
    with those endpoints.
  • ValidatorGroup now registers current validator-set peers as protected on session start and unregisters them on destroy.
  • Added CLI/config knobs in validator-engine:
  • --quic-exempt-private-rfc1918-from-per-ip-flood
  • --quic-protect-validator-endpoints-from-shared-ip-flood

Both are enabled by default.

Notes

  • This change does not increase the numeric flood limits.
  • It changes how inbound QUIC connections are bucketed for flood-control purposes.
  • The scope of protected peers in this patch is the current validator set.

@github-actions

Copy link
Copy Markdown
  1. Medium: protected peer endpoint resolution has no retry path, so a transient get_peer_node/address miss leaves that peer permanently unprotected unless an outbound reconnect happens later.
    quic/quic-sender.cpp:485 returns immediately on error, and there is no periodic/backoff re-resolution for entries still present in protected_peers_. This can silently defeat the new shared-IP protection for inbound-only peers.

  2. Medium: RFC1918 exemption bypasses both concurrent flood buckets and per-bucket new-connection rate limiting, not just per-IP bucket sharing.
    quic/quic-server.cpp:232 returns nullopt for private IPv4, and quic/quic-server.cpp:247 then skips conn_rate_limiters_.take_new_connection(...). On private but untrusted networks, this creates a much weaker limiter than before (only global limiter remains). Consider keeping a per-endpoint limiter for exempt ranges if that is not intentional.

@EmelyanenkoK EmelyanenkoK marked this pull request as draft April 18, 2026 17:12
@EmelyanenkoK EmelyanenkoK marked this pull request as ready for review April 19, 2026 11:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant