Finschia / ostracon

Ostracon, a consensus algorithm, is forked from Tendermint Core. We have added VRF to Tendermint BFT. It adds randomness to PoS Validator elections and improves security.
Apache License 2.0
70 stars, 28 forks

jsonrpc 2.0 batch request limits required #649

Closed zemyblue closed 1 year ago

zemyblue commented 1 year ago

Summary

jsonrpc 2.0 batch request limits required

Problem Definition

A DDoS attack is possible by requesting multiple queries in one request through the jsonrpc 2.0 batch request method. So I think it would be nice to control the jsonrpc 2.0 batch request limitation.

Proposal

JSON-RPC 2.0 is only handled in Ostracon's RPC server, on port 26657, and batch requests are performed in the following code: https://github.com/Finschia/ostracon/blob/4127ae7c6ac80fac48b2132401ef52431ffc67cd/rpc/jsonrpc/server/http_json_handler.go#L58-L103 So we can control the request size if we add a limitation feature in Ostracon and config.toml, for example max_request_batch_request.

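The limit proposed above, as an added example in Go that is not Ostracon's own code: a JSON-RPC 2.0 batch parser that stops decoding as soon as the configured maximum is exceeded, wrapped in an HTTP handler that also applies a body-size cap. The type rpcRequest, the functions parseBatch, buildBatch and batchLimitingHandler, and the constants maxBodyBytes and maxBatchRequests are all assumptions made for this example; the default batch limit of 10 follows the thread. Running main shows that a batch of 50 tiny requests is only a few kilobytes, well inside a 1 MiB body limit, yet is rejected by the batch-count limit, which is the difference between the two knobs discussed in this issue.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// rpcRequest is a minimal JSON-RPC 2.0 request shape for this example (assumption, not Ostracon's type).
type rpcRequest struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id,omitempty"`
	Method  string          `json:"method"`
	Params  json.RawMessage `json:"params,omitempty"`
}

// ErrBatchTooLarge is returned when a batch holds more requests than the configured maximum.
var ErrBatchTooLarge = errors.New("jsonrpc: batch request exceeds configured maximum")

// maxBodyBytes stands in for a body-size limit such as MaxBodyBytes (constructed value for the example).
const maxBodyBytes = 1 << 20

// maxBatchRequests is the hypothetical new knob from the issue, with the suggested default of 10.
const maxBatchRequests = 10

// parseBatch dispatches on array-vs-object like a JSON-RPC handler and enforces maxBatch
// while streaming: decoding stops at element maxBatch+1, so an oversized batch is never
// fully parsed or allocated before it is rejected.
func parseBatch(body []byte, maxBatch int) ([]rpcRequest, error) {
	trimmed := bytes.TrimSpace(body)
	if len(trimmed) == 0 {
		return nil, errors.New("jsonrpc: empty body")
	}
	if trimmed[0] != '[' { // a single request object is always allowed
		var single rpcRequest
		if err := json.Unmarshal(trimmed, &single); err != nil {
			return nil, fmt.Errorf("jsonrpc: invalid request: %w", err)
		}
		return []rpcRequest{single}, nil
	}
	dec := json.NewDecoder(bytes.NewReader(trimmed))
	if _, err := dec.Token(); err != nil { // consume the opening '['
		return nil, fmt.Errorf("jsonrpc: invalid batch: %w", err)
	}
	var batch []rpcRequest
	for dec.More() {
		if len(batch) >= maxBatch {
			return nil, fmt.Errorf("%w: more than %d requests", ErrBatchTooLarge, maxBatch)
		}
		var req rpcRequest
		if err := dec.Decode(&req); err != nil {
			return nil, fmt.Errorf("jsonrpc: invalid batch element %d: %w", len(batch), err)
		}
		batch = append(batch, req)
	}
	if _, err := dec.Token(); err != nil { // consume the closing ']'
		return nil, fmt.Errorf("jsonrpc: invalid batch: %w", err)
	}
	if len(batch) == 0 { // JSON-RPC 2.0 treats an empty array as an invalid request
		return nil, errors.New("jsonrpc: empty batch")
	}
	return batch, nil
}

// batchLimitingHandler applies the byte cap first, then the request-count cap.
func batchLimitingHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	reqs, err := parseBatch(body, maxBatchRequests)
	if errors.Is(err, ErrBatchTooLarge) {
		http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
		return
	}
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d request(s)\n", len(reqs))
}

// buildBatch constructs a batch of n tiny "status" requests as sample input.
func buildBatch(n int) []byte {
	reqs := make([]rpcRequest, n)
	for i := range reqs {
		reqs[i] = rpcRequest{JSONRPC: "2.0", ID: json.RawMessage(strconv.Itoa(i + 1)), Method: "status"}
	}
	b, _ := json.Marshal(reqs)
	return b
}

func main() {
	for _, n := range []int{3, 50} {
		body := buildBatch(n)
		rec := httptest.NewRecorder()
		req := httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(body))
		batchLimitingHandler(rec, req)
		fmt.Printf("batch of %d (%d bytes): HTTP %d %s", n, len(body), rec.Code, rec.Body.String())
	}
}
```

The count check is deliberately inside the decode loop rather than after a full json.Unmarshal: a body-size cap bounds bytes, but a few hundred kilobytes can still carry tens of thousands of small requests, and every one of them would be executed before a post-hoc length check ran.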

zemyblue commented 1 year ago

How about setting the default max_request_batch_request as 10?

ulbqb commented 1 year ago

https://github.com/Finschia/ostracon/blob/4cb2f6eb5d38d559b7d6a227cd583ca84eb24f87/config/config.go#L446-L446 I think we should check if using MaxBodyBytes is enough.