Closed Venthos closed 6 years ago
The limit enforced by this change is a "friendly limit" designed to stop legitimate users from unnecessarily taxing the pool with large worker counts. It may be advantageous for pool owners to help avoid malicious attacks by leveraging iptables in a fashion similar to the below:
```
iptables -A INPUT -p tcp --syn -m multiport --dports 3333,5555,7777,9000 -m connlimit --connlimit-above 75 -j REJECT --reject-with tcp-reset
```
This will refuse connections in excess of 75 simultaneous connections for the above listed ports. My pool has come "under attack" by some isolated DoS attacks (a few IPs opening 30,000+ simultaneous connections to a single mining port). Neither solution does anything to address DDoS attacks to the mining ports, however. You're going to have to sort that at a DC network level.
With CryptoNight based coins being profitable to mine on CPUs, this has encouraged botnets and webmining to become rampant. Some pools (SupportXMR.com, ITNSpool.net, and others) have posted rules that explicitly forbid botnets and malicious webmining, insisting that a proxy like xmr-node-proxy be used to alleviate undue load on the pool.
Rather than require the pool owner to watch and police this, it would be nice to allow a configurable maximum worker count per miner address. This would throw a clear error to the worker that they were denied for excessive worker count and should utilize a proxy instead.