ethersphere / bee-backlog

zenhub epics repo

Accounting in protocols should be done regardless of the result of the request #37

Open acud opened 2 years ago

acud commented 2 years ago

We've seen a large allowance of requests on the retrieval protocol, which is a large attack surface, as an attacker can just request a lot of chunks that don't exist, resulting in a large number of requests issued across the network without any consequence. This needs to be rectified such that the accounting is done immediately after the initial request message is read by the other side, such that a requester always pays, regardless of whether the data is found or not on the network.

acud commented 2 years ago

As a suggestion from @metacertain, we can (and probably should) keep track of the number of requests queued on the downstream peer to make sure that a malicious node that has no intention of respecting limits cannot get away with it.
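
Added illustration (not part of the thread and not Bee code): a Go sketch of the two measures discussed in this issue, debiting the requester as soon as the request is read and capping the number of requests queued per peer. The `Accountant` type, its fields, the error values and the prices are hypothetical names and constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Hypothetical names throughout; none are taken from the Bee code base.
var ErrOverdraft, ErrQueueFull = errors.New("peer balance exhausted"), errors.New("too many queued requests for peer")

type Accountant struct {
	mu              sync.Mutex
	balance, queued map[string]int // remaining credit / requests in flight, per peer
	price, maxQueue int
}

// admit runs as soon as the request is read: queue limit first, then the debit.
func (a *Accountant) admit(peer string) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	switch {
	case a.queued[peer] >= a.maxQueue:
		return ErrQueueFull
	case a.balance[peer] < a.price:
		return ErrOverdraft
	}
	a.balance[peer] -= a.price
	a.queued[peer]++
	return nil
}

// HandleRetrieval never refunds: a miss costs the requester as much as a hit.
func (a *Accountant) HandleRetrieval(peer, addr string, lookup func(string) ([]byte, error)) ([]byte, error) {
	if err := a.admit(peer); err != nil {
		return nil, err
	}
	defer func() { a.mu.Lock(); a.queued[peer]--; a.mu.Unlock() }()
	return lookup(addr)
}

func main() {
	a := &Accountant{balance: map[string]int{"peerA": 25}, queued: map[string]int{}, price: 10, maxQueue: 4} // constructed sample
	miss := func(string) ([]byte, error) { return nil, errors.New("chunk not found") }
	for i := 0; i < 3; i++ { // three requests for a chunk that does not exist
		_, err := a.HandleRetrieval("peerA", "missing", miss)
		fmt.Println(err, a.balance["peerA"])
	}
}
```

In this sketch a request rejected by the queue limit is refused before any debit; whether such a request should also be charged is a policy choice the thread does not settle.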