by jameshilliard
1139 days ago
> it's an issue. it shouldn't be possible to pull a range of 2000 block headers in an unthrottled way from a remote bitcoin node.

Bulk header requesting is used as part of the initial block download; that's literally how it's designed to work: https://developer.bitcoin.org/devguide/p2p_network.html#head...

> while you make some valid points - i find it humorous that you have tasked yourself with defining what constitutes a security vulnerability.

Pretty much every internet-connected service can be attacked with various forms of volumetric denial of service attacks, and there are many mitigation measures available. You've implemented the bitcoin p2p protocol attack equivalent of curl in a while loop; that's not really something one would typically consider to be a real vulnerability.

> furthermore - you may want to examine https://bitnodes.io/nodes/ and come to a realistic figure of how many machines running bitcoind aren't accepting tcp/8333 from 0.0.0.0

First of all, it's trivial to create fake nodes that show up on sites like that, so I wouldn't really trust the numbers there. Also, it's easy for bitcoin users to add more real nodes if/when needed due to an attack: similar to how one can add more cloud application servers when there is a load increase or DDoS attack on a web service, the bitcoin network can add nodes if/when there is a need to mitigate these types of attacks.
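To make the "many mitigation measures available" point concrete, here is an added example (not code from the comment above and not Bitcoin Core's actual peer-management logic) of the simplest server-side control for this kind of volumetric request pattern: a per-peer token bucket in front of header-range requests. The `HeaderRequestThrottle` class, its burst/refill/ban parameters, and the simulated request traces are all hypothetical; the 2000-header range is the figure quoted in the thread. It contrasts a peer doing normal initial block download (one range request per second) with a peer issuing the same request in a tight loop, and shows how many header messages each would actually be served.

```python
"""Hypothetical per-peer throttle for bulk header requests (illustrative, not Bitcoin Core code)."""
from collections import defaultdict

MAX_HEADERS_PER_REPLY = 2000  # range size mentioned in the thread


class HeaderRequestThrottle:
    """Token bucket per peer: `burst` requests up front, then `refill_per_sec` more per second.

    Peers that keep hammering after their bucket is empty accumulate strikes and are
    eventually refused outright. All thresholds here are made-up defaults for the demo.
    """

    def __init__(self, burst=10, refill_per_sec=1.0, ban_threshold=50):
        self.burst = float(burst)
        self.refill = float(refill_per_sec)
        self.ban_threshold = ban_threshold
        self.tokens = defaultdict(lambda: self.burst)  # per-peer remaining allowance
        self.last_seen = {}                              # per-peer timestamp of last request
        self.strikes = defaultdict(int)                  # refused requests per peer
        self.banned = set()

    def allow(self, peer, now):
        """Return True if this header request should be served, False if refused."""
        if peer in self.banned:
            return False
        last = self.last_seen.get(peer, now)
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens[peer] = min(self.burst, self.tokens[peer] + (now - last) * self.refill)
        self.last_seen[peer] = now
        if self.tokens[peer] >= 1.0:
            self.tokens[peer] -= 1.0
            return True
        self.strikes[peer] += 1
        if self.strikes[peer] >= self.ban_threshold:
            self.banned.add(peer)
        return False


def simulate(throttle, requests):
    """Feed (timestamp, peer) requests through the throttle in order.

    Returns {peer: {"served": n, "refused": n, "headers_sent": n}} so the cost of
    serving each peer can be compared.
    """
    stats = defaultdict(lambda: {"served": 0, "refused": 0, "headers_sent": 0})
    for ts, peer in sorted(requests):
        if throttle.allow(peer, ts):
            stats[peer]["served"] += 1
            stats[peer]["headers_sent"] += MAX_HEADERS_PER_REPLY
        else:
            stats[peer]["refused"] += 1
    return dict(stats)


def demo():
    """Constructed traffic: an IBD-style peer vs. a 'curl in a while loop' peer."""
    honest = [(t, "ibd-peer") for t in range(10)]                     # one request per second
    looper = [(i * 0.01, "loop-peer") for i in range(500)]            # 100 requests per second
    return simulate(HeaderRequestThrottle(), honest + looper)


if __name__ == "__main__":
    for peer, s in demo().items():
        print(f"{peer}: served={s['served']} refused={s['refused']} headers_sent={s['headers_sent']}")
```

The honest peer is never refused, because its request rate stays below the refill rate, while the looping peer gets only its initial burst plus a handful of refilled requests over the same window and ends up refused entirely. Real deployments layer this with connection limits, bandwidth accounting, and outbound peer selection; the point of the example is only that request-rate limiting for header ranges is a routine control, not something that requires a protocol change.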