improve handling of IHAVE floods

gossipsub.go

@@ -94,6 +94,7 @@ func NewGossipSub(ctx context.Context, h host.Host, opts ...Option) (*PubSub, er
 		gossip:   make(map[peer.ID][]*pb.ControlIHave),
 		control:  make(map[peer.ID]*pb.ControlMessage),
 		backoff:  make(map[string]map[peer.ID]time.Time),
+		peerhave: make(map[peer.ID]int),
 		iasked:   make(map[peer.ID]int),
 		connect:  make(chan connectInfo, GossipSubMaxPendingConnections),
 		mcache:   NewMessageCache(GossipSubHistoryGossip, GossipSubHistoryLength),
@@ -211,7 +212,8 @@ type GossipSubRouter struct {
 	lastpub  map[string]int64                 // last publish time for fanout topics
 	gossip   map[peer.ID][]*pb.ControlIHave   // pending gossip
 	control  map[peer.ID]*pb.ControlMessage   // pending control messages
-	iasked  map[peer.ID]int                  // messages we have asked for in the last heartbeat
+	peerhave map[peer.ID]int                  // number of IHAVEs received from peer in the last heartbeat
+	iasked   map[peer.ID]int                  // number of messages we have asked from peer in the last heartbeat
 	backoff  map[string]map[peer.ID]time.Time // prune backoff
 	connect  chan connectInfo                 // px connection requests
 	mcache   *MessageCache
@@ -374,6 +376,12 @@ func (gs *GossipSubRouter) handleIHave(p peer.ID, ctl *pb.ControlMessage) []*pb.
 	}
 
 	// IHAVE flood protection
+	if gs.peerhave[p] > 2 {
+		log.Debugf("IHAVE: peer %s has advertised too many times within this heartbeat interval; ignoring", p)
+		return nil
+	}
+	gs.peerhave[p]++
+
 	if gs.iasked[p] >= GossipSubMaxIHaveLength {
 		log.Debugf("IHAVE: peer %s has already advertised too many messages; ignoring", p)
 		return nil
@@ -892,7 +900,7 @@ func (gs *GossipSubRouter) heartbeat() {
 	gs.clearBackoff()
 
 	// clean up iasked counters
-	gs.clearIasked()
+	gs.clearIHaveCounters()
 
 	// ensure direct peers are connected
 	gs.directConnect()
@@ -1066,7 +1074,12 @@ func (gs *GossipSubRouter) heartbeat() {
 	gs.mcache.Shift()
 }
 
-func (gs *GossipSubRouter) clearIasked() {
+func (gs *GossipSubRouter) clearIHaveCounters() {
+	if len(gs.peerhave) > 0 {
+		// throw away the old map and make a new one
+		gs.peerhave = make(map[peer.ID]int)
+	}
+
 	if len(gs.iasked) > 0 {
 		// throw away the old map and make a new one
 		gs.iasked = make(map[peer.ID]int)

gossipsub_spam_test.go

@@ -215,13 +215,11 @@ func TestGossipsubAttackSpamIHAVE(t *testing.T) {
 
 					// Should have sent more IWANTs after the heartbeat
 					iwc = getIWantCount()
-					if iwc <= GossipSubMaxIHaveLength {
+					if iwc == firstBatchCount {
 						t.Fatal("Expecting to receive more IWANTs after heartbeat but did not")
 					}
 					// Should not be more than the maximum per heartbeat
-					// note that we multiply by 2 because things may come in the middle of the heartbeat which
+					if iwc-firstBatchCount > GossipSubMaxIHaveLength {
-					// results in a reset of the heartbeat counter (has been observed in travis)
-					if iwc-firstBatchCount > 2*GossipSubMaxIHaveLength {
 						t.Fatalf("Expecting max %d IWANTs per heartbeat but received %d", GossipSubMaxIHaveLength, iwc-firstBatchCount)
 					}
 				}()