-
Notifications
You must be signed in to change notification settings - Fork 1.6k
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
—peers-in/out is not limiting connections #6008
Comments
This comment was marked as outdated.
This comment was marked as outdated.
We have seen as many as 50+ active connections from a single IP address. (see "code snippet" below") Some guidance from the devs as to how may requests per second per IP address is acceptable. As well as how many simultaneous connections per IP is acceptable. Knowing this we can at least set up some filters.
|
Not sure if this is related but we are seeing this in the service logs as well... |
Is there any update on this please? As reported by another validator operator, this seem like a DDOS attack?
|
cc @niklasad1 (not sure whom to ping here) |
Shame on me, what is |
|
I can't find this in our logs |
A user provided this image... The desired peer count graph seems to indicate that the node is seeking to have over 1000 peers at all times. Is always "desiring" 1k+ peers a feature or bug? Further, the "polkadot_parachain_desired_peer_count" metric is only reported when the validator is in the active set. So we don't have any info on what its intensions are when inactive. |
If that is Kusama and a validator, then yes. Each validator is connected to each other validator plus validators of the previous session. |
Thank you, yes, this is a KSM validator. The validator does not appear automatically release these extra peers after they leave the active set. A node restart is required to force the peers back to "inactive" levels. Perhaps this is the issue, that brought up this topic? The fact that the full 1k+ peers linger when inactive? |
Could be that we don't clean this up. |
I think the point is that these connections poss. come from gossip and are not controlled/limited by —peers-in. |
We use so called "reserved sets" for parachain-core networking. If your validator is a parachain validator ( After that, validators in the active set should remove you from their "reserved set" and disconnect from you. Maybe we should change that and empty our reserved set. |
On my Kusama validator we often have 2500+ (3000-4000 while in active set) network connections.
These are visible with “sudo netstat -tuWan”. Add “| wc -l” to count the lines. Less than 20 connections are internal (Prometheus etc).
I added the —peers-in=25 and —peers-out=25 but this has no affect on the actual number of connections.
2 questions:
The text was updated successfully, but these errors were encountered: