p2p: rate-limit incoming connections by IP

[tychoish]

implements simple incoming peer connection rate limiting both by time
window to prevent connection storms, and by count to prevent multiple
connections from the same peer.

This happens at the router level which means the transport layer could
still present a vector for some kind of disruption.

[codecov]

Codecov Report

Merging #6286 (d237bcb) into master (91506bf) will decrease coverage by 0.05%.
The diff coverage is 76.47%.

@@            Coverage Diff             @@
##           master    #6286      +/-   ##
==========================================
- Coverage   60.90%   60.84%   -0.06%     
==========================================
  Files         281      282       +1     
  Lines       26660    26707      +47     
==========================================
+ Hits        16237    16251      +14     
- Misses       8738     8771      +33     
  Partials     1685     1685              

Impacted Files	Coverage Δ
p2p/router.go	78.03% <58.33%> (-1.50%)	⬇️
p2p/conn_tracker.go	92.59% <92.59%> (ø)
libs/events/events.go	92.94% <0.00%> (-5.89%)	⬇️
blockchain/v0/pool.go	74.52% <0.00%> (-5.33%)	⬇️
privval/signer_server.go	89.47% <0.00%> (-5.27%)	⬇️
privval/signer_endpoint.go	78.78% <0.00%> (-3.04%)	⬇️
p2p/pex/pex_reactor.go	76.55% <0.00%> (-2.08%)	⬇️
evidence/reactor.go	72.80% <0.00%> (-1.76%)	⬇️
blockchain/v0/reactor.go	63.20% <0.00%> (-1.60%)	⬇️
p2p/transport_memory.go	85.13% <0.00%> (-1.36%)	⬇️
... and 12 more

[alexanderbez]

Great work @tychoish 👍

[alexanderbez]

Is 100ms kind of arbitrary or do you have some gut judgement here? (totally cool with either answer :-p)

[tychoish]

some of both? Mostly arbitrary, but also I can't imagine connection attempts more frequent than 100ms being a viable use case?

[alexanderbez]

It seems like this implementation should do the trick. Any reason you opted for a in-house implementation instead of a ready-to-use rate limier, e.g. https://github.com/sethvargo/go-limiter?

The above already garbage collects and maps directly to our API & needs. We can certainly keep this implementation, but I was just curious. Generally in favor of having to maintain less code :)

[tychoish]

This makes sense. I think it's pretty simple, and I don't see places where we're using go-limiter otherwise (and it looks like we'd need some kind of wrapper code/etc. anyway, so I'm not sure if it's a huge burden.) I put the rate-limiting behind an interface so we could change it later if we needed.