Add dos and monitoring docs

[MarcoPolo]

Addresses libp2p/go-libp2p#1711.

Adds some documentation and links for libp2p monitoring and dos mitigation.

[mxinden]

Thank you @MarcoPolo for writing this up!

[mxinden]

Optional: I think a similar section on the number of connections would be helpful.

[BigLep]

Agreed.

[BigLep]

Thanks for doing this @MarcoPolo . It's great starting to get to see how this will be exposed to users.

I'm copying in some of the comments I had in https://www.notion.so/pl-strflt/Guide-for-how-to-respond-to-resource-exhaustion-attacks-b10f55cc9a3d4917ae80c9b914e05e8c

The information above is really helpful/good. Looking at this fresh, I think we need to paint a big picture. I view these a layering that someone should think about. I’m apt to order chronologically based on the lifecycle of a libp2p application from design, development, testing, and operating.

1. What are the steps I can take to protect my application? Basically what are all the defenses I can have in place before my application is deployed?
   1. (Should be thought about early) Architect application well with limiting blast radius as described above
   2. Give clear signal of problems as highlighted above by using canonicallog
   3. Setup/tune resource management for each libp2p node. Here we can link to resource manager docs. We have to make sure this is user-friendly. There are followups in More documentation around limits go-libp2p-resource-manager#68 to handle.
2. How do I know the health of my node? This is the monitoring doc.
3. What are the steps I can take when being attacked? If the steps above were taken, an attack shouldn’t fully compromise my node but it may degrade performance. Followup actions may be needed.
   1. Ban offending IPs. It’s best to automate this as shown above using fail2ban.
   2. Maybe something about using the denylist?

[BigLep]

Do we give guidance on when to use this mechanism vs. the resource manager? I see this is a good hook for custom logic, but it seems like what Prysm is doing could be covered by go-libp2p resource manager right?

[MarcoPolo]

Do we give guidance on when to use this mechanism vs. the resource manager?

No, but I could add something here.

I see this is a good hook for custom logic, but it seems like what Prysm is doing could be covered by go-libp2p resource manager right?

Not really. If you're trying to avoid an adversary that can connect to you and give you a ton of work to do all at once the rcmgr doesn't protect at all. This attack can easily be mitigated by rate limiting though.

Not all applications will want this rate limiting, or they may want to rate limit certain things (e.g. something in the protocol rather than in the connections). For example, if I'm Google I wouldn't want to rate limit any new connection to me. I would rather rate limit work per connection.

Should the rcmgr do this? I don't think so. It's not directly related to limiting the resources being used, and if it can be handled by a smaller component that already exists the better.

I hope that makes sense, but happy to expand more as well.

[BigLep]

Thanks @MarcoPolo for all the work here. I'm game to take one last look once comments are incorporated.

[BigLep]

You know more than me here. Would it be useful to use Identify as an example?

[BigLep]

From reading through this doc I don't think it's clear for a user on when to use the connmgr or the resource manager for go-libp2p.

[BigLep]

For Rust, I think we should draw more from https://www.notion.so/pl-strflt/rust-libp2p-2a62a76b60c54bd69aea2aa3760d6efe . At the minimum we should get a link to https://docs.rs/libp2p/latest/libp2p/swarm/struct.ConnectionLimits.html .

[BigLep]

Given connections happen before streams in an application's lifecycle, maybe move this above the section above?

[BigLep]

Can we give pointers on how to do this?

For go-libp2p this means using resource manager right?

For rust, this isn't at the connection level, but somewhere I think we should be linking to https://docs.rs/libp2p/latest/libp2p/swarm/struct.SwarmBuilder.html#method.max_negotiating_inbound_streams . Maybe we say, "rust-libp2p relies on each protocol to limit the number of streams per connection in XXX. A global upperbound on negotiating/transient inbound streams can be set using https://docs.rs/libp2p/latest/libp2p/swarm/struct.SwarmBuilder.html#method.max_negotiating_inbound_streams."

[MarcoPolo]

I should be more clear.

Here I'm talking about limiting the number of concurrent streams you need by design of the protocol, as opposed to using an existing protocol and trying to limit the streams at the end. For example imagine a RPC style protocol whose procedures are async and often take a long time to return (say > 1min). Here are two ways you could implement it:

1. Open a stream for each RPC call, and keep that stream open until the rpc call returns.
2. Open a stream for the start of the call then close it. The remote side will open a new stream with the answer.

Assume you make a lot of concurrent calls, method 1 would result in a large number of concurrent and mostly inactive streams. Method 2 would result in a fewer number of concurrent streams, and thus lower memory footprint.

If you add a limit here of say 10 streams, then method 1 will mean you can only have 10 concurrent RPC calls, while method 2 would let you have a much larger number of concurrent RPC calls.

Does that make sense? I should rephrase this to focus on the fact this is about protocol design (the inception stage of a p2p application) not about the deployed stage.

[BigLep]

Got it - makes sense.

Side: lets find/create a place to point to https://docs.rs/libp2p/latest/libp2p/swarm/struct.SwarmBuilder.html#method.max_negotiating_inbound_streams . Maybe there's a section about transient/negotiating connections and resources and that those should guarded against too. Go and Rust both have some protections here.

[MarcoPolo]

@BigLep Thanks for the review! I appreciate the help in getting us some good docs.

I believe I addressed all the comments. Another review would be very much appreciated.

[BigLep]

HI @MarcoPolo - good stuff. A few last comments but feel free to ship once incorporated. Good times!

[BigLep]

This is a rust-libp2p link.

[BigLep]

Suggested change

	Assume we make a lot of concurrent calls, method 1 would result in a large
	Assume we make a lot of concurrent calls. Method 1 would result in a large

[BigLep]

Suggested change

	implements their (Connection
	Gater)[https://github.com/prysmaticlabs/prysm/blob/63a8690140c00ba6e3e4054cac3f38a5107b7fb2/beacon-chain/p2p/connection_gater.go#L43].
	implements their (ConnectionGater)[https://github.com/prysmaticlabs/prysm/blob/63a8690140c00ba6e3e4054cac3f38a5107b7fb2/beacon-chain/p2p/connection_gater.go#L43].

Fixing the rendering issue here: https://bafybeid4zqncc4v5epc4urfvl5ajgnmqeksksk4xrgabdwaxxswpsigh6y.on.fleek.co/reference/dos-mitigation/#leverage-the-resource-manager-to-limit-resource-usage-go-libp2p-only

[MarcoPolo]

It's a misuse of (foo)[bar] vs [foo](bar)

[BigLep]

A few nitpics here:

1. We use connmgr and ConnManager
2. When we're hyperlinking, I think it's good to remove the ticks so it's clear that it's a hyperlink. (see screenshot of rendering)
3. We do "ConnManager" no space and "Resource Manager" with space.
4. Maybe the first time we talk about Resource Manager here we make it a hyperlink?

[MarcoPolo]

We do "ConnManager" no space and "Resource Manager" with space.

In go-libp2p-core they're called ConnManager and ResourceManager. Using Conn Manager feels weird and so does ResourceManager although happy to make one change or the other if you feel strongly.

When we're hyperlinking, I think it's good to remove the ticks so it's clear that it's a hyperlink. (see screenshot of rendering)

I think our template should support the fixed width + hyperlink. I'll see if I can fix it.

[MarcoPolo]

I think our template should support the fixed width + hyperlink. I'll see if I can fix it.

Fixed this by adding a text-decoration: underline css property.

[BigLep]

Looks great - lets ship!