Constant zebrad::components::mempool::downloads::MAX_INBOUND_CONCURRENCY
source · pub const MAX_INBOUND_CONCURRENCY: usize = 25;
Expand description
The maximum number of concurrent inbound download and verify tasks.
We expect the mempool crawler to download and verify most mempool transactions, so this bound
can be small. But it should be at least the default network.peerset_initial_target_size
config,
to avoid disconnecting peers on startup.
§Security
We use a small concurrency limit, to prevent memory denial-of-service attacks.
The maximum transaction size is 2 million bytes. A deserialized malicious transaction with ~225_000 transparent outputs can take up 9MB of RAM. (See #1880 for more details.)
Malicious transactions will eventually timeout or fail validation. Once validation fails, the transaction is dropped, and its memory is deallocated.
Since Zebra keeps an inv
index, inbound downloads for malicious transactions
will be directed to the malicious node that originally gossiped the hash.
Therefore, this attack can be carried out by a single malicious node.