Limiting Connections

You can limit the number of connections to your nodes

Background

As you maintain your nodes, you may see multiple connections from the same peer trying to reach you. Normally you should see only 1 or 2 connections per relay IP. Many SPOs have shared instances where they saw up to 30 connections from a single IP address. There can be many reasons for these multiple connections, ranging from a misconfigured peer to an actual denial of service (DoS) attack.

Regardless of the reason, these multiple connections will eventually slow down your nodes and, in extreme circumstances, can prevent you from minting blocks.
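A quick way to check whether any peer is exceeding the 1 or 2 connections that are normal is to count established connections per remote IP on the relay port. The script below is an added example, not part of the original page: it reads `ss -tn`-style lines and flags every peer above a threshold. The sample output embedded in it is constructed for offline testing and assumes the relay listens on port 6101, the port used later on this page.

```shell
#!/bin/sh
# Added example (not from the original page): flag peers holding more than a
# given number of established TCP connections to the relay port.

RELAY_PORT=6101   # assumption: the relay port used elsewhere on this page
THRESHOLD=2       # the page treats 1 or 2 connections per relay IP as normal

# Print "count ip" for every peer with more than $2 established connections
# to local port $1. Input is `ss -tn` output on stdin:
#   State Recv-Q Send-Q Local Address:Port Peer Address:Port
busy_peers() {
    port="$1"; limit="$2"
    awk -v port="$port" -v limit="$limit" '
        $1 == "ESTAB" {
            # column 4 is the local address:port; keep only the port
            n = split($4, l, ":"); if (l[n] != port) next
            # column 5 is the peer address:port; strip the trailing :port
            # (works for dotted IPv4 and for bracketed IPv6 alike)
            peer = $5; sub(/:[0-9]+$/, "", peer)
            count[peer]++
        }
        END { for (peer in count) if (count[peer] > limit) print count[peer], peer }
    ' | sort -rn
}

# Constructed sample in the layout of `ss -tn` (addresses are documentation ranges).
SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.5:6101 1.2.3.4:51234
ESTAB 0 0 10.0.0.5:6101 1.2.3.4:51235
ESTAB 0 0 10.0.0.5:6101 1.2.3.4:51236
ESTAB 0 0 10.0.0.5:6101 1.2.3.4:51237
ESTAB 0 0 10.0.0.5:6101 1.2.3.4:51238
ESTAB 0 0 10.0.0.5:6101 198.51.100.7:40001
ESTAB 0 0 10.0.0.5:6101 198.51.100.7:40002
ESTAB 0 0 10.0.0.5:6101 198.51.100.7:40003
ESTAB 0 0 10.0.0.5:6101 203.0.113.9:33000
ESTAB 0 0 [2001:db8::1]:6101 [2001:db8::2]:50000
TIME-WAIT 0 0 10.0.0.5:6101 1.2.3.4:51200
ESTAB 0 0 10.0.0.5:22 203.0.113.9:50000
ESTAB 0 0 10.0.0.5:22 203.0.113.9:50001
ESTAB 0 0 10.0.0.5:22 203.0.113.9:50002'

# Run on the constructed sample; on a real relay use: ss -tn | busy_peers 6101 2
printf '%s\n' "$SAMPLE" | busy_peers "$RELAY_PORT" "$THRESHOLD"
```

Only ESTAB entries on the relay port are counted, so the TIME-WAIT entry and the SSH sessions in the sample do not inflate the numbers; on the sample this prints `5 1.2.3.4` and `3 198.51.100.7`. Running `ss -tn | busy_peers 6101 2` on a relay gives the list of candidates for the two remediations below.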

Remediation

There are many ways to mitigate the effects of these unwanted multiple connections. I'll share two of them with you:

Solution 1: Block the IP address

The most basic solution is to block the IP address that is making multiple connections to your node. For example, if the offending IP address is 1.2.3.4, you can deny it with the following ufw command:

sudo ufw deny from 1.2.3.4

Restart your cardano node service to refresh its connection list.

Solution 2: Limit Connections

Blocking IP addresses one at a time is a manual activity, so a better solution is to set up rules that limit the number of connections each IP can make to your relays.

To do this, open the /etc/ufw/before.rules file and look for these lines:

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End of required lines

The following is a sample rule you can add after the above lines:

# Limit to 3 concurrent connections on port 6101 per IP
-A ufw-before-input -p tcp --syn --dport 6101 -m connlimit --connlimit-above 3 -j DROP

The above rule limits the number of concurrent connections from any single IP to 3 on port 6101, which is the port number of this particular relay. Please change these numbers according to your configuration.
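Editing before.rules by hand on several relays is error-prone, so here is an added example (not from the original page) that generates the same connlimit rule for a chosen port and limit and inserts it directly after the required-lines block, without adding it twice. The file path, port and limit are parameters; the sample rules file it writes is constructed for offline testing and only mimics the header of the real /etc/ufw/before.rules.

```shell
#!/bin/sh
# Added example (not from the original page): insert a per-IP connlimit rule
# into a before.rules-style file right after "# End of required lines".

# Print the rule text for port $1 and connection limit $2, in the same shape
# as the rule shown on this page.
connlimit_rule() {
    printf -- '-A ufw-before-input -p tcp --syn --dport %s -m connlimit --connlimit-above %s -j DROP\n' "$1" "$2"
}

# Insert the rule for port $2 / limit $3 into file $1 after the required-lines
# block. A second call with the same port and limit changes nothing.
add_connlimit_rule() {
    file="$1"; rule="$(connlimit_rule "$2" "$3")"
    if grep -qF -- "$rule" "$file"; then
        return 0                                    # already present
    fi
    grep -q '^# End of required lines' "$file" || {
        echo "marker '# End of required lines' not found in $file" >&2
        return 1
    }
    tmp="$(mktemp)"
    awk -v rule="$rule" -v port="$2" -v limit="$3" '
        { print }
        /^# End of required lines/ {
            print ""
            print "# Limit to " limit " concurrent connections on port " port " per IP"
            print rule
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"      # keep the original file mode
    rm -f "$tmp"
}

# Write a constructed stand-in for /etc/ufw/before.rules to path $1 (test data,
# not the real file: only the required-lines header and a loopback rule).
write_sample_rules() {
    cat > "$1" <<'EOF'
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End of required lines

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
COMMIT
EOF
}

# Demo on a temporary copy; for a real relay run it against /etc/ufw/before.rules
# as root and then apply with: sudo ufw reload
demo="$(mktemp)"
write_sample_rules "$demo"
add_connlimit_rule "$demo" 6101 3
cat "$demo"
rm -f "$demo"
```

After applying the change with `sudo ufw reload`, `sudo iptables -S ufw-before-input | grep connlimit` shows the rule as loaded. The connlimit match counts per source address by default (a /32 mask for IPv4), which is what "per IP" means in the rule's comment; raise the limit if a legitimate peer needs more than 3 concurrent connections.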
