transport: rate limit new connections (#3283)

This rate limits new connections to prevent DoS attacks. 

For effectively rate limiting QUIC connections, we now gate QUIC connection attempts before the handshake, so that we don't spend compute on handshakes for connections that will eventually be cancelled. 

We can only set a single ConnContext per quic-go Transport, as there's only 1 listener per quic-go Transport. So we cannot set a different ConnContext for listeners on the same address. 

As we're now gating QUIC connections before the handshake, we use source address verification to ensure that spoofed IPs cannot DoS new connections from a particular IP. This is done by ensuring that some of the connection attempts always verify the source address. We get DoS protection at the expense of increased latency of source address verification.

Author: sukunrt

.golangci.yml

@@ -10,6 +10,7 @@ linters:
     - prealloc
   disable:
     - errcheck
+    - staticcheck
 
   settings:
     revive:

config/config.go

@@ -380,8 +380,28 @@ func (cfg *Config) addTransports() ([]fx.Option, error) {
 		fxopts = append(fxopts, cfg.QUICReuse...)
 	} else {
 		fxopts = append(fxopts,
-			fx.Provide(func(key quic.StatelessResetKey, tokenGenerator quic.TokenGeneratorKey, lifecycle fx.Lifecycle) (*quicreuse.ConnManager, error) {
-				var opts []quicreuse.Option
+			fx.Provide(func(key quic.StatelessResetKey, tokenGenerator quic.TokenGeneratorKey, rcmgr network.ResourceManager, lifecycle fx.Lifecycle) (*quicreuse.ConnManager, error) {
+				opts := []quicreuse.Option{
+					quicreuse.ConnContext(func(ctx context.Context, clientInfo *quic.ClientInfo) (context.Context, error) {
+						// even if creating the quic maddr fails, let the rcmgr decide what to do with the connection
+						addr, err := quicreuse.ToQuicMultiaddr(clientInfo.RemoteAddr, quic.Version1)
+						if err != nil {
+							addr = nil
+						}
+						scope, err := rcmgr.OpenConnection(network.DirInbound, false, addr)
+						if err != nil {
+							return ctx, err
+						}
+						ctx = network.WithConnManagementScope(ctx, scope)
+						context.AfterFunc(ctx, func() {
+							scope.Done()
+						})
+						return ctx, nil
+					}),
+					quicreuse.VerifySourceAddress(func(addr net.Addr) bool {
+						return rcmgr.VerifySourceAddress(addr)
+					}),
+				}
 				if !cfg.DisableMetrics {
 					opts = append(opts, quicreuse.EnableMetrics(cfg.PrometheusRegisterer))
 				}

core/network/mocks/mock_resource_manager.go

@@ -1,6 +1,10 @@
 package network
 
 import (
+	"context"
+	"errors"
+	"net"
+
 	"github.com/libp2p/go-libp2p/core/peer"
 	"github.com/libp2p/go-libp2p/core/protocol"
 	"github.com/multiformats/go-multiaddr"
@@ -87,6 +91,10 @@ type ResourceManager interface {
 	// the end of the scope's span.
 	OpenConnection(dir Direction, usefd bool, endpoint multiaddr.Multiaddr) (ConnManagementScope, error)
 
+	// VerifySourceAddress tells the transport to verify the source address for an incoming connection
+	// before gating the connection with OpenConnection.
+	VerifySourceAddress(addr net.Addr) bool
+
 	// OpenStream creates a new stream scope, initially unnegotiated.
 	// An unnegotiated stream will be initially unattached to any protocol scope
 	// and constrained by the transient scope.
@@ -269,9 +277,30 @@ type ScopeStat struct {
 	Memory int64
 }
 
+// connManagementScopeKey is the key to store Scope in contexts
+type connManagementScopeKey struct{}
+
+func WithConnManagementScope(ctx context.Context, scope ConnManagementScope) context.Context {
+	return context.WithValue(ctx, connManagementScopeKey{}, scope)
+}
+
+func UnwrapConnManagementScope(ctx context.Context) (ConnManagementScope, error) {
+	v := ctx.Value(connManagementScopeKey{})
+	if v == nil {
+		return nil, errors.New("context has no ConnManagementScope")
+	}
+	scope, ok := v.(ConnManagementScope)
+	if !ok {
+		return nil, errors.New("context has no ConnManagementScope")
+	}
+	return scope, nil
+}
+
 // NullResourceManager is a stub for tests and initialization of default values
 type NullResourceManager struct{}
 
+var _ ResourceManager = (*NullResourceManager)(nil)
+
 var _ ResourceScope = (*NullScope)(nil)
 var _ ResourceScopeSpan = (*NullScope)(nil)
 var _ ServiceScope = (*NullScope)(nil)
@@ -306,6 +335,10 @@ func (n *NullResourceManager) OpenConnection(dir Direction, usefd bool, endpoint
 func (n *NullResourceManager) OpenStream(p peer.ID, dir Direction) (StreamManagementScope, error) {
 	return &NullScope{}, nil
 }
+func (*NullResourceManager) VerifySourceAddress(_ net.Addr) bool {
+	return false
+}
+
 func (n *NullResourceManager) Close() error {
 	return nil
 }
@@ -324,3 +357,4 @@ func (n *NullScope) ProtocolScope() ProtocolScope             { return &NullScop
 func (n *NullScope) SetProtocol(proto protocol.ID) error      { return nil }
 func (n *NullScope) ServiceScope() ServiceScope               { return &NullScope{} }
 func (n *NullScope) SetService(srv string) error              { return nil }
+func (n *NullScope) VerifySourceAddress(_ net.Addr) bool      { return false }

core/network/rcmgr.go

@@ -53,18 +53,18 @@ require (
 	github.com/pion/webrtc/v4 v4.0.14
 	github.com/prometheus/client_golang v1.21.0
 	github.com/prometheus/client_model v0.6.1
-	github.com/quic-go/quic-go v0.50.0
+	github.com/quic-go/quic-go v0.52.0
 	github.com/quic-go/webtransport-go v0.8.1-0.20241018022711-4ac2c9250e66
 	github.com/stretchr/testify v1.10.0
 	go.uber.org/fx v1.23.0
 	go.uber.org/goleak v1.3.0
-	go.uber.org/mock v0.5.0
+	go.uber.org/mock v0.5.2
 	go.uber.org/zap v1.27.0
-	golang.org/x/crypto v0.35.0
-	golang.org/x/sync v0.11.0
-	golang.org/x/sys v0.30.0
+	golang.org/x/crypto v0.37.0
+	golang.org/x/sync v0.14.0
+	golang.org/x/sys v0.33.0
 	golang.org/x/time v0.11.0
-	golang.org/x/tools v0.30.0
+	golang.org/x/tools v0.32.0
 	google.golang.org/protobuf v1.36.5
 )
 
@@ -74,7 +74,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/francoispqt/gojay v1.2.13 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
-	github.com/google/pprof v0.0.0-20250208200701-d0013a598941 // indirect
+	github.com/google/pprof v0.0.0-20250501235452-c0086092b71a // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
@@ -83,7 +83,7 @@ require (
 	github.com/minio/sha256-simd v1.0.1 // indirect
 	github.com/multiformats/go-base36 v0.2.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/onsi/ginkgo/v2 v2.22.2 // indirect
+	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 	github.com/pion/dtls/v2 v2.2.12 // indirect
 	github.com/pion/dtls/v3 v3.0.4 // indirect
 	github.com/pion/interceptor v0.1.37 // indirect
@@ -103,12 +103,13 @@ require (
 	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
 	github.com/wlynxg/anet v0.0.5 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/dig v1.18.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa // indirect
-	golang.org/x/mod v0.23.0 // indirect
-	golang.org/x/net v0.35.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.4.0 // indirect
 )