p2p: protect addnode peers during IBD #32051

pull jonatack wants to merge 4 commits into bitcoin:master from jonatack:2025-03-addnode-p2p changing 2 files +17 −8
  1. jonatack commented at 3:27 am on March 13, 2025: member

    When an addnode peer is disconnected by our IBD headers/blocks download timeout or stalling logic, ThreadOpenAddedConnections attempts to immediately reconnect it (unless “onetry” was passed to the addnode RPC) up to the limit of 8 addnode connections that is separate from regular peer connection limits.

    During IBD in a low-bandwidth environment, I see these disconnections+reconnections very frequently with high-quality addnode peers; see https://www.erisian.com.au/bitcoin-core-dev/log-2025-01-22.html#l-85. The logging for these disconnections was: “Peer is stalling block download, disconnecting .” The ping times of the affected peers were often 20-100 seconds.

    After IBD, I continue to see the following addnode peer disconnections, albeit much less frequently: “Timeout downloading block , disconnecting .”

    This is probably network, resource and time intensive to an extent, particularly in the case of I2P peers that involves destroying and rebuilding 2 tunnels per peer connection, and worth avoiding where it is simple to do so.

    Automatic (non-manually added) peers are also disconnected, but they are a different category and case (non-trusted non-protected peers, no immediate reconnection) that would require monitoring over time to adjust the timeouts accordingly; mzumsande was looking into this (see https://www.erisian.com.au/bitcoin-core-dev/log-2025-01-22.html#l-105).

    The goal of this pull is therefore to avoid unnecessary disconnections/immediate reconnections of addnode peers.

  2. p2p: allow BLOCK_STALLING_TIMEOUT_MAX for addnode peers 921b89e1d4
  3. DrahtBot commented at 3:27 am on March 13, 2025: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32051.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK pinheadmz, yuvicc
    Concept ACK vasild, enirox001, hodlinator, 1440000bytes, l0rinc

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  4. DrahtBot added the label P2P on Mar 13, 2025
  5. fanquake commented at 3:33 am on March 13, 2025: member 
    0[23:32:25.656] /ci_container_base/src/rpc/net.cpp:310:125: error: invalid operands to binary expression ('const char[198]' and 'const char[196]')
1[23:32:25.656]                 "Nodes added using addnode (or -connect) are protected from disconnection due to DoS or IBD header/block\n" +
2[23:32:25.656]                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
3[23:32:25.656] 1 error generated.
  6. jonatack force-pushed on Mar 13, 2025
  7. DrahtBot commented at 3:35 am on March 13, 2025: contributor

    🚧 At least one of the CI tasks failed. Debug: https://github.com/bitcoin/bitcoin/runs/38682150505

    Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

    • Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    • A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

    • An intermittent issue.

    Leave a comment here, if you need help tracking down a confusing failure.

  8. DrahtBot added the label CI failed on Mar 13, 2025
  9. p2p: don't disconnect addnode peers for block download timeout 3463a7f481
  10. p2p: don't disconnect addnode peers for slow initial-headers-sync 64b956f422
  11. rpc, doc: update addnode documentation 93b07997e9
  12. jonatack force-pushed on Mar 13, 2025
  13. DrahtBot removed the label CI failed on Mar 13, 2025
  14. jonatack marked this as ready for review on Mar 13, 2025
  15. jonatack commented at 3:32 pm on March 13, 2025: member
    Ready for review.
  16. in src/net_processing.cpp:5806 in 93b07997e9 
    5802@@ -5801,16 +5803,21 @@ bool PeerManagerImpl::SendMessages(CNode* pto)
5803             return true;
5804         }
5805         // In case there is a block that has been in flight from this peer for block_interval * (1 + 0.5 * N)
5806-        // (with N the number of peers from which we're downloading validated blocks), disconnect due to timeout.
5807+        // (with N the number of peers from which we're downloading validated blocks), disconnect due to timeout
    yancyribbens commented at 4:58 pm on March 14, 2025: 
    0        // (with N being the number of peers from which we're downloading validated blocks), disconnect due to timeout
    l0rinc commented at 9:29 pm on August 14, 2025:
    Agree, since you’re already touching it, consider updating for grammatical correctness
  17. in src/net_processing.cpp:5818 in 3463a7f481 outdated 
    5816-                LogInfo("Timeout downloading block %s, %s\n", queuedBlock.pindex->GetBlockHash().ToString(), pto->DisconnectMsg(fLogIPs));
5817-                pto->fDisconnect = true;
5818+                if (pto->IsManualConn()) {
5819+                    LogInfo("Timeout downloading block %s from addnode peer, not %s\n", queuedBlock.pindex->GetBlockHash().ToString(), pto->DisconnectMsg(fLogIPs));
5820+                } else {
5821+                    LogInfo("Timeout downloading block %s, %s\n", queuedBlock.pindex->GetBlockHash().ToString(), pto->DisconnectMsg(fLogIPs));
    mzumsande commented at 5:38 pm on March 17, 2025:
    This is not the timeout specific for IBD stalling but the general one (which is generally longer). So we’d still disconnect for stalling (see log message “Peer is stalling block download”) - is that on purpose / can you explain a bit more the reasoning behind this?
  18. mzumsande commented at 5:45 pm on March 17, 2025: contributor

    I think the main conceptual question is what should happen in the case of a stalling situation where the addnode peer is actually slow and causing congestion?

    While we have more trust in manual peers than automatic ones, I don’t think that means the trust should be without bounds. Even trusted nodes can become unresponsive temporarily (e.g. very slow internet). I’m not sure if we should give one addnode peer the power to let our entire IBD come to a halt completely.

    An alternative would be to not give these peers unlimited time but clear their block requests (so that these blocks can be requested from other peers) so that they wouldn’t be disconnected but also wouldn’t be able to stall us indefinitely.

  19. hodlinator commented at 10:56 pm on March 28, 2025: contributor

    I think the main conceptual question is what should happen in the case of a stalling situation where the addnode peer is actually slow and causing congestion?

    Maybe one could add yet another option to make manually specified nodes be treated with extra leniency? First I was thinking that maybe we could treat -connect-nodes vs -addnodes differently automatically in this respect. But it would be more natural for -connect to be protected, and your (jonatack’s) use-case is -addnode from what I gather.

  20. ajtowns commented at 0:13 am on April 24, 2025: contributor

    I think the main conceptual question is what should happen in the case of a stalling situation where the addnode peer is actually slow and causing congestion?

    IMHO: It could be nice if we could “score” peers during IBD, and scale the number of blocks we request from them at once according to that score. In that case, automatic peers with low scores would get dropped, and manual peers with low scores would just not get any blocks requested.

  21. jonatack commented at 0:21 am on April 24, 2025: member
    Appreciate the thoughtful feedback. I’ll look at an update.
  22. in src/net_processing.cpp:5816 in 3463a7f481 outdated 
    5814             int nOtherPeersWithValidatedDownloads = m_peers_downloading_from - 1;
5815             if (current_time > state.m_downloading_since + std::chrono::seconds{consensusParams.nPowTargetSpacing} * (BLOCK_DOWNLOAD_TIMEOUT_BASE + BLOCK_DOWNLOAD_TIMEOUT_PER_PEER * nOtherPeersWithValidatedDownloads)) {
5816-                LogInfo("Timeout downloading block %s, %s\n", queuedBlock.pindex->GetBlockHash().ToString(), pto->DisconnectMsg(fLogIPs));
5817-                pto->fDisconnect = true;
5818+                if (pto->IsManualConn()) {
5819+                    LogInfo("Timeout downloading block %s from addnode peer, not %s\n", queuedBlock.pindex->GetBlockHash().ToString(), pto->DisconnectMsg(fLogIPs));
    naiyoma commented at 9:15 am on April 30, 2025:
    nit: I think the message can be a bit clearer, e.g., “Timeout downloading block %s from manual peer (addnode/connect), not disconnecting
  23. 1440000bytes commented at 1:23 am on May 23, 2025: none
    Concept ACK
  24. achow101 added the label Review club on May 23, 2025
  25. vasild commented at 6:23 am on May 23, 2025: contributor

    Concept ACK to improve this, but:

    what should happen in the case of a stalling situation where the addnode peer is actually slow and causing congestion? … one addnode peer the power to let our entire IBD come to a halt completely

    Would it be too difficult to request a given block from more than one peer concurrently? That is, if a block is requested from a peer and not received within some time, then request it from other(s) as well, but don’t cancel the original request. Then we take the block from whoever delivers it first. Subsequent receptions of the block from others would be an excess/redundant traffic, but I guess that is ok, if this technique is used carefully. Is this the same:

    An alternative would be to not give these peers unlimited time but clear their block requests (so that these blocks can be requested from other peers)

  26. in src/net_processing.cpp:5840 in 64b956f422 outdated 
    5838                         LogInfo("Timeout downloading headers, %s\n", pto->DisconnectMsg(fLogIPs));
5839                         pto->fDisconnect = true;
5840                         return true;
5841                     } else {
5842-                        LogInfo("Timeout downloading headers from noban peer, not %s\n", pto->DisconnectMsg(fLogIPs));
5843+                        LogInfo("Timeout downloading headers from %s peer, not %s\n", pto->IsManualConn() ? "addnode" : "noban", pto->DisconnectMsg(fLogIPs));
    pinheadmz commented at 2:41 pm on May 23, 2025:

    64b956f4220300254126b166deb97849b236c2ed

    Nit: could you use NetPermissions::ToStrings(NetPermissionFlags flags) just to avoid hard coding things?

  27. pinheadmz commented at 2:46 pm on May 23, 2025: member

    concept ACK and untested code review 93b07997e9

    I believe this also closes an 11-year-old issue: #5097

  28. DrahtBot requested review from vasild on May 23, 2025
  29. pinheadmz commented at 2:48 pm on May 23, 2025: member

    I think the main conceptual question is what should happen in the case of a stalling situation where the addnode peer is actually slow and causing congestion?

    If we’re considering a case where the user specifically chooses specific peers for IBD for privacy or whatever reasons, don’t we just let them have the slow sync they trade-off for?

  30. yuvicc commented at 1:54 pm on May 26, 2025: contributor
    Concept ACK
  31. yuvicc commented at 8:17 am on May 28, 2025: contributor

    Code Review ACK 93b07997e9a38523f5ab850aa32ca57983fd2552

    I’ve made a review notes for this pr -> here

  32. stringintech commented at 9:13 am on May 28, 2025: contributor

    An alternative would be to not give these peers unlimited time but clear their block requests (so that these blocks can be requested from other peers) so that they wouldn’t be disconnected but also wouldn’t be able to stall us indefinitely.

    This makes sense, as the PR tries to achieve a similar goal with initial headers sync timeouts in commit 64b956f - when a timeout occurs, the sync state is reset to allow retrying with other peers while preserving the connection, and the PR extends this behavior to also apply to addnode peers.

  33. enirox001 commented at 7:23 pm on May 28, 2025: contributor

    Concept ACK and Code Review ACK.

    I think the PR’s increased timeout tolerance for addnode peers is valuable. Given my limited domain knowledge, I’d suggest test coverage on potential silent stalls to ensure blocks are efficiently re-requested

  34. achow101 commented at 10:24 pm on June 2, 2025: member

    I think the main conceptual question is what should happen in the case of a stalling situation where the addnode peer is actually slow and causing congestion?

    I’d like to see this addressed before moving forward here.

    Maybe one could add yet another option to make manually specified nodes be treated with extra leniency?

    It could be a whitebind/whitelist option.

  35. in src/net_processing.cpp:5816 in 93b07997e9 
    5814             int nOtherPeersWithValidatedDownloads = m_peers_downloading_from - 1;
5815             if (current_time > state.m_downloading_since + std::chrono::seconds{consensusParams.nPowTargetSpacing} * (BLOCK_DOWNLOAD_TIMEOUT_BASE + BLOCK_DOWNLOAD_TIMEOUT_PER_PEER * nOtherPeersWithValidatedDownloads)) {
5816-                LogInfo("Timeout downloading block %s, %s\n", queuedBlock.pindex->GetBlockHash().ToString(), pto->DisconnectMsg(fLogIPs));
5817-                pto->fDisconnect = true;
5818+                if (pto->IsManualConn()) {
5819+                    LogInfo("Timeout downloading block %s from addnode peer, not %s\n", queuedBlock.pindex->GetBlockHash().ToString(), pto->DisconnectMsg(fLogIPs));
    hodlinator commented at 1:49 pm on June 3, 2025:
    Is there any risk that this log message becomes spammy if we keep the peer connected? - Should we do something like reset state.m_downloading_since to current_time, clear state.vBlocksInFlight or add another state-field to throttle the log?
    l0rinc commented at 7:27 pm on August 14, 2025:
    While it could still be spammy, #32604 should mitigate it somewhat.
  36. pinheadmz commented at 1:55 pm on June 3, 2025: member
    @achow101 re: slow preferred peer “causing congestion” – wouldn’t this only affect the single user who explicitly set the preferred peer?
  37. hodlinator commented at 2:15 pm on June 3, 2025: contributor
    Concept ACK 93b07997e9a38523f5ab850aa32ca57983fd2552
  38. achow101 commented at 0:28 am on July 4, 2025: member

    @achow101 re: slow preferred peer “causing congestion” – wouldn’t this only affect the single user who explicitly set the preferred peer?

    Yes, however I have seen people post on various forums suggestions of specific nodes that they can addnode, and users may be addnode’ing such nodes without realizing that there are potential adverse consequences of doing so. Generally, I would prefer to have things that change how we treat nodes be limited to the whitelist options rather than addnode also implying that those nodes will get specific special treatment.

  39. fanquake referenced this in commit 5d17e64a02 on Jul 15, 2025
  40. glozow commented at 3:16 pm on August 11, 2025: member
    What’s the status / are you still working on this? It doesn’t look like #32051 (comment) has been addressed
  41. jonatack commented at 3:30 pm on August 11, 2025: member
    Yes, I plan to update this as mentioned at the last meeting: https://www.erisian.com.au/bitcoin-core-dev/log-2025-08-07.html#l-302
  42. in src/net_processing.cpp:5789 in 921b89e1d4 outdated 
    5785@@ -5786,7 +5786,9 @@ bool PeerManagerImpl::SendMessages(CNode* pto)
5786 
5787         // Detect whether we're stalling
5788         auto stalling_timeout = m_block_stalling_timeout.load();
5789-        if (state.m_stalling_since.count() && state.m_stalling_since < current_time - stalling_timeout) {
5790+        // Allow more time for addnode peers
    l0rinc commented at 7:46 pm on August 14, 2025:

    I find it a bit confusing, I’d prefer separating stall detection logic from the action we take. Peers are stalling regardless of whether they’re added manually or not, so the stalling logic should be unaffected.

    I think we should always log when a stall is detected, even for manual peers, so operators can see what’s happening:

    • for automatic peers, disconnect as usual;
    • for manual peers, only disconnect if they exceed BLOCK_STALLING_TIMEOUT_MAX - otherwise keep them connected.

    That way the logs clearly show tolerated stalls, and the policy difference is obvious without blending it into the timeout calculation, something like:

     0diff --git a/src/net_processing.cpp b/src/net_processing.cpp
 1--- a/src/net_processing.cpp	(revision 8405fdb06e8ff3220590bfac84e98547067ec6b7)
 2+++ b/src/net_processing.cpp	(date 1755201170971)
 3@@ -5814,14 +5814,16 @@
 4             // the download window should be much larger than the to-be-downloaded set of blocks, so disconnection
 5             // should only happen during initial block download.
 6             LogInfo("Peer is stalling block download, %s\n", pto->DisconnectMsg(fLogIPs));
 7-            pto->fDisconnect = true;
 8-            // Increase timeout for the next peer so that we don't disconnect multiple peers if our own
 9-            // bandwidth is insufficient.
10-            const auto new_timeout = std::min(2 * stalling_timeout, BLOCK_STALLING_TIMEOUT_MAX);
11-            if (stalling_timeout != new_timeout && m_block_stalling_timeout.compare_exchange_strong(stalling_timeout, new_timeout)) {
12-                LogDebug(BCLog::NET, "Increased stalling timeout temporarily to %d seconds\n", count_seconds(new_timeout));
13-            }
14-            return true;
15+            if (!pto->IsManualConn() || state.m_stalling_since < current_time - BLOCK_STALLING_TIMEOUT_MAX) { // Allow more time for addnode peers
16+                pto->fDisconnect = true;
17+                // Increase timeout for the next peer so that we don't disconnect multiple peers if our own
18+                // bandwidth is insufficient.
19+                const auto new_timeout = std::min(2 * stalling_timeout, BLOCK_STALLING_TIMEOUT_MAX);
20+                if (stalling_timeout != new_timeout && m_block_stalling_timeout.compare_exchange_strong(stalling_timeout, new_timeout)) {
21+                    LogDebug(BCLog::NET, "Increased stalling timeout temporarily to %d seconds\n", count_seconds(new_timeout));
22+                }
23+                return true;
24+            }
25         }
26         // In case there is a block that has been in flight from this peer for block_interval * (1 + 0.5 * N)
27         // (with N the number of peers from which we're downloading validated blocks), disconnect due to timeout.

    I would also prefer seeing a motivation being explained in the commit message for this change, maybe something like:

    0p2p: allow BLOCK_STALLING_TIMEOUT_MAX for addnode peers
1
2When a manually added peer stalls during IBD, the default timeout is often too short for high-latency/low-bandwidth environments.
3This results in frequent disconnect/reconnect cycles, especially over Tor/I2P, which are wasteful and slow down IBD.
4
5This change uses `BLOCK_STALLING_TIMEOUT_MAX` for manual peers when detecting block download stalls, giving them a longer grace period before disconnection.
6Non-manual peers keep the existing timeout and behavior.
  43. in src/net_processing.cpp:5820 in 3463a7f481 outdated 
    5818+                if (pto->IsManualConn()) {
5819+                    LogInfo("Timeout downloading block %s from addnode peer, not %s\n", queuedBlock.pindex->GetBlockHash().ToString(), pto->DisconnectMsg(fLogIPs));
5820+                } else {
5821+                    LogInfo("Timeout downloading block %s, %s\n", queuedBlock.pindex->GetBlockHash().ToString(), pto->DisconnectMsg(fLogIPs));
5822+                    pto->fDisconnect = true;
5823+                }
    l0rinc commented at 9:37 pm on August 14, 2025:

    We’re logging very similarly in both cases, most of the message and params are duplicated, I think it would help if we extracted the differences in code instead of heaving to compile both in our heads, e.g. something like:

    0                LogInfo("Timeout downloading block %s (%s)",
1                    queuedBlock.pindex->GetBlockHash().ToString(),
2                    pto->IsManualConn() ? "addnode peer, keeping" : pto->DisconnectMsg(fLogIPs));
3                pto->fDisconnect = !pto->IsManualConn();

    Note: that the fDisconnect value is also simpler if we assign it unconditionally

    Or if @mzumsande is correct and this is meant to be done in the condition above, consider:

    0LogInfo("Peer is stalling block download (%s)\n",
1        pto->IsManualConn() ? "addnode peer, keeping" : pto->DisconnectMsg(fLogIPs));
2pto->fDisconnect = !pto->IsManualConn();
  44. in src/net_processing.cpp:5830 in 64b956f422 outdated 
    5825@@ -5826,17 +5826,18 @@ bool PeerManagerImpl::SendMessages(CNode* pto)
5826             // Detect whether this is a stalling initial-headers-sync peer
5827             if (m_chainman.m_best_header->Time() <= NodeClock::now() - 24h) {
5828                 if (current_time > peer->m_headers_sync_timeout && nSyncStarted == 1 && (m_num_preferred_download_peers - state.fPreferredDownload >= 1)) {
5829-                    // Disconnect a peer (without NetPermissionFlags::NoBan permission) if it is our only sync peer,
5830+                    // Disconnect a peer (if it is neither an addnode peer, nor has
5831+                    // NetPermissionFlags::NoBan permission) if it is our only sync peer
    l0rinc commented at 9:53 pm on August 14, 2025:

    I find this nesting quite confusing now, consider something like:

    0                    // If this peer is our only active sync peer, and we have other peers
1                    // available for syncing, disconnect it - unless it is an addnode peer
2                    // or has NetPermissionFlags::NoBan permission.
  45. in src/rpc/net.cpp:308 in 93b07997e9 
    306@@ -307,7 +307,8 @@ static RPCHelpMan addnode()
307     return RPCHelpMan{"addnode",
308                 "\nAttempts to add or remove a node from the addnode list.\n"
    l0rinc commented at 9:56 pm on August 14, 2025:
    This needs a rebase
  46. in src/rpc/net.cpp:311 in 93b07997e9 
    306@@ -307,7 +307,8 @@ static RPCHelpMan addnode()
307     return RPCHelpMan{"addnode",
308                 "\nAttempts to add or remove a node from the addnode list.\n"
309                 "Or try a connection to a node once.\n"
310-                "Nodes added using addnode (or -connect) are protected from DoS disconnection and are not required to be\n"
311+                "Nodes added using addnode (or -connect) are protected from disconnection due to DoS or IBD header/block\n"
312+                "download timeouts (and given more time before considered to be stalling), and are not required to be\n"
    l0rinc commented at 9:59 pm on August 14, 2025: 
    0                "download timeouts (and are given more time before being considered stalled), and are not required to be\n"
  47. l0rinc changes_requested
  48. l0rinc commented at 10:00 pm on August 14, 2025: contributor
    Concept ACK


jonatack DrahtBot fanquake yancyribbens l0rinc mzumsande hodlinator ajtowns naiyoma 1440000bytes vasild pinheadmz yuvicc stringintech enirox001 achow101 glozow


vasild

Labels
P2P Review club

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-08-15 15:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me