checkpoints: reduce ban time to 300s

Author: vtnerd

src/cryptonote_basic/verification_context.h

@@ -71,5 +71,6 @@ namespace cryptonote
     bool m_partial_block_reward;
     bool m_bad_pow; // if bad pow, ban peer outright for DoS protection
     bool m_missing_txs; // set if, during verif, we don't have all the necessary txs available
+    bool m_failed_checkpoint;
   };
 }

src/cryptonote_config.h

@@ -154,6 +154,7 @@
 
 #define P2P_FAILED_ADDR_FORGET_SECONDS                  (60*60)     //1 hour
 #define P2P_IP_BLOCKTIME                                (60*60*24)  //24 hour
+#define P2P_IP_BLOCKTIME_LIGHT                          (60*5)      // 5 mins
 #define P2P_IP_FAILS_BEFORE_BLOCK                       10
 #define P2P_IDLE_CONNECTION_KILL_INTERVAL               (5*60) //5 minutes
 

src/cryptonote_core/blockchain.cpp

@@ -1885,6 +1885,7 @@ bool Blockchain::handle_alternative_block(const block& b, const crypto::hash& id
   {
     MERROR_VER("Block with id: " << id << std::endl << " can't be accepted for alternative chain, block height: " << block_height << std::endl << " blockchain height: " << get_current_blockchain_height());
     bvc.m_verifivation_failed = true;
+    bvc.m_failed_checkpoint = true;
     return false;
   }
 

src/cryptonote_protocol/cryptonote_protocol_handler.h

@@ -159,7 +159,7 @@ namespace cryptonote
     void drop_connection(cryptonote_connection_context &context, bool add_fail, bool flush_all_spans);
     void drop_connection_with_score(cryptonote_connection_context &context, unsigned int score, bool flush_all_spans);
     void drop_connection(const boost::uuids::uuid&);
-    void drop_connections(const epee::net_utils::network_address address);
+    void drop_connections(const epee::net_utils::network_address address, unsigned score = 5, bool block_light = false);
     bool kick_idle_peers();
     bool check_standby_peers();
     bool update_sync_search();

src/cryptonote_protocol/cryptonote_protocol_handler.inl

@@ -1527,7 +1527,7 @@ namespace cryptonote
 
             if(bvc.m_verifivation_failed)
             {
-              drop_connections(span_origin);
+              drop_connections(span_origin, 5, bvc.m_failed_checkpoint);
               if (!m_p2p->for_connection(span_connection_id, [&](cryptonote_connection_context& context, nodetool::peerid_type peer_id, uint32_t f)->bool{
                 LOG_PRINT_CCONTEXT_L1("Block verification failed, dropping connection");
                 drop_connection_with_score(context, bvc.m_bad_pow ? P2P_IP_FAILS_BEFORE_BLOCK : 1, true);
@@ -2821,11 +2821,11 @@ skip:
   }
   //------------------------------------------------------------------------------------------------------------------------
   template<class t_core>
-  void t_cryptonote_protocol_handler<t_core>::drop_connections(const epee::net_utils::network_address address)
+  void t_cryptonote_protocol_handler<t_core>::drop_connections(const epee::net_utils::network_address address, unsigned score, bool block_light)
   {
     MWARNING("dropping connections to " << address.str());
 
-    m_p2p->add_host_fail(address, 5);
+    m_p2p->add_host_fail(address, score, block_light);
 
     std::vector<boost::uuids::uuid> drop;
     m_p2p->for_each_connection([&](const connection_context& cntxt, nodetool::peerid_type peer_id, uint32_t support_flags) {

src/p2p/net_node.h

@@ -350,7 +350,7 @@ namespace nodetool
     virtual void request_callback(const epee::net_utils::connection_context_base& context);
     virtual void for_each_connection(std::function<bool(typename t_payload_net_handler::connection_context&, peerid_type, uint32_t)> f);
     virtual bool for_connection(const boost::uuids::uuid&, std::function<bool(typename t_payload_net_handler::connection_context&, peerid_type, uint32_t)> f);
-    virtual bool add_host_fail(const epee::net_utils::network_address &address, unsigned int score = 1);
+    virtual bool add_host_fail(const epee::net_utils::network_address &address, unsigned int score = 1, bool block_light = false);
     //----------------- i_connection_filter  --------------------------------------------------------
     virtual bool is_remote_host_allowed(const epee::net_utils::network_address &address, time_t *t = NULL);
     //----------------- i_connection_limit  ---------------------------------------------------------
@@ -509,6 +509,7 @@ namespace nodetool
 
     epee::critical_section m_host_fails_score_lock;
     std::map<std::string, uint64_t> m_host_fails_score;
+    std::map<std::string, uint64_t> m_host_fails_score_light;
 
     boost::mutex m_used_stripe_peers_mutex;
     std::array<std::list<epee::net_utils::network_address>, 1 << CRYPTONOTE_PRUNING_LOG_STRIPES> m_used_stripe_peers;

src/p2p/net_node.inl

@@ -403,20 +403,21 @@ namespace nodetool
   }
   //-----------------------------------------------------------------------------------
   template<class t_payload_net_handler>
-  bool node_server<t_payload_net_handler>::add_host_fail(const epee::net_utils::network_address &address, unsigned int score)
+  bool node_server<t_payload_net_handler>::add_host_fail(const epee::net_utils::network_address &address, unsigned int score, bool block_light)
   {
     if(!address.is_blockable())
       return false;
 
     CRITICAL_REGION_LOCAL(m_host_fails_score_lock);
-    uint64_t fails = m_host_fails_score[address.host_str()] += score;
+    auto& host_fails_score = block_light ? m_host_fails_score_light : m_host_fails_score;
+    uint64_t fails = host_fails_score[address.host_str()] += score;
     MDEBUG("Host " << address.host_str() << " fail score=" << fails);
     if(fails > P2P_IP_FAILS_BEFORE_BLOCK)
     {
-      auto it = m_host_fails_score.find(address.host_str());
-      CHECK_AND_ASSERT_MES(it != m_host_fails_score.end(), false, "internal error");
+      auto it = host_fails_score.find(address.host_str());
+      CHECK_AND_ASSERT_MES(it != host_fails_score.end(), false, "internal error");
       it->second = P2P_IP_FAILS_BEFORE_BLOCK/2;
-      block_host(address);
+      block_host(address, block_light ? P2P_IP_BLOCKTIME_LIGHT : P2P_IP_BLOCKTIME);
     }
     return true;
   }

src/p2p/net_node_common.h

@@ -64,7 +64,7 @@ namespace nodetool
     virtual bool unblock_host(const epee::net_utils::network_address &address)=0;
     virtual std::map<std::string, time_t> get_blocked_hosts()=0;
     virtual std::map<epee::net_utils::ipv4_network_subnet, time_t> get_blocked_subnets()=0;
-    virtual bool add_host_fail(const epee::net_utils::network_address &address, unsigned int score = 1)=0;
+    virtual bool add_host_fail(const epee::net_utils::network_address &address, unsigned int score = 1, bool block_light = false)=0;
     virtual void add_used_stripe_peer(const t_connection_context &context)=0;
     virtual void remove_used_stripe_peer(const t_connection_context &context)=0;
     virtual void clear_used_stripe_peers()=0;
@@ -122,7 +122,7 @@ namespace nodetool
     {
       return std::map<epee::net_utils::ipv4_network_subnet, time_t>();
     }
-    virtual bool add_host_fail(const epee::net_utils::network_address &address, unsigned int score)
+    virtual bool add_host_fail(const epee::net_utils::network_address &address, unsigned int score, bool block_light)
     {
       return true;
     }

tests/unit_tests/node_server.cpp

@@ -608,7 +608,7 @@ TEST(cryptonote_protocol_handler, race_condition)
         core_protocol->on_connection_close(context);
     }
     virtual ~net_node_t() override {}
-    virtual bool add_host_fail(const address_t&, unsigned int = {}) override {
+    virtual bool add_host_fail(const address_t&, unsigned int = {}, bool = {}) override {
       return {};
     }
     virtual bool block_host(address_t address, time_t = {}, bool = {}) override {