A DoS attack vector

qwertytrewq · July 16, 2024, 5:16pm

The following is a DoS attack vector:

Notice that a user or a group of users uses a given subnet.
Keep creating new canisters and use their memory, until creation of a new canister in this subnet becomes impossible.

So, the user after this won’t be able to use memory resources of “his” subnet.

Proposed defense: Allow to create a subnet with a set of “controllers”. Only controllers would be able to create a new canister on the subnet. Controllers also are able to change the set of controllers.

Severin · July 17, 2024, 7:42am

There is already such a mechanism. This function on the CMC shows the mapping of which principal is allowed to target which subnet

qwertytrewq · July 17, 2024, 8:02am

How is this mapping decided?

Severin · July 17, 2024, 8:04am

By proposals. I don’t remember which topic they’re under

Topic		Replies	Views
Announcing New Security Best Practices Documentation: Protect Against Denial of Service (DoS) Attacks Developers	4	208	September 14, 2024
DOS Protection Capabilities to SmartCanisters Developers	1	272	December 24, 2022
Proposal 126769: Update list of default subnets Governance	2	2020	December 21, 2023
Not Authorized to Create Canisters on Public Subnet Command Line Tools dfx	5	50	February 4, 2025
How to protect against DoS attacks? Developers	3	168	June 8, 2024

A DoS attack vector

Related topics