SearchV2 DOS protection #1357

New issue

Open

opened 2025-12-28 17:22:41 +00:00 by sami · 4 comments

sami commented 2025-12-28 17:22:41 +00:00

Owner

Copy link

Originally created by @roman-khimov on GitHub (Feb 24, 2025).

Is your feature request related to a problem? Please describe.

I'm always frustrated when I realize that specifically crafted SearchV2 requests can make the node spend a lot of CPU cycles for nothing. Normal requests that want to quickly find something are no longer a problem, but some other can be.

Describe the solution you'd like

Add an iteration limit to the SearchV2 implementation. If we're making like 10K iterations with no results we're done, internal error is returned. The parameter is node-specific with this 10K default.

Describe alternatives you've considered

Time limits, but they're harder to check.

Additional context

#3058

Originally created by @roman-khimov on GitHub (Feb 24, 2025). ## Is your feature request related to a problem? Please describe. I'm always frustrated when I realize that specifically crafted SearchV2 requests can make the node spend a lot of CPU cycles for nothing. Normal requests that want to quickly find something are no longer a problem, but some other can be. ## Describe the solution you'd like Add an iteration limit to the SearchV2 implementation. If we're making like 10K iterations with no results we're done, internal error is returned. The parameter is node-specific with this 10K default. ## Describe alternatives you've considered Time limits, but they're harder to check. ## Additional context #3058

sami added the

neofs-storage

I3

U3

security

S3

config

labels 2025-12-28 17:22:41 +00:00

sami commented 2025-12-28 17:22:42 +00:00

Author

Owner

Copy link

@carpawell commented on GitHub (Feb 24, 2025):

What "iterations" means here?

@carpawell commented on GitHub (Feb 24, 2025): What "iterations" means here?

sami commented 2025-12-28 17:22:42 +00:00

Author

Owner

Copy link

@roman-khimov commented on GitHub (Feb 24, 2025):

Keys evaluated as per primary index.

@roman-khimov commented on GitHub (Feb 24, 2025): Keys evaluated as per primary index.

sami commented 2025-12-28 17:22:42 +00:00

Author

Owner

Copy link

@carpawell commented on GitHub (Feb 24, 2025):

So your suggestion does not allow to find (10K+1)th element ever?

@carpawell commented on GitHub (Feb 24, 2025): So your suggestion does not allow to find (10K+1)th element ever?

sami commented 2025-12-28 17:22:42 +00:00

Author

Owner

Copy link

@roman-khimov commented on GitHub (Feb 24, 2025):

SV2 works with 1000 items returned along with the continuation token normally and this will still work for regular uses since there is just 1000 iterations per request. But if you have 6M objects in a container you can create a query for non-existing object and I don't want to scan 6M (or whatever per-node share of it) of entries to answer that.

@roman-khimov commented on GitHub (Feb 24, 2025): SV2 works with 1000 items returned along with the continuation token normally and this will still work for regular uses since there is just 1000 iterations per request. But if you have 6M objects in a container you can create a query for non-existing object and I don't want to scan 6M (or whatever per-node share of it) of entries to answer that.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

put-ants-pool

lens-meta-resync

policer-boost-mode

fix-shard-evacuation-for-ec

fstree-head-buffer

initial-placement

test-metadata-contract

head-proxy-buffer

feat/meta-data-native-contract

local-head-buffer

head-local-bin

test/notary-lock

feat/meta-side-chain

notary-set-attribute

search-1000

ec-put-parallel

fix/incorrect-TS-placement

new-object-structure

get-forwarding

test-bolt

logs

decrease-prototick

bugfix/listen-maxobjsize-changes

2684-api-server-optimize-sig-verify

v0.51.1

v0.51.0

v0.50.2

v0.50.1

v0.50.0

v0.49.1

v0.49.0

v0.48.3

v0.48.2

v0.48.1

v0.48.0

v0.47.1

v0.47.0

v0.46.1

v0.46.0

v0.45.2

v0.45.1

v0.45.0

v0.44.2

v0.44.1

v0.44.0

v0.43.0

v0.42.1

v0.42.0

v0.41.1

v0.41.0

v0.40.1

v0.40.0

v0.39.2

v0.39.1

v0.39.0

v0.38.1

v0.38.0

v0.37.0

v0.36.1

v0.36.0

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.2

v0.30.1

v0.30.0

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.28.0-rc.3

v0.27.7

v0.27.6

v0.28.0-rc.2

v0.28.0-rc.1

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27.0

v0.27.0-rc.1

v0.26.1

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.1

v0.23.0

v0.22.3

v0.22.2

v0.22.1

v0.22.0

v0.21.1

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.14.0-rc.1

v0.13.2

v0.13.1

v0.13.0

v0.13.0-rc.1

v0.12.1

v0.12.0

v0.12.0-rc3

v0.12.0-rc2

v0.12.0-rc1

v0.11.0

v0.10.0

Labels

Clear labels   

I1

  

I2

  

I3

  

I4

  

S0

  

S1

  

S2

  

S3

  

S4

  

U0

  

U1

  

U2

  

U3

  

U4

  

blocked

  

bug

  

config

  

dependencies

  

discussion

  

documentation

  

enhancement

  

enhancement

  

epic

  

feature

  

go

  

good first issue

  

help wanted

  

neofs-adm

  

neofs-cli

  

neofs-cli

  

neofs-cli

  

neofs-ir

  

neofs-lens

  

neofs-storage

  

neofs-storage

  

performance

  

question

  

security

  

task

  

test

  

windows

No labels

I1

I2

I3

I4

S0

S1

S2

S3

S4

U0

U1

U2

U3

U4

blocked

bug

config

dependencies

discussion

documentation

enhancement

enhancement

epic

feature

go

good first issue

help wanted

neofs-adm

neofs-cli

neofs-cli

neofs-cli

neofs-ir

neofs-lens

neofs-storage

neofs-storage

performance

question

security

task

test

windows

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

nspcc-dev/neofs-node#1357

No description provided.