Do I need to implement own rate limitting / DOS protection?

[dpc]

E.g. if I spawn a task to handle every incoming stream, do I need to add some limits to not allow malicious resource exhaustion? What about connections? Does Iroh by default handle any per-IP rate limiting etc.?

[matheus23]

No, iroh doesn't do per-IP rate limiting by default.
When you accept an incoming connection, you get access to the very first packet, before any work is done parsing it, in the form of the Incoming struct.
I think at the moment, you won't be able to really use its Incoming::remote_address, since internally iroh behaves like a small NAT, and what you see is the translated IP address (we do this to choose between relay & direct addresses behind the translated address).

[flub]

Since you are asking about every incoming stream: QUIC by defaults has a limit for the maximum concurrent streams allowed in a connection.

This can be set when the connection is created using TransportConfig::max_concurrent_bidi_streams and TransportConfig::max_concurrent_uni_streams. Or, once you have a connection, can be adjusted at any time using the Connection::set_max_concurrent_bi_streams and Connection::set_max_concurrent_uni_streams.

By default we currently have this set to a 100 bi-directional streams and 100 uni-directional streams, the upstream Quinn default.

For connections @matheus23's answer is comprehensive. We need to spend some time on giving folks better tools there. Of course per-IP rate-limiting is tricky in p2p context since on large NAT-networks it is easy to DOS legitimate traffic that way.