feat: DOS protection of non relay protocols - rate limit phase3 #2897

Merged
merged 5 commits into from
Jul 16, 2024

Conversation

NagyZoltanPeter
Contributor

Description

This PR is the final phase for Rate Limiting non relay protocols.

Aimed at three major targets:

  • Protect filter service on its specific needs.
    • Allow only a reasonable amount of subscribe/unsubscribe and ping requests for each client peer.
    • Such peer measurement is loosely coupled with maintained subscribed peers.
  • Add fair usage of lightpush and store protocols per peers. Do not allow one/few peers to overload the service.
  • Extend TokenBucket with load balancing.
    • Replenish calculation can consider previous period load and can apply more tokens thus compensating lower resource usage of previous period (capped with 25% threshold)

Remark: in this version, while lightpush and store protocols' protection can be configured from the CLI, by default it is switched off.

Notice for reviewers:

  • Filter protocol has an arbitrary limit applied per peers (30 req / 1 min / peer)

  • RequestRateLimiter applies a ratio calculation for managing fair usage of peers.

    • Thus, while the main token bucket applies a global token capacity within a certain period of time, peer allowed usage is managed as a factor of this.

Calculated as "main token capacity" * ratio * 75% over (main time period) * ratio
In other words, when a peer has used 75% of the previous n periods' token capacity, it gets rejected in order to let small users go up until main token capacity is not reached.
Of course, big usage peers will be replenished also, but only after the "n" period of time.

The ratio is calculated currently as - if main time period is set to:

  • less than a second -> 10x
  • less than a minute -> 3x
  • anything above that -> 2x ratio applied

This is debatable; I wanted to apply a reasonable scale in time on the applied multiplication factor.

Peer measurement is also time capped; non-requester peers will be wiped out from the store.

Changes

  • Enhanced TokenBucket to be able to add compensation tokens based on previous usage percentage,
  • per peer rate limiter 'PeerRateLimier' applied on waku_filter_v2 with opinionated default of acceptable request rate
  • Add traffic metrics to filter message push
  • RequestRateLimiter added to combine simple token bucket limiting of request numbers but consider per peer usage over time and prevent some peers from overusing the service (although currently rule-violating peers will not be disconnected at this time; only their requests will not get served)
  • TimedMap utility created (inspired and taken from libp2p TimedCache) which serves as a forgiving feature for peers that had been overusing the service.
  • Applied new RequestRateLimiter to store and lightpush protocols
  • Added more tests
  • Fix rebase issues

How to test

Unit tests applied.

Issue

#2683 covers #2032

- Enhanced TokenBucket to be able to add compensation tokens based on previous usage percentage,
- per peer rate limiter 'PeerRateLimier' applied on waku_filter_v2 with opinionated default of acceptable request rate
- Add traffic metrics to filter message push
- RequestRateLimiter added to combine simple token bucket limiting of request numbers but consider per peer usage over time and prevent some peers from overusing the service
  (although currently rule-violating peers will not be disconnected at this time; only their requests will not get served)
- TimedMap utility created (inspired and taken from libp2p TimedCache) which serves as a forgiving feature for peers that had been overusing the service.
- Added more tests
- Fix rebase issues
- Applied new RequestRateLimiter for store and legacy_store and lightpush
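
The fair-usage ratio from the description above, as an added Python model (not nwaku's Nim code and not part of the PR): a global bucket plus a per-peer bucket sized as capacity * ratio * 75% over period * ratio. The names `Bucket`, `FairLimiter` and `simulate`, the fixed-window refill, and the peer-before-global check order are assumptions; TimedMap eviction and token compensation are not modelled.

```python
import math

def peer_ratio(period_s: float) -> int:
    """Multiplier from the PR description: <1 s -> 10x, <1 min -> 3x, else 2x."""
    if period_s < 1:
        return 10
    if period_s < 60:
        return 3
    return 2

class Bucket:
    """Fixed-window bucket: refilled to capacity once period_s has elapsed (assumed)."""
    def __init__(self, capacity, period_s, now):
        self.capacity, self.period_s = capacity, period_s
        self.tokens, self.window_start = capacity, now

    def try_consume(self, now):
        if now - self.window_start >= self.period_s:
            self.tokens, self.window_start = self.capacity, now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class FairLimiter:
    """Hypothetical model: global bucket plus per-peer buckets sized by the ratio."""
    def __init__(self, capacity, period_s, now=0.0):
        ratio = peer_ratio(period_s)
        self.peer_capacity = math.floor(capacity * ratio * 0.75)
        self.peer_period_s = period_s * ratio
        self.main = Bucket(capacity, period_s, now)
        self.peers = {}

    def allow(self, peer_id, now):
        peer = self.peers.setdefault(
            peer_id, Bucket(self.peer_capacity, self.peer_period_s, now))
        # Peer check first, so an over-quota peer cannot drain the global bucket (assumed order).
        return peer.try_consume(now) and self.main.try_consume(now)

def simulate():
    """Constructed traffic: 'heavy' sends 10 requests in each of 3 periods, then 'light' sends 1."""
    lim = FairLimiter(capacity=10, period_s=10)
    served = {"heavy": 0, "light": 0}
    for window in range(3):
        for i in range(10):
            served["heavy"] += lim.allow("heavy", now=window * 10 + i * 0.5)
    served["light"] += lim.allow("light", now=29.0)
    return lim.peer_capacity, lim.peer_period_s, served
```

With a global limit of 10 requests per 10 s, the heavy peer is served 22 of its 30 requests across three periods, which leaves global tokens in the third period for the light peer.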

github-actions bot commented Jul 11, 2024

You can find the image built from this PR at

quay.io/wakuorg/nwaku-pr:2897

Built from 8325b5b

Contributor

@SionoiS SionoiS left a comment

Amazing work!

As for what settings to use, it's hard to say. Real usage would be how we determine that.

Contributor

@jm-clius jm-clius left a comment

Really great work! 🎉

Only very minor comments below.

waku/common/utils/timedmap.nim
waku/common/ratelimit/peerratelimiter.nim
Contributor

@gabrielmer gabrielmer left a comment

Looks amazing! 🔥 🔥
Thanks so much!

waku/common/ratelimit/simpleratelimiter.nim
waku/common/ratelimit/requestratelimiter.nim
Collaborator

@Ivansete-status Ivansete-status left a comment

LGTM! Thanks for it! 💯
I just added some comments that I hope you find useful :)

waku/common/ratelimit/ratelimitsetting.nim
tests/common/test_requestratelimiter.nim
waku/common/utils/timedmap.nim
waku/common/ratelimit/tokenbucket.nim
waku/waku_filter_v2/subscriptions.nim
waku/waku_filter_v2/protocol.nim
waku/common/ratelimit/requestratelimiter.nim
waku/common/ratelimit/simpleratelimiter.nim
@NagyZoltanPeter NagyZoltanPeter merged commit ba418ab into master Jul 16, 2024
8 of 10 checks passed
@NagyZoltanPeter NagyZoltanPeter deleted the feat-rate-limit-phase3-for-rebase branch July 16, 2024 13:46