[Feature Request]: Rate limit trace routes to every 3 min #6173
Comments
thebentern
added
the
high-priority
|
3 min may be too much, maybe 1 min. |
|
Since this will prevent the entire mesh from sending TRs |
|
No, 3 mins is a good idea. There's no reason you should be sending that many trace routes that often. A person's desire to see all the connections doesn't trump the stability of the mesh. I agree, the Mesh Sense software is making a lot of networks too unstable because a huge chunk of the traffic is just trace routes. |
|
I'm sorry but I would not be in favor of this. I regularly use traceroutes within three minutes to check connections to different nodes, or even to the same node when walking around. We already have a 30-second rate limit and I believe that suffices. In my opinion one piece of software doing automatic traceroutes should not prohibit sending traceroutes manually within three minutes. First, let's try to convince them to stop doing that. But ultimately you're using a public channel where anyone can do anything they like; we can enforce suitable defaults but let's also keep the fun of the hobby and not solely focus on the super large meshes. If we'd add this, the next thing people will do is, for example, manually crafting NeighborInfo packets and broadcasting them. With 2.6, traceroutes will also become more efficient. |
|
There's also the issue where a bad actor could use TRs with modified firmware to bring a mesh to its knees. |
|
A bad actor can easily bring a mesh to its knees; there's nothing we can do about that unfortunately.
I'm definitely not in favor of doing it in this way as you'll never be able to know whether the traceroute fails or whether it was just because the recipient (or a node in-between) was rate-limited. |
GUVWAF
removed
the
high-priority
Sure, I definitely get where you're coming from but I'm not sure I would classify 100 devices as a super large mesh anymore. I do believe that we've learned that education and pleases don't work as well as we'd like. I think eventually, likely pretty soon, we're going to have to implement a restriction like this on the default channel. Especially if Mesh Sense continues gaining popularity. We recently saw an example where someone was sending automatic traceroutes continuously and channel utilization was 45-55%. |
|
Then let's first try to convince Mesh Sense to increase the interval of their automatic requests: Affirmatech/MeshSense#64 |
|
I was also about to make an issue, you beat me to it lol |
|
Added a comment, I hope this gets resolved, or else I would recommend everyone to stop using it. |
|
@GUVWAF I have an idea. Perhaps instead of setting the static limits to traceroutes, we could scale the rate limit based on the number of online nodes similar to how we treat interval broadcasts. This obviously disproportionately affects larger meshes like @RCGV1's and the instance we documented in the Oregon mesh as well. |
That might be a reasonable approach, if the client notification then also says "You can request after x seconds again". Still I would apply the rate-limit only on the request, not on the reply or on intermediate hops. |
|
That sounds like a good approach and I agree @GUVWAF it should be on the request. |
|
I would then also limit it to if you have the default channel and frequency slot. I believe it should not affect private isolated meshes. |
It may be useful to also have a slightly coarser grained limit on the reply side in general. |
Agreed, I was thinking specifically the default. |
|
I'd support rate limiting on all features that can congest the mesh. We need some serious QOL improvements like this. |
|
Would it be possible to make a bad-actor-suppressor feature? It kicks in when channel utilisation is above X%. When too many packets (of any type) are received from a specific node, the feature will send a "reject" message to the bad-acting node. This way, the bad actor has to suppress its messages and/or receives a "traceroute might have failed because it was rejected" warning in the app. A 0-hop neighbour of the spamming node, could then stop relaying its messages to protect the rest of the mesh, whilst warning the bad node. |
This seems like a good idea to me (although it certainly adds some complexity to the firmware). The firmware already has some logic for "backing off" on things, maybe this could be leveraged for this as well? And perhaps make it specific to the type of message that is causing the spam, e.g., if it's a traceroute, don't prevent telemetry, DMs or locations from going through. Just thinking out loud, definitely adds potentially unwanted complexity. I also agree that the MeshSense folks should adjust their defaults. |
|
Here are examples of "traceroute storms". What seems to occur is many MeshSense instances tracing at each other as a result of being traced to... hop count constantly changing, and this amplifies over our very well connected meshes... ~140 nodes in MediumSlow, and 300-400 in LongFast. The traceroutes per hour fluctuate wildly from 6... to 500... back to 10... and so on. Since a traceroute is flooded, nodes get pulled into this fight when they see the inquiry. sqlite> SELECT strftime('%Y-%m-%d %H:00', import_time) AS hour, COUNT(*) AS packet_count 
No humans would be running 576 traces per hour and then 3... the next. Thats a storm finally resolving by hitting everyone's mesh sense limit and finally deflating. | 2025-02-28 07:00 | 576 | |
|
Would be good to open some issues on the meshsense repo especially if good logging is available like the previous comment, they have worked pretty quickly to implement the issues I have opened https://github.com/Affirmatech/MeshSense/issues |
|
|
MeshSense has now increased their defaults and enforced a minimum. I think this will already help a lot, since e.g. five manual traceroute requests within three minutes is much less harmful than continuously sending a traceroute every three minutes. |
Platform
Cross-Platform
Description
Currently, our mesh has only 100 nodes but channel util is 40%+ because trace routes are being sent very often by the Mesh Sense software. Because of how trace routes force every node in its path to send a response this creates a huge amount of traffic, just like position requests were recently rate limited to 3 min the same should be done for trace routes.
If a node receives a trace route it should refuse to respond to another trace route request within the next 3 min. (Even if it is not the target).
The text was updated successfully, but these errors were encountered: