
DOS / snooping / blocking malicious access #39

@AdamISZ

Description


One trivial point is to ensure no security leaks from arbitrary server access.

More important: consider DoS/snooping generally from client -> server. We don't want:

  • Costless initiation of transactions, locking server utxos. This is addressed by the Fees implementation as per #8 #30, in as much as the client cannot back out without paying fees.
  • Costless setup of parameters, which requires use of an address by the server (see Bad faith taker spy not filling orders so that it learns which UTXOs belong to which maker, allowing future unmixing JoinMarket-Org/joinmarket#156). A critical difference here is that this only grabs fresh addresses, which will not be used again by the server, it does not get utxo information. The client only sees the server utxos at the point they're consumed on the blockchain (TX1), at which point the client has already committed, with confirmations, his own TX0, which costs him to back out. For this reason, I don't think this attack has any real incentive, in the way that it did in pre-0.2 Joinmarket, so it isn't as big of a concern.
  • Too many simultaneous requests/coinswaps: currently the server has a configurable maximum_concurrent_coinswaps (default 3); it will report "busy" to clients after that and refuse to negotiate until one of the pre-existing ones is finished.
  • General DOS with request flooding. This point will need more addressing, somehow.
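As an added illustration of the last two points (the maximum_concurrent_coinswaps cap and request flooding), the following is example code, not code from the CoinSwapCS project or from the issue author. It assumes a hypothetical `AdmissionController` that a server could consult before negotiating: sessions beyond `max_concurrent` (default 3, matching the issue) get "busy", and a per-client sliding-window counter (the `rate_limit` and `window` values are assumed, not from the project) turns a flood of requests into "rate_limited" before any server state is touched. Requests that are refused as "busy" still consume the client's rate budget, so a client cannot probe the busy/free state for free.

```python
import time
from dataclasses import dataclass, field

# Constructed example: a simple admission controller for a coinswap server.
# This is NOT CoinSwapCS code; all names and default limits are hypothetical.


@dataclass
class AdmissionController:
    max_concurrent: int = 3      # mirrors the issue's maximum_concurrent_coinswaps default
    rate_limit: int = 5          # requests allowed per client per window (assumed value)
    window: float = 60.0         # sliding window length in seconds (assumed value)
    active: set = field(default_factory=set)     # session ids currently negotiating
    history: dict = field(default_factory=dict)  # client_id -> list of request timestamps

    def _recent(self, client_id, now):
        """Drop timestamps older than the window and return the survivors."""
        kept = [t for t in self.history.get(client_id, []) if now - t < self.window]
        self.history[client_id] = kept
        return kept

    def request(self, client_id, session_id, now=None):
        """Decide whether a new coinswap negotiation may start.

        Returns "rate_limited", "busy" or "accepted". The rate check runs first
        so flooding clients are refused before any per-session state exists.
        """
        now = time.monotonic() if now is None else now
        recent = self._recent(client_id, now)
        if len(recent) >= self.rate_limit:
            return "rate_limited"
        recent.append(now)  # a refused-as-busy request still counts against the client
        if len(self.active) >= self.max_concurrent:
            return "busy"
        self.active.add(session_id)
        return "accepted"

    def finish(self, session_id):
        """Free a slot once a coinswap completes or is torn down."""
        self.active.discard(session_id)


if __name__ == "__main__":
    ac = AdmissionController()
    for i in range(4):
        print(f"client{i}", ac.request(f"client{i}", f"session{i}", now=0.0))
    ac.finish("session0")
    print("client3 retry", ac.request("client3", "session4", now=1.0))
```

The two limits are independent: the concurrency cap protects the server's utxo/locking budget, while the per-client window addresses request flooding; neither helps against a flood from many distinct client identities, which is why the issue notes that point still needs more work.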
