Ethereum's Response on API Security: How a GraphQL Query Could Crash a Blockchain Node
Geth, the Go Ethereum node, is integral to Ethereum networks. Though packed with features, it's not bulletproof. Case in point: its GraphQL API, which was susceptible to denial-of-service (DoS) attacks through improper handling of expensive queries.
The Exploit
A GraphQL logs query with an expansive fromBlock-to-toBlock range, the GraphQL equivalent of eth_getLogs over the whole chain, could drag node performance down badly, because the node has to scan every block in that range before it can answer.
{ logs(filter: {fromBlock: "0x0", toBlock: "0xFFFFFFFF"}) { data } }
Updated Security Guide
Good news: Geth's team has been proactive. They've updated their Security Fundamentals, which now covers API security extensively. This guide acknowledges that none of Geth's API endpoints, including legacy JSON-RPC, "beacon" JSON-RPC, and GraphQL, are built to fend off hostile attacks or high traffic volumes.
Action Items
Rate-limiting and query complexity checks are your best defense; keep in mind that a complexity score must account for arguments such as the block range, not just the number of fields a query selects.
from graphql import parse
from graphql.language import Visitor, visit
MAX_COST = 100  # assumed per-query budget; graphql-core has no get_query_cost, so count fields
class FieldCounter(Visitor):
    cost = 0
    def enter_field(self, *_):  # charge one unit of work per selected field
        self.cost += 1
def rate_limit(query):
    counter = FieldCounter()
    visit(parse(query), counter)  # a malformed query raises GraphQLSyntaxError here
    if counter.cost > MAX_COST:
        return "Query too costly"
Don't let your network be an easy target. Consult Geth’s updated Security Fundamentals to safeguard your API endpoints.
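The two action items above, as an added example that is not from the original post or from Geth's code base: a resolver-side guard that validates a Geth-style logs filter against the chain head before any block is scanned, plus a per-client token bucket for rate limiting. MAX_BLOCK_SPAN (and its 10,000-block value), guard_logs_filter, logs_query_allowed and TokenBucket are assumed names chosen for this example.

```python
import time

MAX_BLOCK_SPAN = 10_000  # assumed cap on how many blocks one logs query may scan

class QueryTooExpensive(ValueError):
    """Raised when a logs query would scan more blocks than the node allows."""

def _to_block_number(value, latest):
    # Geth's FilterCriteria takes a hex Long string; a missing value or "latest"
    # means the chain head, matching the eth_getLogs default.
    if value is None or value == "latest":
        return latest
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.startswith("0x"):
        return int(value, 16)
    raise QueryTooExpensive(f"unrecognised block value {value!r}")

def guard_logs_filter(filter_args, latest):
    """Validate the parsed `filter` argument of a logs query, e.g.
    {"fromBlock": "0x0", "toBlock": "0xFFFFFFFF"}; return (from, to) or raise."""
    start = _to_block_number(filter_args.get("fromBlock"), latest)
    end = min(_to_block_number(filter_args.get("toBlock"), latest), latest)
    if start > end:
        raise QueryTooExpensive("fromBlock is after toBlock")
    span = end - start + 1
    if span > MAX_BLOCK_SPAN:
        raise QueryTooExpensive(f"span of {span} blocks exceeds {MAX_BLOCK_SPAN}")
    return start, end

def logs_query_allowed(filter_args, latest):
    try:
        guard_logs_filter(filter_args, latest)
        return True
    except QueryTooExpensive:
        return False

class TokenBucket:
    """Per-client rate limiter: refills `rate` tokens/second up to `capacity`.
    `clock` is injectable so the bucket can be exercised deterministically."""
    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens, self.last = float(capacity), clock()

    def allow(self, cost=1.0):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < cost:
            return False
        self.tokens -= cost
        return True
```

The guard runs in the logs resolver with the already-parsed filter dict, so the whole-chain query from the exploit section is rejected before the node touches any block data.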
For deeper insights, visit the original research.
1 year ago: Rate-limiting and query checks are good steps, but I wonder if there are other robust measures to consider for the long run.