Chapter 33: Network Security & DDoS Protection
Overview
Network security is critical for blockchain nodes: it prevents unauthorized access, DDoS attacks, and other malicious activity. This chapter covers the layers of network protection a node operator should put in place.
33.1 Network Security Architecture
Traffic reaches a node through successive layers, each narrowing who can talk to what (top to bottom):

- Internet
- Firewall / Load Balancer
  - DDoS protection (Cloudflare, AWS Shield)
  - Rate limiting
  - IP whitelisting
  - WAF (Web Application Firewall)
- Bastion Host / VPN
  - SSH key authentication only
  - 2FA/MFA
  - Jump server
- Private Network (VPC)
  - Validator node
  - RPC node
  - Archive node

33.2 Firewall Configuration
UFW (Uncomplicated Firewall)
```bash
# Install UFW
sudo apt install ufw

# Default policies: drop everything inbound, allow outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH, rate limited (ufw's limit rule denies a source that opens
# 6 or more connections within 30 seconds)
sudo ufw limit 22/tcp comment 'SSH with rate limiting'

# Allow P2P networking (Ethereum)
sudo ufw allow 30303/tcp comment 'Ethereum P2P'
sudo ufw allow 30303/udp comment 'Ethereum Discovery'

# Allow RPC from the internal range only; 8545 must never be reachable publicly
sudo ufw allow from 10.0.0.0/8 to any port 8545 proto tcp comment 'RPC from internal'

# Allow Prometheus metrics (optional). This opens 9090 to everyone; in
# production restrict it to the monitoring host, as the port table in 33.5 requires
sudo ufw allow 9090/tcp comment 'Prometheus'

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status verbose
```
iptables
```bash
# Flush existing rules. Run this from the console or an out-of-band session:
# the DROP policy below takes effect before the SSH allow rules exist
sudo iptables -F
sudo iptables -X

# Default policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH, rate limited: record each new connection, drop a source that opens
# 4 or more within 60 seconds, then accept what remains. The explicit ACCEPT is
# required; without it the default INPUT DROP policy would block SSH entirely
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow P2P
sudo iptables -A INPUT -p tcp --dport 30303 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 30303 -j ACCEPT

# Allow RPC only from internal IPs
sudo iptables -A INPUT -p tcp --dport 8545 -s 10.0.0.0/8 -j ACCEPT

# These rules do not survive a reboot; persist them with
# `sudo apt install iptables-persistent` followed by `sudo netfilter-persistent save`
```
33.3 DDoS Protection
Types of DDoS Attacks
The three classes, from the network layer up the stack:

- Volumetric attacks
  - UDP/ICMP flood
  - Goal: exhaust bandwidth
  - Mitigation: CDN, DDoS protection service
- Protocol attacks
  - SYN flood
  - Ping of death
  - Goal: exhaust server resources
  - Mitigation: SYN cookies, connection limits
- Application layer attacks
  - HTTP flood
  - Slowloris
  - Goal: crash web servers
  - Mitigation: rate limiting, WAF

Cloudflare Protection
```bash
# Example: enable Cloudflare for your node
# 1. Point your domain NS to Cloudflare
# 2. Configure firewall rules in the Cloudflare dashboard
```
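An application-layer flood is the attack class most likely to reach an RPC endpoint through the CDN, and it is visible in the reverse proxy's access log long before the node falls over. The following is an added example, not code from the original chapter: it buckets requests per client IP per minute and reports any bucket above a threshold, so the source can be rate-limited or handed to fail2ban. The nginx "combined" log format, the `detect_flood`/`make_sample` names and the sample lines are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original chapter: detect an application-layer
# HTTP flood from the reverse proxy's access log in front of the RPC endpoint.
# Requests are counted per client IP per minute; any bucket above THRESHOLD is
# reported. Assumes nginx "combined" log format, where field 1 is the client IP
# and field 4 is "[dd/Mon/yyyy:HH:MM:SS".

THRESHOLD=${THRESHOLD:-100}

# make_sample: constructed log data, three normal requests from one client,
# 150 requests inside a single minute from another, and one request later.
make_sample() {
    printf '198.51.100.9 - - [20/Feb/2026:10:15:%02d +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n' 1 20 40
    i=0
    while [ "$i" -lt 150 ]; do
        printf '203.0.113.7 - - [20/Feb/2026:10:15:%02d +0000] "POST / HTTP/1.1" 200 512 "-" "curl/8.5"\n' $((i % 60))
        i=$((i + 1))
    done
    printf '203.0.113.7 - - [20/Feb/2026:10:16:05 +0000] "POST / HTTP/1.1" 200 512 "-" "curl/8.5"\n'
}

# detect_flood: read access-log lines on stdin, print "<ip> <minute> <count>"
# for every IP/minute bucket that exceeds THRESHOLD, sorted for stable output.
detect_flood() {
    awk -v limit="$THRESHOLD" '
    NF >= 4 {
        # strip the leading "[" and the trailing ":SS" to get the minute bucket
        minute = substr($4, 2, length($4) - 4)
        count[$1 " " minute]++
    }
    END {
        for (key in count)
            if (count[key] > limit) print key, count[key]
    }' | sort
}

# Live use: detect_flood < /var/log/nginx/access.log
make_sample | detect_flood
```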
```text
# Cloudflare Page Rule example:
# Pattern: rpc.yourdomain.com/*
# Settings:
# - SSL: Full
# - Firewall: High
# - Cache Level: Cache Everything
# - Edge Cache TTL: 1 hour
# (Cloudflare caches only GET/HEAD responses, so JSON-RPC POST calls still pass through to the node)
```
AWS Shield
- AWS Shield Standard (free)
  - Always-on protection
  - Mitigates common DDoS attacks
- AWS Shield Advanced ($3,000/month)
  - 24/7 access to the AWS DDoS response team
  - Protection against sophisticated attacks
  - DDoS cost protection
  - Application layer DDoS protection
- Route 53 + CloudFront
  - DNS-level protection
  - Edge caching reduces attack surface

33.4 VPN & Private Networking
WireGuard VPN Setup
```bash
# Install WireGuard
sudo apt install wireguard

# Generate a key pair; run once on the server and once on each client.
# umask 077 keeps the private key file readable only by its owner
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
```

Server configuration (/etc/wireguard/wg0.conf):

```ini
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.0.0.1/24
ListenPort = 51820
# The FORWARD/MASQUERADE rules are only needed when clients route traffic through
# the server to other hosts (which also requires net.ipv4.ip_forward=1);
# the PostDown lines remove them again when the tunnel is stopped
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32
```

Client configuration:

```ini
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.2/24

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = your-server-ip:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
```

Bring the tunnel up on both sides with `sudo wg-quick up wg0`, or `sudo systemctl enable --now wg-quick@wg0` to start it at boot. Note that the tunnel range 10.0.0.0/24 lies inside the VPC CIDR 10.0.0.0/16 used in the next section; on a server that is itself in that VPC, choose a tunnel range that does not overlap the VPC so the wg0 route does not shadow VPC routes.

AWS VPC Configuration
- VPC CIDR: 10.0.0.0/16
- Subnets
  - Public subnet 10.0.1.0/24: load balancer, bastion host
  - Private subnet 10.0.2.0/24: validator node, RPC node
- Security groups
  - Validator SG: inbound allow 30303 from VPC; outbound allow all
  - RPC Node SG: inbound allow 8545 from ALB; outbound allow 30303 to VPC
  - Bastion SG: inbound allow 22 from VPN/home IP

33.5 Port Security
Essential Ports
| Port | Protocol | Service | Access Level |
|---|---|---|---|
| 22 | TCP | SSH | Bastion/Jump host only |
| 30303 | TCP/UDP | P2P | Public |
| 8545 | TCP | HTTP RPC | Internal only |
| 8546 | TCP | WS RPC | Internal only |
| 9090 | TCP | Prometheus | Internal only |
| 26656 | TCP | Tendermint P2P | Public |
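The access levels in the table are easy to state and easy to drift from as services get reconfigured. The following added example (not from the original chapter) reads `ss -tulnH` output and flags any "Internal only" port bound to a wildcard address, plus listeners the table does not mention. The `ss` column layout, the sample lines, and the names `audit_ports` and `PORT_POLICY` are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original chapter: check the sockets a node is
# actually listening on against the "Essential Ports" table above. A port whose
# access level is "Internal only" must not be bound to a wildcard address
# (0.0.0.0, [::] or *); anything not in the table is reported as unexpected.
# Input is `ss -tulnH` output (assumed format: the local address is column 5).

# Policy mirrored from the table: port and access level.
PORT_POLICY='22 bastion
30303 public
8545 internal
8546 internal
9090 internal
26656 public'

# Constructed sample of `ss -tulnH` output: HTTP RPC and Prometheus are wrongly
# bound to wildcard addresses; WS RPC and Tendermint P2P are bound correctly.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:30303    0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:30303    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:8545     0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:8546   0.0.0.0:*
tcp   LISTEN 0 128 [::]:9090        [::]:*
tcp   LISTEN 0 128 10.0.2.10:26656  0.0.0.0:*'

# audit_ports: read ss lines on stdin, print "<port> <bind-addr> <finding>"
# per violation and return 1 if any was found (0 when the host is clean).
audit_ports() {
    awk -v policy="$PORT_POLICY" '
    BEGIN {
        bad = 0
        n = split(policy, rows, "\n")
        for (i = 1; i <= n; i++) { split(rows[i], f, " "); level[f[1]] = f[2] }
    }
    NF >= 5 {
        port = $5; sub(/.*:/, "", port)          # text after the last colon
        host = $5; sub(/:[0-9]+$/, "", host)     # everything before it
        wild = (host == "0.0.0.0" || host == "[::]" || host == "*")
        if (!(port in level)) {
            print port, host, "unexpected-listener"; bad = 1
        } else if (level[port] == "internal" && wild) {
            print port, host, "internal-port-on-wildcard"; bad = 1
        }
    }
    END { exit bad }'
}

# Live use: ss -tulnH | audit_ports
printf '%s\n' "$SAMPLE_SS" | audit_ports || echo "=> host violates the port policy"
```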
Port Scanning Detection
```bash
# Install fail2ban
sudo apt install fail2ban

# Configure fail2ban for SSH. `sudo cat > file` does not work here because the
# redirection is performed by the unprivileged shell; write the file via tee
sudo tee /etc/fail2ban/jail.local > /dev/null << 'EOF'
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
EOF

# Enable and start
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```
33.6 Intrusion Detection
OSSEC Installation
```bash
# Install OSSEC (the installer writes to /var/ossec and must run as root)
wget -q https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar -xzf 3.6.0.tar.gz
cd ossec-hids-3.6.0
sudo ./install.sh

# Configure active response: block the source host when rule 100100 fires.
# 100100 is in the local rule id range, so it must be defined in
# /var/ossec/rules/local_rules.xml. Use tee -a (not `sudo cat >>`) so the
# append runs as root, and wrap the block in <ossec_config> so it is parsed
# as an additional configuration section rather than a stray element
sudo tee -a /var/ossec/etc/ossec.conf > /dev/null << 'EOF'
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>100100</rules_id>
  </active-response>
</ossec_config>
EOF
```
Monitoring with Wazuh
The dashboard sits above the central manager and the per-node agents:

- Wazuh Dashboard
  - Security alerts visualization
  - Compliance reporting
  - Threat intelligence
- Wazuh Manager (central)
- Wazuh Agent (validator)
- Wazuh Agent (RPC node)

33.7 Network Segmentation
Three tiers, each reachable only from the one above it:

- DMZ (public facing)
  - Load balancer
  - WAF
  - Reverse proxy (Nginx)
- Application layer (semi-private)
  - RPC nodes (read-only)
  - Monitoring services
- Core layer (private)
  - Validator nodes
  - Archive nodes
  - Database servers

33.8 Interview Questions
| Question | Answer |
|---|---|
| How do you protect against DDoS? | CDN, rate limiting, DDoS protection service, firewall rules |
| What is network segmentation? | Dividing network into isolated segments for better security |
| Why use VPN for node access? | Encrypts traffic, hides node IP, prevents direct attacks |
| What is a bastion host? | Hardened server for secure admin access to private network |
| How do you secure P2P ports? | Allow public access for P2P, restrict RPC to internal IPs |
Summary
- Implement firewall rules to restrict access
- Use DDoS protection services (Cloudflare, AWS Shield)
- Set up VPN or bastion host for admin access
- Use network segmentation for defense in depth
- Deploy intrusion detection systems
- Monitor network traffic for anomalies
Next Chapter
In Chapter 34: TLS/SSL Security, we’ll explore encryption for node communications.
Last Updated: 2026-02-20