The DAOBet blockchain is based on EOS and implements the DPoS consensus algorithm. A characteristic of DPoS is its relatively small number of BP (block producer) nodes. This makes the network more susceptible to DDoS attacks, which can lead to partial block loss or network shutdown. To protect your network from attacks, you must build a secure and resilient infrastructure.
The best-proven practice in the EOS network is infrastructure built on the principle: "BP nodes for FULL nodes".
We recommend using a similar scheme:
Full nodes are necessary to ensure communication between the external network and the BPs. They are the most vulnerable part of this scheme, so we recommend using tools that let you add new nodes quickly; for example, cloud providers can be used in conjunction with autoscaling tools.
We recommend using two types of full nodes:
For relaying P2P messages. These nodes are used purely for communication between the BPs and the outside world and do not accept requests from clients via HTTP. On these nodes, we recommend disabling all minor plugins to achieve the best performance, such as
For HTTP requests. The primary goal of these nodes is to provide the RPC API for external clients. Optionally, secondary plugins can be connected to them to expand the standard RPC API and export data from the blockchain to external storage, for example: history_plugin, etc. It is also possible to use various community plugins.
BP nodes must be deployed in a closed network. This approach closes off a number of potential attack vectors that rely on a direct connection to the node. To ensure minimum downtime, we recommend using backup power supplies, ideally in different data centers, as well as software for monitoring and automatic activation of backup power supplies. To activate / deactivate production, we recommend using the pause / resume methods from
We recommend using firewalls and load balancers for full nodes. It is also desirable to use DDoS protection services. For P2P, protection at the TCP/IP level is necessary; for HTTP, protection at the HTTP layer is sufficient. It is better to keep BP nodes in a closed network and implement communication with full nodes using VPN tunnels. For P2P full nodes, only the port for net_plugin should be open, and for HTTP full nodes, only the port for http_plugin should be open.
Under this scheme, full nodes are used for communicating with external nodes. To ensure maximum network connectivity, add all possible addresses of external nodes to config.ini (parameter: p2p-peer-address). Also, periodically monitor and update the list.
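The role separation described above can be checked mechanically before a node is started. The following Python script is an added example, not DAOBet's own tooling: it audits a config.ini against the recommendations on this page. It assumes that option names other than p2p-peer-address follow EOSIO nodeos conventions; the role labels and sample hosts are constructed.

```python
import ipaddress
# Assumption: apart from p2p-peer-address, option names follow EOSIO nodeos.

def parse_config(text):
    """Parse config.ini text; keys may repeat, so every value is a list."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            cfg.setdefault(key, []).append(value)
    return cfg

def is_internal(endpoint):
    """True for loopback/private IPs; wildcards and hostnames count as external."""
    try:
        ip = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    except ValueError:
        return False
    return ip.is_private and not ip.is_unspecified

def audit(role, text):
    """role: 'bp', 'p2p' (relay full node) or 'http' (RPC full node)."""
    cfg = parse_config(text)
    plugins = {p.split("::")[-1] for p in cfg.get("plugin", [])}
    findings = []
    if role != "bp" and "producer-name" in cfg:
        findings.append("full node carries a producer-name")
    if role == "p2p":
        findings += [f"relay node loads {p}" for p in sorted(plugins)
                     if p == "http_plugin" or p.endswith("_api_plugin")]
    if role != "bp" and not cfg.get("p2p-peer-address"):
        findings.append("no p2p-peer-address entries for external nodes")
    if role == "bp":
        for key in ("p2p-listen-endpoint", "http-server-address", "p2p-peer-address"):
            findings += [f"{key} {v} is not restricted to the closed network"
                         for v in cfg.get(key, []) if not is_internal(v)]
    return findings

# Constructed sample configs (not taken from a real deployment).
BP_BAD = """
producer-name = exampleprod1
p2p-listen-endpoint = 0.0.0.0:9876
p2p-peer-address = 10.8.0.2:9876           # own full node over the VPN
p2p-peer-address = peer1.example.org:9876  # external peer, belongs on full nodes
"""
RELAY_BAD = """
plugin = eosio::net_plugin
plugin = eosio::chain_api_plugin
"""
print(audit("bp", BP_BAD), audit("p2p", RELAY_BAD))
```

Only explicitly set values are checked; built-in defaults and firewall rules are outside the script's view and need a separate check.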