Saw this on #bitcoin-dev IRC chat today:
07:59 phantomcircuit jgarzik, i actually have code to ddos the entire network
07:59 phantomcircuit it works
07:59 phantomcircuit but i run out of local port numbers before i get past about 100 peers
If I found a DoS vulnerability I wouldn't brag about it in public-- I'd tell the developers privately.
And isn't testing a DoS on a production network immoral/illegal?
You cut off the end:
[Thursday, November 15, 2012] [7:59:29 AM] jgarzik, i actually have code to ddos the entire network
[Thursday, November 15, 2012] [7:59:31 AM] it works
[Thursday, November 15, 2012] [7:59:44 AM] but i run out of local port numbers before i get past about 100 peers
[Thursday, November 15, 2012] [7:59:44 AM] um
[Thursday, November 15, 2012] [7:59:45 AM] :(
[Thursday, November 15, 2012] [7:59:55 AM] you can't know it works without having DDoS'd the network -.-
[Thursday, November 15, 2012] [8:00:44 AM] Luke-Jr, well it worked against the roughly dozen bitcoin nodes i run
[Thursday, November 15, 2012] [8:00:52 AM] scale to all connectable peers
In other words, he tested this on his own nodes.
I presume if there was anything we could do to fix it, he'd have mentioned that in private.