From cc6d183ec46e9d30d14fcde966a23a70aa333bec Mon Sep 17 00:00:00 2001 From: Neil Booth Date: Tue, 29 Nov 2016 22:20:29 +0900 Subject: [PATCH] Prepare 0.7.14 --- RELEASE-NOTES | 16 ++++++++++++++++ docs/ENV-NOTES | 13 +++++++++++++ 2 files changed, 29 insertions(+) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 21d8f88..6d18dda 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -1,3 +1,19 @@ +version 0.7.14 +-------------- + +Improved DoS protection: + +- incoming network request buffers - which hold incomplete requests + are limited to 150,000 bytes, which I believe is large for genuine + clients. I don't foresee a need to change this so it is hard-coded. + If an incoming request (for example, text without a newline) exceeds + this limit the connection is dropped and the event logged. +- RPC connections have high MAX_SEND and incoming buffer limits as these + connections are assumed to be trusted. +- new environment variable BANDWIDTH_LIMIT. See docs/ENV-NOTES. +- fixes: LOG_SESSIONS of 0.7.13 wasn't being properly interpreted. + Tweak to rocksdb close() that should permit db reopening to work. + version 0.7.13 -------------- diff --git a/docs/ENV-NOTES b/docs/ENV-NOTES index c18593f..f51004e 100644 --- a/docs/ENV-NOTES +++ b/docs/ENV-NOTES 
@@ -70,6 +70,19 @@ MAX_SUBS - maximum number of address subscriptions across all sessions. Defaults to 250,000. MAX_SESSION_SUBS - maximum number of address subscriptions permitted to a single session. Defaults to 50,000. +BANDWIDTH_LIMIT - per-session periodic bandwith usage limit in bytes. + Bandwidth usage over each period is totalled, and + when this limit is exceeded each subsequent request + is stalled by sleeping before handling it, + effectively yielding processing resources to other + sessions. Each time this happens the event is + logged. The more bandwidth usage exceeds the limit + the longer the next request will sleep. Each sleep + is a round number of seconds with a minimum of one. + The bandwith usage counter is reset to zero at the + end of each period. Currently the period is + hard-coded to be one hour. The default limit value + is 2 million bytes. If you want IRC connectivity to advertise your node:
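Review bot: In the RELEASE-NOTES hunk, the RPC bullet says these connections get "high MAX_SEND and incoming buffer limits" because they are "assumed to be trusted", but it gives neither the values nor what that assumption rests on. Please state the RPC limits alongside the 150,000-byte figure given for ordinary sessions, and say what an operator must ensure for the assumption to hold, since any untrusted peer that can reach the RPC port would get the relaxed limits rather than the protection described in the first bullet. Separately, the "fixes:" bullet (LOG_SESSIONS, rocksdb close()) sits inside the "Improved DoS protection:" list; moving it under its own heading would keep that list accurate.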
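Review bot: In the docs/ENV-NOTES hunk, "bandwith" is misspelled twice ("periodic bandwith usage limit" and "The bandwith usage counter"); both should read "bandwidth". The BANDWIDTH_LIMIT entry also leaves the throttle underspecified: it says "The more bandwidth usage exceeds the limit the longer the next request will sleep" without giving the relation or any upper bound on the sleep, and it does not say whether usage counts bytes sent, bytes received or both, or whether some value (for example 0) disables the limit. Documenting these would let an operator choose a value and interpret the logged stall events.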