Rate Limiting & Spam Prevention
Comprehensive documentation of rate limiting mechanisms, spam prevention strategies, and abuse mitigation in the Zentalk decentralized messaging protocol.
Overview
Rate limiting in a decentralized system presents unique challenges compared to traditional centralized architectures. Without a single authority to enforce limits, Zentalk employs a distributed approach combining client-side enforcement, relay node cooperation, and cryptographic proof mechanisms.
Why Rate Limiting in a Decentralized System
| Challenge | Centralized Solution | Zentalk Approach |
|---|---|---|
| Spam prevention | Single enforcement point | Distributed relay consensus |
| Resource protection | Server-side limits | Client + relay coordination |
| Fair usage | Per-user quotas | Reputation-weighted limits |
| DDoS mitigation | Load balancers, CDN | 3-hop relay, PoW challenges |
| Abuse detection | Content analysis | Behavioral patterns only |
Balance Between Usability and Abuse Prevention
Rate limits must be calibrated to allow legitimate high-volume usage while preventing abuse. Zentalk optimizes for the following user profiles:
| User Profile | Expected Usage | Limit Headroom |
|---|---|---|
| Casual user | 50 messages/day | 10x buffer |
| Active user | 500 messages/day | 5x buffer |
| Power user | 2000 messages/day | 2x buffer |
| Group admin | 5000 messages/day | 1.5x buffer |
Design Principles
| Principle | Implementation |
|---|---|
| Privacy-preserving | No content inspection, rate-based only |
| Graduated response | Warnings before restrictions |
| Transparent limits | Users informed of current usage |
| Appealable | Automated restrictions can be reviewed |
| Distributed enforcement | No single point of control |
Distributed Enforcement Challenges
Distributed Rate Limiting Architecture:
┌─────────────────────────────────────────────────────────────────┐
│ User Device │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Local Rate Limiter │ │
│ │ - First line of defense │ │
│ │ - Prevents unnecessary network requests │ │
│ │ - Maintains local usage counters │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Relay Network │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Relay Node │ │ Relay Node │ │ Relay Node │ │
│ │ - Per-user │ │ - Per-user │ │ - Per-user │ │
│ │ tracking │ │ tracking │ │ tracking │ │
│ │ - Gossip │ │ - Gossip │ │ - Gossip │ │
│ │ protocol │ │ protocol │ │ protocol │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ ↕ ↕ ↕ │
│ Rate limit state synchronization via gossip │
└─────────────────────────────────────────────────────────────────┘Message Rate Limits
Message rate limits form the primary defense against spam and network abuse.
Standard Rate Limits
| Context | Limit | Window | Burst Allowance |
|---|---|---|---|
| 1:1 messages | 60 | Per minute | +20 burst |
| 1:1 messages | 500 | Per hour | +100 burst |
| Group messages | 30 | Per minute | +10 burst |
| Group messages | 300 | Per hour | +50 burst |
| Broadcast messages | 10 | Per minute | None |
| System messages | 100 | Per minute | None |
Burst Allowance Mechanism
Burst allowance permits temporary spikes in activity while maintaining long-term averages.
Token Bucket Algorithm:
Parameters:
bucket_capacity = base_limit + burst_allowance
refill_rate = base_limit / window_seconds
tokens = bucket_capacity (initial)
On message send:
if tokens ≥ 1:
tokens = tokens - 1
allow_message()
else:
reject_message(RATE_LIMITED)
Every second:
tokens = min(tokens + refill_rate, bucket_capacity)
Example (1:1 messaging):
bucket_capacity = 60 + 20 = 80 tokens
refill_rate = 60 / 60 = 1 token/second
User can send 80 messages instantly (burst)
Then must wait for token refill
Sustained rate: 1 message/second maximumRate Limit Tiers
| Account Type | 1:1 Multiplier | Group Multiplier | Notes |
|---|---|---|---|
| New account (less than 7 days) | 0.5x | 0.3x | Reduced limits during probation |
| Standard account | 1.0x | 1.0x | Base limits |
| Verified account | 1.5x | 1.2x | Phone or identity verified |
| Trusted account | 2.0x | 1.5x | Long history, no violations |
| Premium account | 3.0x | 2.0x | Subscription tier |
Different Limits for 1:1 vs Group
| Aspect | 1:1 Chat | Group Chat | Rationale |
|---|---|---|---|
| Base rate | Higher | Lower | Groups amplify impact |
| Burst allowance | Larger | Smaller | Conversations are bursty |
| Cooldown on violation | 5 minutes | 15 minutes | Groups affect more users |
| Reputation impact | Low | High | Spam in groups is worse |
Message Size Limits
| Message Type | Max Size | Rate Impact |
|---|---|---|
| Text only | 16 KB | 1x rate cost |
| With attachment reference | 32 KB | 1x rate cost |
| Rich content (formatting) | 64 KB | 2x rate cost |
| Large payload | 256 KB | 4x rate cost |
Rate Limit Response Codes
| Code | Name | Meaning | Retry After |
|---|---|---|---|
| RL_001 | SOFT_LIMIT | Approaching limit, warning | Immediate (with warning) |
| RL_002 | RATE_LIMITED | Limit exceeded | See Retry-After header |
| RL_003 | BURST_EXHAUSTED | Burst allowance depleted | 1-5 seconds |
| RL_004 | HOURLY_EXCEEDED | Hour limit reached | See Retry-After header |
| RL_005 | DAILY_EXCEEDED | Daily limit reached | Until next day (UTC) |
| RL_006 | TEMP_BANNED | Repeated violations | 1-24 hours |
Connection Rate Limits
Connection-level limits prevent resource exhaustion attacks and ensure fair access to relay infrastructure.
WebSocket Connection Limits
| Limit Type | Value | Scope | Notes |
|---|---|---|---|
| Max concurrent connections | 5 | Per user identity | Across all devices |
| Max connections per IP | 10 | Per IP address | Prevents IP-based abuse |
| Max connections per device | 2 | Per device ID | Primary + backup |
| Connection lifetime | 24 hours | Per connection | Must reconnect daily |
Connection Establishment Limits
| Operation | Limit | Window | Cooldown on Exceed |
|---|---|---|---|
| New connection attempts | 10 | Per minute | 60 seconds |
| TLS handshakes | 20 | Per minute | 30 seconds |
| Authentication attempts | 5 | Per minute | 120 seconds |
| Failed auth attempts | 3 | Per 5 minutes | 300 seconds |
Reconnection Throttling
Reconnection Backoff Strategy:
On disconnect:
attempt = 0
Reconnection loop:
while not connected:
delay = calculate_delay(attempt)
wait(delay)
result = attempt_connection()
if result == SUCCESS:
break
else if result == RATE_LIMITED:
wait(retry_after_header)
else:
attempt = attempt + 1
calculate_delay(attempt):
base = 1 second
max_delay = 300 seconds // 5 minutes
// Exponential backoff with jitter
delay = min(base * (2 ^ attempt), max_delay)
jitter = random(0, delay * 0.2)
return delay + jitter
Attempt Schedule:
1: 1-1.2 seconds
2: 2-2.4 seconds
3: 4-4.8 seconds
4: 8-9.6 seconds
5: 16-19.2 seconds
6: 32-38.4 seconds
7: 64-76.8 seconds
8: 128-153.6 seconds
9+: 300-360 secondsIP-Based Limits
| Limit | Value | Purpose |
|---|---|---|
| Connections per IP | 10 | Prevent single-IP floods |
| New users per IP per day | 5 | Limit bot account creation |
| Requests per IP per second | 100 | DDoS mitigation |
| Bandwidth per IP | 10 MB/s | Resource fairness |
Geographic Distribution Requirements
| Requirement | Threshold | Action on Violation |
|---|---|---|
| Unique IPs per user | Max 20 per day | Flag for review |
| Geographic spread | Max 5 countries per hour | Require verification |
| VPN/Tor detection | Allowed but limited | 0.5x rate limits |
| Data center IP detection | Flagged | 0.3x rate limits |
Key Operation Limits
Cryptographic key operations are computationally expensive and require strict rate limiting to prevent abuse.
Prekey Upload Limits
| Operation | Limit | Window | Notes |
|---|---|---|---|
| One-time prekey upload | 100 keys | Per batch | Max batch size |
| Prekey batch uploads | 10 | Per hour | Prevents key flooding |
| Total prekeys stored | 1000 | Per user | Server-side limit |
| Signed prekey rotation | 1 | Per 7 days | Minimum rotation period |
Prekey Replenishment Strategy
Prekey Management:
Server-side storage:
min_prekeys = 20
max_prekeys = 1000
warning_threshold = 50
On prekey request (by peer):
prekey = pop_one_time_prekey(user_id)
remaining = count_prekeys(user_id)
if remaining ≤ warning_threshold:
notify_client(PREKEY_LOW, remaining)
return prekey
Client replenishment:
on PREKEY_LOW notification:
current = get_prekey_count()
to_generate = max_prekeys - current
// Generate in batches to avoid blocking
for batch in chunks(to_generate, 100):
keys = generate_prekeys(batch)
upload_prekeys(keys)
wait(1 second) // Rate limit complianceSession Creation Limits
| Limit Type | Value | Window | Purpose |
|---|---|---|---|
| New sessions initiated | 50 | Per hour | Prevent session spam |
| Sessions with same peer | 3 | Per hour | Prevent reset attacks |
| Total active sessions | 500 | Per user | Resource limits |
| Session creation burst | 10 | Per minute | Allow contact sync |
Identity Registration Limits
| Operation | Limit | Window | Cooldown |
|---|---|---|---|
| Identity key registration | 1 | Per year | N/A |
| Identity key update | 1 | Per 30 days | 30 days |
| Device registration | 5 | Per day | 24 hours |
| Device deregistration | 10 | Per day | None |
| Recovery key setup | 3 | Per year | 120 days |
Key Bundle Fetch Limits
| Operation | Limit | Window | Notes |
|---|---|---|---|
| Key bundle fetches | 100 | Per minute | For new sessions |
| Same user bundle fetch | 5 | Per minute | Prevent enumeration |
| Bulk bundle fetch | 50 | Per request | For contact import |
| Failed bundle fetches | 20 | Per minute | Invalid addresses |
Group Chat Limits
Group chats require additional limits due to message amplification effects.
Maximum Group Size
| Group Type | Max Members | Message Rate | Notes |
|---|---|---|---|
| Standard group | 256 | 300/hour | Default limit |
| Large group | 1,024 | 600/hour | Requires verification |
| Broadcast channel | 10,000 | 100/hour | Admin-only posting |
| Community | 50,000 | 50/hour | Hierarchical moderation |
Message Rate Per Group
| Group Size | Messages/Minute | Messages/Hour | Per-Member Rate |
|---|---|---|---|
| 2-10 members | 60 | 500 | 6/min per member |
| 11-50 members | 120 | 800 | 2.4/min per member |
| 51-100 members | 180 | 1000 | 1.8/min per member |
| 101-256 members | 240 | 1200 | 0.9/min per member |
| 257+ members | 300 | 1500 | Diminishing per member |
Member Management Limits
| Operation | Limit | Window | Notes |
|---|---|---|---|
| Add members | 50 | Per hour | Bulk adds throttled |
| Remove members | 50 | Per hour | Mass removal limited |
| Admin promotions | 10 | Per day | Prevent admin churn |
| Admin demotions | 10 | Per day | Stability measure |
| Invite link generation | 5 | Per hour | Prevent link spam |
Group Creation Limits
| Account Type | Groups/Day | Groups/Week | Total Groups |
|---|---|---|---|
| New account | 1 | 3 | 10 |
| Standard account | 5 | 20 | 50 |
| Verified account | 10 | 50 | 100 |
| Trusted account | 20 | 100 | 250 |
Group Metadata Update Limits
| Operation | Limit | Window | Cooldown |
|---|---|---|---|
| Name change | 3 | Per day | 8 hours |
| Description change | 5 | Per day | 4 hours |
| Avatar change | 3 | Per day | 8 hours |
| Settings change | 10 | Per hour | None |
Anti-Raid Protections
Raid Detection Algorithm:
Parameters:
join_rate_threshold = 10 members/minute
message_rate_threshold = 5x normal
new_member_message_threshold = 3 messages/minute
Monitoring:
track join_rate over 5-minute window
track message_rate over 1-minute window
track new_member_activity over 10-minute window
On threshold exceeded:
activate_raid_mode():
- Slow mode: 1 message per 30 seconds
- New member mute: 10-minute wait before posting
- Join rate limit: 2 members/minute
- Notify admins
duration = 30 minutes
auto_deactivate after duration if metrics normalize
Raid Mode Restrictions:
┌────────────────────────────────────────────────┐
│ Normal Mode │ Raid Mode │
├────────────────────────────────────────────────┤
│ 60 msg/min │ 2 msg/min per user │
│ Instant join │ 2 joins/min max │
│ Immediate posting │ 10-min new member mute │
│ Unlimited reactions │ 5 reactions/min │
└────────────────────────────────────────────────┘Spam Detection
Zentalk employs content-agnostic spam detection to preserve privacy while preventing abuse.
Content-Agnostic Detection (Rate-Based)
| Signal | Threshold | Weight | Notes |
|---|---|---|---|
| Messages per minute | More than 30 | High | Primary indicator |
| Unique recipients per hour | More than 50 | High | Broadcast behavior |
| Session creation rate | More than 20/hour | Medium | Contact spam |
| Failed deliveries | More than 20% | Medium | Invalid targets |
| Identical message timing | Less than 100ms variance | High | Bot behavior |
Behavioral Pattern Analysis
Spam Behavior Patterns:
Pattern: Mass Messaging
Indicators:
- Messages to more than 20 unique users in 5 minutes
- Less than 1 second between messages
- No replies received
Action: Temporary rate reduction (0.25x)
Pattern: Group Hopping
Indicators:
- Joins more than 5 groups in 1 hour
- Sends messages immediately after joining
- Leaves within 10 minutes
Action: Group join cooldown (24 hours)
Pattern: Contact Harvesting
Indicators:
- More than 100 key bundle fetches in 1 hour
- Low message-to-fetch ratio (less than 0.1)
- Sequential address queries
Action: Key bundle rate limit (10/hour)
Pattern: Bot Behavior
Indicators:
- Consistent message timing (low variance)
- No typing indicators
- 24/7 activity pattern
- No read receipts sent
Action: Flag for review, CAPTCHA challengeDetection Without Content Scanning
| What We Analyze | What We Never Analyze |
|---|---|
| Message frequency | Message content |
| Recipient patterns | Encryption payloads |
| Timing signatures | User conversations |
| Metadata anomalies | Attachment contents |
| Network behavior | Search queries |
| Session patterns | Contact names |
Privacy-Preserving Detection Techniques
| Technique | Privacy Guarantee | Detection Capability |
|---|---|---|
| Local rate counting | No server visibility | High for volume abuse |
| Bloom filter matching | Probabilistic only | Medium for patterns |
| Differential privacy | Mathematical guarantee | Low false positives |
| Federated detection | No central database | Cross-node patterns |
Spam Score Calculation
Spam Score Algorithm:
score = 0
// Rate-based factors
if messages_per_minute > 30:
score += (messages_per_minute - 30) * 2
if unique_recipients_per_hour > 50:
score += (unique_recipients_per_hour - 50) * 1.5
// Behavioral factors
if avg_time_between_messages < 1 second:
score += 20
if reply_rate < 0.05: // less than 5% get replies
score += 15
if session_creation_rate > 20:
score += 10
// Account factors
if account_age < 7 days:
score *= 1.5
if has_violations_history:
score *= 2.0
// Threshold evaluation
if score ≥ 100:
action = TEMPORARY_BAN
else if score ≥ 50:
action = RATE_LIMIT_REDUCTION
else if score ≥ 25:
action = WARNING
else:
action = NONEProof of Work (Optional)
Proof of Work (PoW) provides a computational cost barrier for high-volume senders, making spam economically unfeasible.
Hashcash-Style PoW for High-Volume Senders
| Trigger | PoW Requirement | Difficulty |
|---|---|---|
| Normal usage | None | N/A |
| Rate limit warning | Optional for faster sending | Easy (16-bit) |
| Rate limit exceeded | Required for each message | Medium (20-bit) |
| Spam score elevated | Required with higher difficulty | Hard (24-bit) |
| Previous violations | Always required | Variable |
PoW Challenge-Response Protocol
PoW Protocol Flow:
1. Client exceeds rate limit
2. Server responds:
{
challenge: random_256_bit_nonce,
difficulty: target_leading_zeros,
algorithm: "sha256",
expires: timestamp + 60 seconds
}
3. Client computes:
nonce = 0
while true:
hash = SHA256(challenge || message_hash || nonce)
if leading_zeros(hash) ≥ difficulty:
break
nonce = nonce + 1
4. Client sends message with proof:
{
message: encrypted_payload,
pow_proof: {
challenge: original_challenge,
nonce: computed_nonce,
hash: resulting_hash
}
}
5. Server verifies:
- Challenge is valid and not expired
- Hash meets difficulty requirement
- Challenge not previously used (prevent replay)Difficulty Adjustment
| Factor | Effect on Difficulty | Range |
|---|---|---|
| Current spam level | +2 bits per 10% increase | 16-28 bits |
| User reputation | -4 bits for trusted | 12-24 bits |
| Time of day (load) | +2 bits during peak | Variable |
| Recent PoW solves | -1 bit per 10 valid solves | Minimum 12 bits |
Difficulty Computation Examples
| Difficulty | Expected Iterations | Time (modern CPU) | Time (mobile) |
|---|---|---|---|
| 16 bits | 65,536 | ~1 ms | ~10 ms |
| 20 bits | 1,048,576 | ~15 ms | ~150 ms |
| 24 bits | 16,777,216 | ~250 ms | ~2.5 s |
| 28 bits | 268,435,456 | ~4 s | ~40 s |
When PoW is Required
PoW Decision Matrix:
│ Good Reputation │ Neutral │ Poor Reputation
────────────────────────┼─────────────────┼─────────┼─────────────────
Under rate limit │ Never │ Never │ Optional
At rate limit │ Never │ Optional│ Required (easy)
Exceeded rate limit │ Optional │ Required│ Required (medium)
Spam score elevated │ Required (easy) │ Required│ Required (hard)
Previous ban │ Required │ Required│ Required (very hard)
PoW Bypass Conditions:
- Emergency messages (predefined contacts)
- Account verification completed
- Premium subscription active
- Message to existing conversation (recent activity)PoW Economics
| Spam Volume | PoW Cost (electricity) | Spam Viability |
|---|---|---|
| 1,000/day | ~$0.01 | Viable |
| 10,000/day | ~$0.10 | Marginally viable |
| 100,000/day | ~$1.00 | Not viable |
| 1,000,000/day | ~$10.00 | Economically prohibitive |
Reputation System
Zentalk’s reputation system provides graduated trust levels based on account history and behavior.
Account Age Factor
| Account Age | Reputation Multiplier | Rate Limit Multiplier |
|---|---|---|
| 0-24 hours | 0.5x | 0.3x |
| 1-7 days | 0.7x | 0.5x |
| 7-30 days | 0.85x | 0.75x |
| 30-90 days | 1.0x | 1.0x |
| 90-365 days | 1.1x | 1.25x |
| More than 1 year | 1.25x | 1.5x |
Verified Contacts Boost
| Verified Contacts | Reputation Boost | Notes |
|---|---|---|
| 0 | None | New user |
| 1-5 | +5% | Beginning network |
| 6-20 | +10% | Growing network |
| 21-50 | +15% | Established user |
| 51-100 | +20% | Active user |
| More than 100 | +25% | Power user (capped) |
Reputation Score Components
Reputation Calculation:
base_score = 50 // Starting reputation
// Positive factors
age_bonus = min(account_age_days / 365 * 20, 20)
contact_bonus = min(verified_contacts * 0.25, 25)
activity_bonus = calculate_activity_score() // 0-10
verification_bonus = (phone_verified ? 5 : 0) + (email_verified ? 5 : 0)
// Negative factors
violation_penalty = violations_count * 10
spam_penalty = spam_reports_received * 5
rate_limit_penalty = rate_limit_hits_30d * 0.5
// Final calculation
reputation = base_score
+ age_bonus
+ contact_bonus
+ activity_bonus
+ verification_bonus
- violation_penalty
- spam_penalty
- rate_limit_penalty
reputation = clamp(reputation, 0, 100)
Reputation Tiers:
0-20: Restricted (0.5x limits)
21-40: Limited (0.75x limits)
41-60: Standard (1.0x limits)
61-80: Trusted (1.25x limits)
81-100: Highly Trusted (1.5x limits)Penalty for Violations
| Violation Type | Reputation Impact | Duration |
|---|---|---|
| Rate limit exceeded (first) | -2 points | 7 days |
| Rate limit exceeded (repeat) | -5 points | 14 days |
| Spam report received | -5 points | 30 days |
| Multiple spam reports | -15 points | 90 days |
| Temporary ban | -20 points | 180 days |
| Terms violation | -30 points | 365 days |
| Permanent ban appealed | -50 points | Permanent |
Reputation Recovery
| Recovery Action | Points Recovered | Timeframe |
|---|---|---|
| No violations | +1 point | Per week |
| Active legitimate usage | +0.5 points | Per week |
| Successful verification | +5 points | One-time |
| Successful appeal | +10 points | Per appeal |
| Community contribution | +2 points | Per action |
Cross-Device Reputation
Multi-Device Reputation Sync:
Primary device holds authoritative reputation
│
├── Device 1 (primary)
│ reputation = 75
│ last_sync = now
│
├── Device 2 (secondary)
│ reputation = derived from primary
│ deviation_allowance = ±5 points
│
└── Device 3 (secondary)
reputation = derived from primary
deviation_allowance = ±5 points
On violation on any device:
- Penalty applied to primary reputation
- Synced to all devices within 1 hour
- Device-specific rate limits may vary
On positive action:
- Bonus applied to primary reputation
- Synced on next heartbeatAbuse Response
Zentalk implements a graduated response system for handling abuse.
Temporary Throttling
| Offense Level | Throttle Duration | Rate Reduction | Message to User |
|---|---|---|---|
| First warning | 5 minutes | 50% | “Slow down” |
| Second warning | 30 minutes | 75% | “Rate limited” |
| Third warning | 2 hours | 90% | “Significant restriction” |
| Continued abuse | 24 hours | 95% | “Temporary restriction” |
Throttling Response Headers
| Header | Description | Example |
|---|---|---|
| X-RateLimit-Limit | Maximum requests allowed | 60 |
| X-RateLimit-Remaining | Requests remaining | 0 |
| X-RateLimit-Reset | Unix timestamp for reset | 1704067200 |
| Retry-After | Seconds until retry allowed | 300 |
| X-RateLimit-Reason | Human-readable reason | ”hourly_limit_exceeded” |
Account Suspension Levels
| Level | Duration | Trigger | Restrictions |
|---|---|---|---|
| Warning | None | First minor offense | None (notification only) |
| Level 1 | 1 hour | Repeated minor offenses | Send only to contacts |
| Level 2 | 24 hours | Moderate offense | No group messages |
| Level 3 | 7 days | Serious offense | Read-only mode |
| Level 4 | 30 days | Severe offense | Full suspension |
| Permanent | Indefinite | Extreme violation | Account terminated |
Suspension Actions by Level
Suspension Level Actions:
Level 1 (1 hour):
- Can receive messages
- Can send to existing contacts only
- Cannot create new sessions
- Cannot join groups
Level 2 (24 hours):
- Can receive messages
- Can send 1:1 only (10/hour max)
- Cannot send to groups
- Cannot create groups
Level 3 (7 days):
- Can receive messages
- Cannot send any messages
- Can read group messages
- Cannot interact
Level 4 (30 days):
- Cannot send or receive
- Account appears offline
- Messages queued for 7 days then dropped
- Must re-verify to restore
Permanent:
- Identity key blacklisted
- Cannot register new identity
- All data purged after 30 daysAppeal Process
| Step | Action | Timeframe |
|---|---|---|
| 1 | User submits appeal | Anytime |
| 2 | Automated review | Within 1 hour |
| 3 | Human review (if needed) | Within 48 hours |
| 4 | Decision communicated | Within 72 hours |
| 5 | Escalation (if disputed) | Within 7 days |
Appeal Request Format
Appeal Submission:
POST /api/v1/appeal
{
"user_id": "0x1234...5678",
"suspension_id": "susp_abc123",
"appeal_type": "wrongful_suspension",
"description": "User-provided explanation",
"evidence": [
// Optional supporting information
],
"contact_email": "user@example.com"
}
Response:
{
"appeal_id": "appeal_xyz789",
"status": "received",
"estimated_review": "2024-01-20T00:00:00Z",
"tracking_url": "https://zentalk.io/appeal/xyz789"
}Automated vs Human Review
| Criteria | Automated Review | Human Review |
|---|---|---|
| Clear-cut rate limit | Yes | No |
| First offense | Yes | No |
| Pattern-based detection | Yes | Optional |
| User-reported spam | No | Yes |
| Appeal submitted | Initial | Final decision |
| Legal/safety issues | No | Always |
DDoS Protection
Distributed Denial of Service protection operates at multiple layers of the Zentalk network.
Relay Node Protection
| Protection Layer | Mechanism | Capacity |
|---|---|---|
| Network level | Traffic rate limiting | 10 Gbps |
| Transport level | SYN flood protection | 1M SYN/s |
| Application level | Request rate limiting | 100K req/s |
| Protocol level | Invalid packet filtering | Unlimited |
Relay Node Defense Mechanisms
Multi-Layer DDoS Defense:
Layer 1: Network Edge
├── BGP Flowspec rules
├── IP reputation filtering
├── Geographic restrictions (optional)
└── Anycast distribution
Layer 2: Load Balancer
├── Connection rate limiting
├── SSL/TLS termination
├── Request inspection
└── Backend health monitoring
Layer 3: Application
├── Per-user rate limiting
├── Authentication verification
├── Request validation
└── Circuit breaker patterns
Layer 4: Protocol
├── Message format validation
├── Sequence number checking
├── Replay attack prevention
└── Resource exhaustion limitsDHT Flooding Prevention
| Attack Type | Detection | Mitigation |
|---|---|---|
| Sybil attack | Node ID clustering | Proof of work for node ID |
| Eclipse attack | Routing table analysis | Multiple bootstrap nodes |
| Index poisoning | Value verification | Signed records only |
| Lookup flooding | Query rate monitoring | Per-node query limits |
DHT Protection Parameters
| Parameter | Value | Purpose |
|---|---|---|
| Queries per node per second | 10 | Prevent query floods |
| Responses per query | 8 | Limit amplification |
| Node ID difficulty | 16 bits | Sybil resistance |
| Routing table size | 160 buckets, 20 nodes each | Limit memory |
| Value storage per node | 10,000 records | Prevent storage abuse |
Circuit Creation Limits
| Limit | Value | Purpose |
|---|---|---|
| Circuits per user | 10 concurrent | Resource fairness |
| Circuit creation rate | 5 per minute | Prevent relay exhaustion |
| Circuit lifetime | 10 minutes | Resource recycling |
| Failed circuit penalty | +30s cooldown | Prevent probing |
Circuit Creation Protocol
Circuit Creation Rate Limiting:
Client-side:
circuit_tokens = 5 // Replenish 1 per 12 seconds
create_circuit():
if circuit_tokens ≤ 0:
wait_for_token()
circuit_tokens -= 1
result = attempt_circuit_creation()
if result == FAILED:
circuit_tokens -= 0.5 // Extra penalty
return result
Relay-side:
per_client_circuits = {} // Track per client
on_create_request(client_id):
count = per_client_circuits[client_id]
if count ≥ MAX_CIRCUITS_PER_CLIENT:
return REJECT_LIMIT_EXCEEDED
if creation_rate(client_id) > MAX_RATE:
return REJECT_RATE_LIMITED
// Process creation
per_client_circuits[client_id] += 1
return create_circuit()Attack Response Escalation
| Threat Level | Detection Trigger | Response |
|---|---|---|
| Normal | Baseline traffic | Standard limits |
| Elevated | 2x normal traffic | 0.75x rate limits |
| High | 5x normal traffic | 0.5x rate limits, PoW required |
| Severe | 10x normal traffic | Emergency mode, whitelist only |
| Critical | Infrastructure at risk | Temporary shutdown, escalation |
Emergency Mode Behavior
Emergency Mode Activation:
Triggers:
- CPU usage > 90% sustained for 5 minutes
- Memory usage > 95%
- Network saturation > 90%
- Request queue depth > 10,000
Actions:
1. Enable strict rate limiting (0.1x normal)
2. Require PoW for all requests
3. Whitelist known-good clients
4. Drop all unauthenticated connections
5. Alert operations team
6. Begin traffic analysis for attack signature
Recovery:
- Metrics must be normal for 15 minutes
- Gradual limit restoration (25% increments)
- Full restoration after 1 hour stableImplementation Guidelines
Client Implementation Checklist
| Component | Requirement | Priority |
|---|---|---|
| Local rate limiter | Token bucket implementation | Required |
| Retry logic | Exponential backoff with jitter | Required |
| Offline queue | Persist messages during rate limit | Required |
| PoW solver | SHA256 hashcash implementation | Required |
| Rate display | Show remaining quota to user | Recommended |
| Graceful degradation | Function during restrictions | Required |
Server Implementation Checklist
| Component | Requirement | Priority |
|---|---|---|
| Distributed counter | Redis/similar for rate tracking | Required |
| Sliding window | Accurate rate calculation | Required |
| Reputation store | Persistent user reputation | Required |
| PoW validator | Challenge generation and verification | Required |
| Metrics collection | Rate limit hit tracking | Required |
| Alert system | Anomaly detection and notification | Recommended |
Testing Rate Limits
Rate Limit Testing Strategy:
Unit Tests:
- Token bucket refill accuracy
- Burst allowance consumption
- PoW difficulty calculation
- Reputation score computation
Integration Tests:
- End-to-end rate limit enforcement
- Multi-device rate aggregation
- Distributed counter consistency
- Recovery after rate limit
Load Tests:
- Sustained rate at limit boundary
- Burst behavior validation
- PoW solver performance
- System behavior under attack simulation
Test Scenarios:
1. Normal user behavior (should never hit limits)
2. Power user behavior (occasional soft limits)
3. Spam simulation (should be blocked quickly)
4. DDoS simulation (should trigger emergency mode)Related Documentation
- Error Handling - Error codes and recovery procedures
- Protocol Specification - Message protocol details
- Wire Protocol - Network message formats
- DHT & Kademlia - Distributed hash table implementation
- Onion Routing - Circuit creation and management
- Threat Model - Security considerations
Last updated on