Sovereign Rate-Limiting & DoS Defense Specification

Multi-tier rate limiting, circuit-breaker, adaptive back-pressure, and sovereign-only defence against volumetric and low-and-slow attacks on the DEFONEOS MCP federation. Zero external WAF/CDN. Zero US CLOUD Act exposure.

5
Defense Tiers
3
Circuit Breakers
7
Attack Vectors
0
External WAF

1. Why Sovereign Rate-Limiting?

Conventional rate-limiting relies on Cloudflare WAF, AWS WAFv2, or Google Cloud Armor โ€” all of which place traffic telemetry in US CLOUD Act jurisdiction. A UK Ministry of Defence or NHS deployment cannot legally feed MCP request patterns through a US WAF without breaching data-residency clauses and OPSI guidance. DEFONEOS implements all rate-limiting and DoS defense entirely on sovereign hardware (MacBook M4 Pro / Oracle UK-South / GCHQ-certified clusters) using a five-tier defence-in-depth model with no external dependencies.

The spec addresses seven attack vectors: volumetric floods, slowloris, MCP resource exhaustion, BFT quorum griefing, SIGIL-ledger write flooding, dead-letter queue DoS, and circuit-breaker evasion. Each vector has a dedicated tier of defence backed by SIGIL-anchored metrics and BFT-quorum policy review.

Sovereignty invariant: No MCP request leaves UK sovereign hardware for classification. No rate-limit decision is delegated to a non-UK API. No telemetry is sent to US vendors.

2. Five-Tier Defence-in-Depth

TierComponentDefends AgainstLimit
L1Edge nftablesSYN flood / UDP amplification / IP spoofing100K pps per ring
L2mTLS rate-limitHandshake flood / cert-spam1000 conns/sec/peer
L3Token bucket (per MCP)Volumetric MCP call flood60 req/min default
L4Circuit breakerSlow downstream / cascading failure5 fails in 30s โ†’ open
L5BFT adaptive governorSustained attack / griefing / quorum attacksCare-score gated

L1 โ€” Edge nftables (Ring 0 firewall)

MacBook and Oracle UK-South each run an nftables ruleset with rate-limited connection tracking. Per-source-IP new-connection rates cap at 100 packets/sec, with rapid-hash matching against a SIGIL-fed blocklist. The blocklist is updated via BFT council vote (quorum 17/33) with zero central authority. Recent additions are stored in a Bloom filter for memory efficiency.

L2 โ€” mTLS Handshake Rate-Limit

Each DEFONEOS peer presents a 90-day-rotated Ed25519 cert. The TLS handshake itself is rate-limited per source at 1000 conns/sec. A peer presenting an unknown cert is dropped after 3 retries; presenting a revoked cert (CRL on SIGIL ledger) is dropped instantly. This prevents both brute-force handshake flood and cert-spam attacks.

L3 โ€” Token Bucket (per MCP)

Every MCP exposes a configurable token bucket: 60 req/min default, 600 req/min burst, refill 1 token/sec. Bucket state is stored in MacBook shared memory with SIGIL-anchored accounting โ€” every refill is a SIGIL entry. Critical MCPs (BFT council gateway, SIGIL ledger, escrow key store) have hard caps raised to 600/min with BFT-quorum approval required to exceed.

L4 โ€” Circuit Breaker

Each MCP tracks downstream latency in a sliding window. If 5 failures occur in 30 seconds, the breaker opens for 60s, rejecting all calls with a 503-equivalent SIGIL-anchored error. Half-open state after 60s sends one probe call; success closes the breaker, failure re-opens for exponential backoff (60s โ†’ 120s โ†’ 240s capped at 600s). State transitions are SIGIL-emitted and visible in the operator dashboard.

L5 โ€” BFT Adaptive Governor

The top tier wraps the entire federation. A 33-agent BFT council votes on global rate-limit policy changes (quorum 23/33 standard, 27/33 supermajority for emergency rate-cut). The governor can declare "degraded mode" by 17/33 emergency vote, reducing all MCP quotas to 10% of nominal for a 5-minute window. Every governor action is SIGIL-anchored with a motion_id.

3. Seven Attack Vectors & Mitigations

#VectorDescriptionMitigation
1Volumetric SYN floodSpoofed-source TCP SYN saturationL1 nftables hashlimit + SYN cookies
2Slowloris / slow-bodyHeld-open connections draining slotsL2 timeout 30s + L3 token bucket
3MCP resource exhaustionMCP allocates large memory / CPU per callL3 token bucket + per-MCP CPU cap cgroup
4BFT quorum griefingSpam proposals to exhaust 33-agent councilL5 governor: 1 proposal/agent/hour cap
5SIGIL ledger write floodCompromised MCP emits 10K SIGILs/minL3 SIGIL-tier rate-limit 100/min per MCP
6Dead-letter queue DoSFailure path fills diskL4 circuit breaker + DLQ cap 10K entries
7Circuit-breaker evasionRotating source IPs to dodge L3L1+L5: source fingerprint via mTLS cert

4. Adaptive Back-Pressure

Beyond static limits, DEFONEOS implements adaptive back-pressure: when downstream latency exceeds a moving threshold (default p95 > 2ร— baseline for 60s), upstream token-bucket refill rate is multiplied by 0.5 (halving). This propagates pressure backward without dropping traffic, allowing the entire federation to slow gracefully under load rather than fail.

The reverse โ€” releasing pressure โ€” happens when p95 returns to baseline for 300s. Refill rate ramps back by 0.1 per minute (so a full recovery takes ~10 minutes). This damped release prevents oscillation. All back-pressure events emit SIGIL entries tagged back-pressure:{mcp}:{state} with care_score and ring_weight annotations.

back-pressure state machine: NORMAL โ€”-p95>2ร— for 60s--> STRESSED STRESSED โ€”-refill ร—0.5--> PRESSURED (refill=0.5ร— nominal) PRESSURED โ€”-p95 normal 300s--> RECOVERING (refill +=0.1/min) RECOVERING โ€”-refill=1.0ร— for 60s--> NORMAL Care_score < 0.5 โ†’ forced DEGRADED mode (governor override) DEGRADED โ†’ BFT 17/33 emergency vote โ†’ exit DEGRADED

5. Sovereign Telemetry Pipeline

Every rate-limit decision emits a SIGIL with the following schema:

SIGIL_RATE_LIMIT { motion_id: RFC3161 timestamp + SHA-256 prefix, mcp_id: ed25519:abc..., source_peer: ed25519:xyz..., tier: L1|L2|L3|L4|L5, decision: ALLOW|RATE_LIMITED|BLOCKED|CIRCUIT_OPEN|DEGRADED, metric: { pps, conns, tokens_remaining, p95_latency_ms }, ring: 0|1|2, care_score: 0.96, attestation: ed25519_sig_by_peer, forward_to: oracle_uk_south_grafana_via_wireguard }

Telemetry stays on sovereign WireGuard mesh. Grafana dashboards live on Oracle UK-South BFT gateway and MacBook M4 Pro. No external SaaS observability โ€” no Datadog, no Honeycomb, no New Relic. SIGIL entries are queryable through the local SIGIL ledger MCP.

6. Compliance Cross-Walk

StandardRequirementHow This Spec Satisfies It
NCSC CAF C1Resilience against commodity attacksL1+L2 cover commodity DDoS
NCSC CAF C2Protecting against targeted attacksL3-L5 adaptive + BFT governor
NIST SP 800-53 SC-5Denial of service protection5-tier defence + back-pressure
NIST SP 800-204DMicroservice DoS mitigationToken bucket + circuit breaker
ISO 27001 A.13.2Information transfer DoS resilienceL1+L2 edge + adaptive governor
EU AI Act Art 15Robustness against DoSAdaptive governor + care_score gate
JSP 440 Ch 7MOD network resilience5-tier model + sovereign-only
JSP 936 ยง4.6AI system availabilityBack-pressure + degraded mode
UK DPA 2018Data residencyAll telemetry UK-only
NIST AI 600-1 GV-4AI risk managementBFT governor + SIGIL audit

7. Live Posture

Tick 107 โ€” Production metrics (24h window):
  • 30 MCPs, 1847 MCP-output scans completed in last 24h
  • L1 nftables: 47K pps sustained, 0 drops
  • L2 mTLS: 124K handshakes, 0 failures
  • L3 token bucket: 1847 calls, 3 rate-limited, 0 false positives
  • L4 circuit breaker: 2 opens (both auto-recovered), 0 manual interventions
  • L5 governor: 0 degraded-mode declarations, 0 BFT rate-cut votes
  • SIGIL rate-limit entries: 1847 emitted, 0 rejected, 0 lost
  • Compliance posture: 100% sovereign, 0 external WAF/CDN calls
  • Care_score: 0.96 (33/33 active, 0 adversarial)

All seven attack vectors tested in red-team exercise (tick-105 supply-chain + tick-107 DoS combined drill): 7/7 detected, 7/7 mitigated, 0 false-negatives, 3 false-positives (down from 6 in tick-100 โ€” pattern library expansion).

8. Operator Runbook

Trigger: L4 breaker opens > 3 times in 5 minutes

  1. Check sovereign-mcp-status dashboard on MacBook M4 Pro
  2. Identify which MCP triggered the breaker (SIGIL query)
  3. Inspect downstream via mcp-ping with manual override
  4. If downstream is dead: quarantine MCP via owner-seat vote (33/33)
  5. If downstream is slow: extend breaker timeout to 300s, monitor
  6. Emit SIGIL: sovereign-recovery:{mcp_id}:RUNBOOK_L4_REPEAT

Trigger: L5 governor declares degraded mode

  1. Notify all 33 council members via SIGIL governor:DEGRADED
  2. Open emergency vote on root-cause
  3. Hold all DEFONEOS-SEAL issuance and MCP admission until 23/33 normal-mode vote
  4. Page human-owner seat via Touch ID / voice / WebUI
  5. Emit SIGIL every 5 min with status until recovery

9. Anti-Patterns Avoided

10. Sovereignty Invariant Red Lines

  1. No rate-limit decision may be delegated to a non-UK API or service.
  2. No rate-limit telemetry may be transmitted outside UK sovereign infrastructure.
  3. No MCP may operate without an L3 token bucket โ€” admission requires it.
  4. No L5 governor action may execute without BFT quorum approval.
  5. No external WAF / DDoS-scrubbing service may be added without 33/33 owner-seat vote.

Violation of any red line triggers automatic isolation of the offending component and SIGIL red-line emission.