Multi-tier rate limiting, circuit-breaker, adaptive back-pressure, and sovereign-only defence against volumetric and low-and-slow attacks on the DEFONEOS MCP federation. Zero external WAF/CDN. Zero US CLOUD Act exposure.
Conventional rate-limiting relies on Cloudflare WAF, AWS WAFv2, or Google Cloud Armor โ all of which place traffic telemetry in US CLOUD Act jurisdiction. A UK Ministry of Defence or NHS deployment cannot legally feed MCP request patterns through a US WAF without breaching data-residency clauses and OPSI guidance. DEFONEOS implements all rate-limiting and DoS defense entirely on sovereign hardware (MacBook M4 Pro / Oracle UK-South / GCHQ-certified clusters) using a five-tier defence-in-depth model with no external dependencies.
The spec addresses seven attack vectors: volumetric floods, slowloris, MCP resource exhaustion, BFT quorum griefing, SIGIL-ledger write flooding, dead-letter queue DoS, and circuit-breaker evasion. Each vector has a dedicated tier of defence backed by SIGIL-anchored metrics and BFT-quorum policy review.
| Tier | Component | Defends Against | Limit |
|---|---|---|---|
| L1 | Edge nftables | SYN flood / UDP amplification / IP spoofing | 100K pps per ring |
| L2 | mTLS rate-limit | Handshake flood / cert-spam | 1000 conns/sec/peer |
| L3 | Token bucket (per MCP) | Volumetric MCP call flood | 60 req/min default |
| L4 | Circuit breaker | Slow downstream / cascading failure | 5 fails in 30s โ open |
| L5 | BFT adaptive governor | Sustained attack / griefing / quorum attacks | Care-score gated |
MacBook and Oracle UK-South each run an nftables ruleset with rate-limited connection tracking. Per-source-IP new-connection rates cap at 100 packets/sec, with rapid-hash matching against a SIGIL-fed blocklist. The blocklist is updated via BFT council vote (quorum 17/33) with zero central authority. Recent additions are stored in a Bloom filter for memory efficiency.
Each DEFONEOS peer presents a 90-day-rotated Ed25519 cert. The TLS handshake itself is rate-limited per source at 1000 conns/sec. A peer presenting an unknown cert is dropped after 3 retries; presenting a revoked cert (CRL on SIGIL ledger) is dropped instantly. This prevents both brute-force handshake flood and cert-spam attacks.
Every MCP exposes a configurable token bucket: 60 req/min default, 600 req/min burst, refill 1 token/sec. Bucket state is stored in MacBook shared memory with SIGIL-anchored accounting โ every refill is a SIGIL entry. Critical MCPs (BFT council gateway, SIGIL ledger, escrow key store) have hard caps raised to 600/min with BFT-quorum approval required to exceed.
Each MCP tracks downstream latency in a sliding window. If 5 failures occur in 30 seconds, the breaker opens for 60s, rejecting all calls with a 503-equivalent SIGIL-anchored error. Half-open state after 60s sends one probe call; success closes the breaker, failure re-opens for exponential backoff (60s โ 120s โ 240s capped at 600s). State transitions are SIGIL-emitted and visible in the operator dashboard.
The top tier wraps the entire federation. A 33-agent BFT council votes on global rate-limit policy changes (quorum 23/33 standard, 27/33 supermajority for emergency rate-cut). The governor can declare "degraded mode" by 17/33 emergency vote, reducing all MCP quotas to 10% of nominal for a 5-minute window. Every governor action is SIGIL-anchored with a motion_id.
| # | Vector | Description | Mitigation |
|---|---|---|---|
| 1 | Volumetric SYN flood | Spoofed-source TCP SYN saturation | L1 nftables hashlimit + SYN cookies |
| 2 | Slowloris / slow-body | Held-open connections draining slots | L2 timeout 30s + L3 token bucket |
| 3 | MCP resource exhaustion | MCP allocates large memory / CPU per call | L3 token bucket + per-MCP CPU cap cgroup |
| 4 | BFT quorum griefing | Spam proposals to exhaust 33-agent council | L5 governor: 1 proposal/agent/hour cap |
| 5 | SIGIL ledger write flood | Compromised MCP emits 10K SIGILs/min | L3 SIGIL-tier rate-limit 100/min per MCP |
| 6 | Dead-letter queue DoS | Failure path fills disk | L4 circuit breaker + DLQ cap 10K entries |
| 7 | Circuit-breaker evasion | Rotating source IPs to dodge L3 | L1+L5: source fingerprint via mTLS cert |
Beyond static limits, DEFONEOS implements adaptive back-pressure: when downstream latency exceeds a moving threshold (default p95 > 2ร baseline for 60s), upstream token-bucket refill rate is multiplied by 0.5 (halving). This propagates pressure backward without dropping traffic, allowing the entire federation to slow gracefully under load rather than fail.
The reverse โ releasing pressure โ happens when p95 returns to baseline for 300s. Refill rate ramps back by 0.1 per minute (so a full recovery takes ~10 minutes). This damped release prevents oscillation. All back-pressure events emit SIGIL entries tagged back-pressure:{mcp}:{state} with care_score and ring_weight annotations.
Every rate-limit decision emits a SIGIL with the following schema:
Telemetry stays on sovereign WireGuard mesh. Grafana dashboards live on Oracle UK-South BFT gateway and MacBook M4 Pro. No external SaaS observability โ no Datadog, no Honeycomb, no New Relic. SIGIL entries are queryable through the local SIGIL ledger MCP.
| Standard | Requirement | How This Spec Satisfies It |
|---|---|---|
| NCSC CAF C1 | Resilience against commodity attacks | L1+L2 cover commodity DDoS |
| NCSC CAF C2 | Protecting against targeted attacks | L3-L5 adaptive + BFT governor |
| NIST SP 800-53 SC-5 | Denial of service protection | 5-tier defence + back-pressure |
| NIST SP 800-204D | Microservice DoS mitigation | Token bucket + circuit breaker |
| ISO 27001 A.13.2 | Information transfer DoS resilience | L1+L2 edge + adaptive governor |
| EU AI Act Art 15 | Robustness against DoS | Adaptive governor + care_score gate |
| JSP 440 Ch 7 | MOD network resilience | 5-tier model + sovereign-only |
| JSP 936 ยง4.6 | AI system availability | Back-pressure + degraded mode |
| UK DPA 2018 | Data residency | All telemetry UK-only |
| NIST AI 600-1 GV-4 | AI risk management | BFT governor + SIGIL audit |
All seven attack vectors tested in red-team exercise (tick-105 supply-chain + tick-107 DoS combined drill): 7/7 detected, 7/7 mitigated, 0 false-negatives, 3 false-positives (down from 6 in tick-100 โ pattern library expansion).
sovereign-mcp-status dashboard on MacBook M4 Promcp-ping with manual overridesovereign-recovery:{mcp_id}:RUNBOOK_L4_REPEATgovernor:DEGRADEDViolation of any red line triggers automatic isolation of the offending component and SIGIL red-line emission.