How to protect your miners from DDoS attacks

Published: March 17, 2026 at 12:25 AM EDT
Source: Dev.to

Transparency Note
This article was generated with the assistance of AI and carefully reviewed, edited, and validated by the author.

The Problem

If you’re running a miner, your Axon is public. That means:

  • Anyone can send requests to your port
  • Bots can spam your endpoint
  • Attackers can flood your node (DDoS)

Recently this has been happening across multiple subnets.

Key insight

  • ❌ You don’t need the whole internet
  • ✅ You only need validators

The Solution (In One Sentence)

Whitelist validator IPs. Deny everything else.

Why UFW?

I chose ufw because it’s:

  • Simple
  • Already installed on most servers
  • Built on top of iptables (so it’s powerful)
  • Easy to audit and maintain

Step-by-Step Setup

1. Install UFW

sudo apt update
sudo apt install ufw -y

2. Set Default Rules

Block all incoming traffic by default:

sudo ufw default deny incoming
sudo ufw default allow outgoing

3. Don’t Lock Yourself Out (Allow SSH!)

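sudo ufw allow ssh

This opens port 22. If your SSH daemon listens on a different port, allow that port instead before you enable the firewall.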

4. Allow Only Validators

Assume your Axon runs on port 8091.

sudo ufw allow from <VALIDATOR_IP> to any port 8091

Repeat this command for each validator in your subnet, replacing <VALIDATOR_IP> with that validator's IP address.

5. Enable Firewall

sudo ufw enable
sudo ufw status

The Gotcha (Important!)

Validator IPs are not static. Validators can move to a new machine, change cloud providers, or rotate IPs. If you hard‑code IPs and forget to update them:

  • 💥 Your miner stops receiving requests
  • 💥 Your performance drops
  • 💥 Your rewards go down

How to Handle Validator Changes

Option 1 — Manual Updates

  • Check validator IPs periodically
  • Update UFW rules when needed

Basic idea:

# Pseudo logic
1. Fetch validator list (metagraph)
2. Extract IPs
3. Compare with UFW rules
4. Update rules automatically

Run this script every few minutes with cron.
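
Steps 3 and 4 of the logic above, as an added example that is not the author's script: it compares a list of validator IPs with the rules shown by `ufw status` and returns the `ufw` commands that bring the whitelist in line, refusing to act on an empty list. It assumes the IP list has already been fetched from the metagraph; the function names and sample data are constructed for illustration.

```python
import ipaddress
import re

AXON_PORT = 8091  # the port the article assumes
# A `ufw status` row such as "8091    ALLOW    203.0.113.7"
RULE_RE = re.compile(r"^(\d+)(?:/tcp)?\s+ALLOW(?: IN)?\s+(\S+)$")

# Constructed sample data (RFC 5737 documentation addresses)
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8091                       ALLOW       203.0.113.7
8091                       ALLOW       203.0.113.9
"""
SAMPLE_VALIDATORS = ["203.0.113.7", "198.51.100.20", "0.0.0.0", "not-an-ip"]

def usable_ip(raw):
    """Normalised address, or None for junk ('Anywhere', 0.0.0.0, loopback, ...)."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    bad = ip.is_unspecified or ip.is_loopback or ip.is_multicast or ip.is_link_local
    return None if bad else str(ip)

def current_allowed(ufw_status, port=AXON_PORT):
    """Source IPs that `ufw status` output lists as allowed to reach `port`."""
    rows = (RULE_RE.match(line.strip()) for line in ufw_status.splitlines())
    hits = (usable_ip(m.group(2)) for m in rows if m and int(m.group(1)) == port)
    return {ip for ip in hits if ip}

def plan(ufw_status, validator_ips, port=AXON_PORT):
    """ufw argument lists that make the whitelist match validator_ips (adds first)."""
    want = {ip for ip in map(usable_ip, validator_ips) if ip}
    if not want:  # a failed or empty fetch must never wipe the whitelist
        raise RuntimeError("no usable validator IPs; leaving rules untouched")
    have = current_allowed(ufw_status, port)
    rule = ["to", "any", "port", str(port)]
    adds = [["ufw", "allow", "from", ip, *rule] for ip in sorted(want - have)]
    dels = [["ufw", "delete", "allow", "from", ip, *rule] for ip in sorted(have - want)]
    return adds + dels

if __name__ == "__main__":
    # Dry run: print the plan. To apply, run each list as root with subprocess.run(cmd, check=True).
    for cmd in plan(SAMPLE_STATUS, SAMPLE_VALIDATORS):
        print(" ".join(cmd))
```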

Trade‑offs

Setup | Security | Reliability
Open Axon | ❌ Low | ✅ High
Strict Whitelist | ✅ High | ⚠️ Medium
Automated Whitelist | ✅ High | ✅ High

Bigger Picture (Why This Matters)

Bittensor is designed as an open and permissionless system. That’s powerful—but it also means security is your responsibility. The protocol defines incentives, but you define your infrastructure.

Final Takeaway

You don’t need enterprise‑grade defenses to survive DDoS. Sometimes the best solution is the simplest:

Only accept traffic from participants who matter.

Happy mining!
