How to protect your miners from DDOS attack

James4u — Tue, 17 Mar 2026 04:25:28 +0000

Transparency Note

This article was generated with the assistance of AI and carefully reviewed, edited, and validated by the author.

Running a miner in the Bittensor ecosystem is exciting — you’re literally participating in a global, decentralized intelligence market. But there’s a harsh reality that many subnet operators are now facing:

👉 Your Axon endpoint is exposed to the entire internet.
👉 And yes — it will get attacked.

In this post, I’ll show you a simple, practical, and effective way to protect your miner using ufw (Uncomplicated Firewall).

No complex infrastructure. No expensive services. Just a clean idea:

Only allow validators. Block everyone else.

⚠️ The Problem

If you’re running a miner, your Axon is public.

That means:

Anyone can send requests to your port
Bots can spam your endpoint
Attackers can flood your node (DDoS)

And recently, this has been happening across multiple subnets.

The key insight is:

❌ You don’t need the whole internet
✅ You only need validators

💡 The Solution (In One Sentence)

Whitelist validator IPs. Deny everything else.

🔧 Why UFW?

I chose ufw because it’s:

Simple
Already installed on most servers
Built on top of iptables (so it’s powerful)
Easy to audit and maintain

🚀 Step-by-Step Setup

1. Install UFW

sudo apt update
sudo apt install ufw -y

2. Set Default Rules

Block all incoming traffic by default:

sudo ufw default deny incoming
sudo ufw default allow outgoing

3. Don’t Lock Yourself Out (Allow SSH!)

sudo ufw allow ssh

4. Allow Only Validators

Let’s say your Axon runs on port 8091.

sudo ufw allow from <VALIDATOR_IP> to any port 8091

Repeat this for each validator in your subnet.

5. Enable Firewall

sudo ufw enable
sudo ufw status

🧠 The Gotcha (Important!)

This is where most people mess up:

Validator IPs are NOT static.

Validators can:

Move to a new machine
Change cloud providers
Rotate IPs

If you hardcode IPs and forget about it:

💥 Your miner stops receiving requests
💥 Your performance drops
💥 Your rewards go down

🔄 How to Handle Validator Changes

Here are a few practical strategies:

Option 1 — Manual Updates

Check validator IPs periodically
Update UFW rules when needed

Option 2 — Automate It (Recommended)

Basic idea:

# Pseudo logic
1. Fetch validator list (metagraph)
2. Extract IPs
3. Compare with UFW rules
4. Update rules automatically

Run this every few minutes with cron.

⚖️ Trade-offs

Setup	Security	Reliability
Open Axon	❌ Low	✅ High
Strict Whitelist	✅ High	⚠️ Medium
Automated Whitelist	✅ High	✅ High

🧭 Bigger Picture (Why This Matters)

Bittensor is designed as an open and permissionless system.

That’s powerful — but it also means:

Security is your responsibility.

The protocol defines incentives.
But you define your infrastructure.

✅ Final Takeaway

You don’t need enterprise-grade defenses to survive DDoS.

Sometimes the best solution is the simplest:

Only accept traffic from participants who matter.

Happy Mining - James4u