diff --git a/docs/running-in-production.rst b/docs/running-in-production.rst
index 2e435f83..5fe4684b 100644
--- a/docs/running-in-production.rst
+++ b/docs/running-in-production.rst
@@ -48,3 +48,87 @@ precommit from the WAL.
 
 Make sure to read about `WAL corruption
 <./specification/corruption.html#wal-corruption>__` and recovery strategies.
+
+DOS Exposure and Mitigation
+---------------------------
+
+Validators are supposed to setup `Sentry Node Architecture
+<https://blog.cosmos.network/tendermint-explained-bringing-bft-based-pos-to-the-public-blockchain-domain-f22e274a0fdb>__`
+to prevent Denial-of-service attacks. You can read more about it `here
+<https://github.com/tendermint/aib-data/blob/develop/medium/TendermintBFT.md>__`.
+
+Blockchain Reactor
+~~~~~~~~~~~~~~~~~~
+
+Defines ``maxMsgSize`` for the maximum size of incoming messages,
+``SendQueueCapacity`` and ``RecvBufferCapacity`` for maximum sending and
+receiving buffers respectively. These are supposed to prevent amplification
+attacks by setting up the upper limit on how much data we can receive & send to
+a peer.
+
+Sending incorrectly encoded data will result in stopping the peer.
+
+Consensus Reactor
+~~~~~~~~~~~~~~~~~
+
+Defines 4 channels: state, data, vote and vote_set_bits. Each channel
+has  ``SendQueueCapacity`` and ``RecvBufferCapacity`` and
+``RecvMessageCapacity`` set to ``maxMsgSize``.
+
+Sending incorrectly encoded data will result in stopping the peer.
+
+Evidence Reactor
+~~~~~~~~~~~~~~~~
+
+`#1503 <https://github.com/tendermint/tendermint/issues/1503>__`
+
+Sending invalid evidence will result in stopping the peer.
+
+Sending incorrectly encoded data or data exceeding ``maxMsgSize`` will result
+in stopping the peer.
+
+PEX Reactor
+~~~~~~~~~~~
+
+Defines only ``SendQueueCapacity``. `#1503 <https://github.com/tendermint/tendermint/issues/1503>__`
+
+Implements rate-limiting by enforcing minimal time between two consecutive
+``pexRequestMessage`` requests. If the peer sends us addresses we did not ask,
+it is stopped.
+
+Sending incorrectly encoded data or data exceeding ``maxMsgSize`` will result
+in stopping the peer.
+
+Mempool Reactor
+~~~~~~~~~~~~~~~
+
+`#1503 <https://github.com/tendermint/tendermint/issues/1503>__`
+
+Mempool maintains a cache of the last 10000 transactions to prevent replaying
+old transactions (plus transactions coming from other validators, who are
+continually exchanging transactions). Read `Replay Protection
+<./app-development.html#replay-protection>` for details.
+
+Sending incorrectly encoded data or data exceeding ``maxMsgSize`` will result
+in stopping the peer.
+
+P2P
+~~~
+
+The core of the Tendermint peer-to-peer system is ``MConnection``. Each
+connection has ``MaxPacketMsgPayloadSize``, which is the maximum packet size
+and bounded send & receive queues. One can impose restrictions on send &
+receive rate per connection (``SendRate``, ``RecvRate``).
+
+RPC
+~~~
+
+Endpoints returning multiple entries are limited by default to return 30
+elements (100 max).
+
+Rate-limiting and authentication are another key aspects to help protect
+against DOS attacks. While in the future we may implement these features, for
+now, validators are supposed to use external tools like `NGINX
+<https://www.nginx.com/blog/rate-limiting-nginx/>__` or `traefik
+<https://docs.traefik.io/configuration/commons/#rate-limiting>__` to archive
+the same things.