diff --git a/src/net_processing.cpp b/src/net_processing.cpp
--- a/src/net_processing.cpp
+++ b/src/net_processing.cpp
@@ -482,11 +482,19 @@
     bool fSupportsDesiredCmpctVersion;
 
     /**
-     * State used to enforce CHAIN_SYNC_TIMEOUT
-     * Only in effect for outbound, non-manual, full-relay connections, with
-     * m_protect == false
-     * Algorithm: if a peer's best known block has less work than our tip, set
-     * a timeout CHAIN_SYNC_TIMEOUT seconds in the future:
+     * State used to enforce CHAIN_SYNC_TIMEOUT and EXTRA_PEER_CHECK_INTERVAL
+     * logic.
+     *
+     * Both are only in effect for outbound, non-manual, non-protected
+     * connections. Any peer protected (m_protect = true) is not chosen for
+     * eviction. A peer is marked as protected if all of these are true:
+     *   - its connection type is IsBlockOnlyConn() == false
+     *   - it gave us a valid connecting header
+     *   - we haven't reached MAX_OUTBOUND_PEERS_TO_PROTECT_FROM_DISCONNECT yet
+     *   - it has a better chain than we have
+     *
+     * CHAIN_SYNC_TIMEOUT:  if a peer's best known block has less work than our
+     * tip, set a timeout CHAIN_SYNC_TIMEOUT seconds in the future:
      *   - If at timeout their best known block now has more work than our tip
      * when the timeout was set, then either reset the timeout or clear it
      * (after comparing against our current tip's work)
@@ -494,6 +502,10 @@
      * did when the timeout was set, then send a getheaders message, and set a
      * shorter timeout, HEADERS_RESPONSE_TIME seconds in future. If their best
      * known block is still behind when that new timeout is reached, disconnect.
+     *
+     * EXTRA_PEER_CHECK_INTERVAL: after each interval, if we have too many
+     * outbound peers, drop the outbound one that least recently announced us a
+     * new block.
      */
     struct ChainSyncTimeoutState {
         //! A timeout used for checking whether our peer has sufficiently
@@ -2502,12 +2514,14 @@
             }
         }
 
+        // If this is an outbound full-relay peer, check to see if we should
+        // protect it from the bad/lagging chain logic.
+        // Note that outbound block-relay peers are excluded from this
+        // protection, and thus always subject to eviction under the bad/lagging
+        // chain logic.
+        // See ChainSyncTimeoutState.
         if (!pfrom.fDisconnect && pfrom.IsFullOutboundConn() &&
             nodestate->pindexBestKnownBlock != nullptr) {
-            // If this is an outbound full-relay peer, check to see if we should
-            // protect it from the bad/lagging chain logic. Note that
-            // block-relay-only peers are already implicitly protected, so we
-            // only consider setting m_protect for the full-relay peers.
             if (g_outbound_peers_with_protect_from_disconnect <
                     MAX_OUTBOUND_PEERS_TO_PROTECT_FROM_DISCONNECT &&
                 nodestate->pindexBestKnownBlock->nChainWork >=