Ratelimits and security concerns for public servers #81
Comments
Yeah, there is no protection whatsoever; you can fuck up a server probably quite easily. These protective features are in the roadmap but never got implemented. tw.thissma.fr is deployed in a docker with a size-limited storage. Glad to hear you could deploy easily!!
Okay, thanks for the fast response. I could also leave an issue open for ratelimits, but I think it would be cleaner to recreate one if needed. I don't want to mess with your todo management. I guess I will take down at least my backend until I figure out a good way to sandbox it or until you implement some ratelimits :P
keeping open :)
Okay, if it stays open, here are some things I would like to see:
And then at some point it would also be nice to have per-user limits if there is IP tracking or accounts. But global limits should be there from the start with sane defaults.
Ok, I implemented a few protections.
I don't have any rate limiting for websocket messages. Idk how to do that.
Amazing. Sounds good enough to me. Let's close the issue?
Wait, what was your motivation for HTTP ratelimits? What problem does it solve? The limits in the readme sound a bit strict.
So if a LAN party of 10 people wants to collaborate together, they run into rate limits? Or if my browser requests more than 8 resources in the background, does it do so as well (like style.css, favicon.ico, index.html, mapthumbnail.png)? What happens on an HTTP ratelimit? Does it retry? Delay? Will the errors be recoverable for a regular user? Imo traffic rate limiting is dangerous. It could create annoyances for users. A legit power user should never run into traffic rate limits, and if he does, it should be handled cleanly with some error popup in the UI.
Ah, I agree that the ratelimit is too strict. I'm using the default settings of
The HTTP server does not only serve the static files; it can also query and modify maps with many GET, POST, PUT and DELETE routes. It complements the websocket server. The routes correspond roughly to the mapdir format. For example,
No, the rate limit is per IP and the default max connections is 100.
Good points, I'll raise the default burst limit to 100 and make it configurable. I'll make sure that an error popup is shown in the UI. It may already be the case. IIRC when a request fails, twwe rolls back and shows the error msg.
Per IP does not always mean per person. That's why I said LAN party. Or is it per IP and port combination? Also, why do you want to rate limit HTTP and websockets? What problem does it solve?
Oops, misread.
Just IP, you're perfectly right, the LAN session would be an issue.
The problem it tries to solve is DoS attacks. Requests to map content need to be synchronized on the server, so the server is full of mutexes everywhere. A user could freeze a map by simply spamming a request and keeping the mutex for themselves. For example if you spam A smarter fix is to give connections a 'niceness' score that decreases the more they spam the server and move them down the queue. But this would be significantly harder to implement. I relaxed the limits and made them configurable, so feel free to disable rate limits.
Oh, I see. Mutexes, yes, that sounds important to protect. A simple shell script with a while loop and curl should not take down a map.
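A per-IP token bucket of the kind discussed above (a burst limit plus a refill rate), written here as an added illustration and not twwe's own code. The IP addresses, burst and refill values are constructed, and the clock is passed in explicitly so the LAN-party case from the thread (ten users behind one NAT address sharing a single bucket) can be reproduced deterministically:

```python
"""Per-IP token-bucket rate limiter (added illustration, not twwe code).
The timestamp is injected so behaviour is deterministic and testable."""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float
    last: float  # timestamp of the last refill, in seconds


@dataclass
class IpRateLimiter:
    burst: int = 100          # max tokens a client may hold (the burst limit)
    per_second: float = 10.0  # refill rate, tokens per second
    buckets: dict = field(default_factory=dict)

    def allow(self, ip: str, now: float) -> bool:
        """Consume one token for `ip` at time `now`; False means rate-limited."""
        b = self.buckets.get(ip)
        if b is None:
            b = self.buckets[ip] = Bucket(tokens=float(self.burst), last=now)
        # refill proportionally to elapsed time, capped at the burst size
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.per_second)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def lan_party_demo(users: int = 10, per_user: int = 15) -> dict:
    """Constructed scenario: `users` people behind one NAT'd IP (203.0.113.7)
    each send `per_user` requests at the same instant, while a client on its
    own IP (198.51.100.9) sends one. Returns how many requests were admitted."""
    lim = IpRateLimiter(burst=100, per_second=10.0)
    shared = sum(lim.allow("203.0.113.7", now=0.0) for _ in range(users * per_user))
    single = int(lim.allow("198.51.100.9", now=0.0))
    # two seconds later the shared bucket has refilled only 20 tokens,
    # so most of a second wave from the same address is still rejected
    after_wait = sum(lim.allow("203.0.113.7", now=2.0) for _ in range(50))
    return {"shared_ip_admitted": shared, "single_ip_admitted": single,
            "after_wait": after_wait}
```

The numbers show why per-IP keying alone is coarse: the whole LAN shares one bucket while a lone client on its own address is never touched.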
Is https://tw.thissma.fr/ an unedited version of the main branch? Is it safe for me to also host a public instance? Have there been any trolling incidents? Are there ratelimits on anything? Can someone just fill up the hard drive with maps?
I quickly did a test deploy to https://editor.zillyhuhn.com/ which was super smooth BTW, and was wondering if I can just leave it there and forget about it :D