Merge pull request #105 from LiskHQ/97-dos-attack-leads-to-exhaust-no…

…de-memory_core_v1.3.1 DoS attack leads to exhaust node's memory - Closes #97
LiskArchive · Dec 4, 2018 · 63cc257 · 63cc257
2 parents 87a4f05 + e0c735c
commit 63cc257
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 3 deletions.
diff --git a/app.js b/app.js
@@ -761,6 +761,23 @@ d.run(() => {
 				 * @param {function} cb - Callback function
 				 */
 				function(scope, cb) {
+					// Security vulnerabilities fixed by Node v8.14.0 - "Slowloris (cve-2018-12122)"
+					scope.network.server.headersTimeout =
+						appConfig.api.options.limits.headersTimeout;
+					// Disconnect idle clients
+					scope.network.server.setTimeout(
+						appConfig.api.options.limits.serverSetTimeout
+					);
+
+					scope.network.server.on('timeout', socket => {
+						scope.logger.info(
+							`Disconnecting idle socket: ${socket.remoteAddress}:${
+								socket.remotePort
+							}`
+						);
+						socket.destroy();
+					});
+
 					scope.network.server.listen(
 						scope.config.httpPort,
 						scope.config.address,
@@ -771,6 +788,20 @@ d.run(() => {
 
 							if (!err) {
 								if (scope.config.api.ssl.enabled) {
+									// Security vulnerabilities fixed by Node v8.14.0 - "Slowloris (cve-2018-12122)"
+									scope.network.https.headersTimeout =
+										appConfig.api.options.limits.headersTimeout;
+									scope.network.https.setTimeout(
+										appConfig.api.options.limits.serverTimeout
+									);
+									scope.network.https.on('timeout', socket => {
+										scope.logger.info(
+											`Disconnecting idle socket: ${socket.remoteAddress}:${
+												socket.remotePort
+											}`
+										);
+										socket.destroy();
+									});
 									scope.network.https.listen(
 										scope.config.api.ssl.options.port,
 										scope.config.api.ssl.options.address,

diff --git a/config/default/config.json b/config/default/config.json
@@ -48,7 +48,9 @@
 				"max": 0,
 				"delayMs": 0,
 				"delayAfter": 0,
-				"windowMs": 60000
+				"windowMs": 60000,
+				"headersTimeout": 5000,
+				"serverSetTimeout": 20000
 			},
 			"cors": {
 				"origin": "*",

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "lisk",
-	"version": "1.3.0",
+	"version": "1.3.1-rc.0",
 	"description": "Lisk blockchain application platform",
 	"author":
 		"Lisk Foundation <admin@lisk.io>, lightcurve GmbH <admin@lightcurve.io>",

diff --git a/schema/config.js b/schema/config.js
@@ -190,8 +190,25 @@ module.exports = {
 									windowMs: {
 										type: 'integer',
 									},
+									headersTimeout: {
+										type: 'integer',
+										minimum: 1,
+										maximum: 40000,
+									},
+									serverSetTimeout: {
+										type: 'integer',
+										minimum: 1,
+										maximum: 120000,
+									},
 								},
-								required: ['max', 'delayMs', 'delayAfter', 'windowMs'],
+								required: [
+									'max',
+									'delayMs',
+									'delayAfter',
+									'windowMs',
+									'headersTimeout',
+									'serverSetTimeout',
+								],
 							},
 							cors: {
 								type: 'object',

diff --git a/scripts/update_config.js b/scripts/update_config.js
@@ -232,6 +232,13 @@ history.version('1.2.0-rc.x', version => {
 		return config;
 	});
 });
+history.version('1.3.1-rc.0', version => {
+	version.change('add http timeout items', config => {
+		config.api.options.limits.headersTimeout = 5000;
+		config.api.options.limits.serverSetTimeout = 20000;
+		return config;
+	});
+});
 
 const askPassword = (message, cb) => {
 	if (program.password && program.password.trim().length !== 0) {