Implemented improvements for rate limiting

okTurtles · Dec 21, 2014 · 5e985d6 · 5e985d6 · taoeffect · Dec 25, 2014
1 parent 16fa10e
commit 5e985d6
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 9 deletions.
diff --git a/src/lib/config.coffee b/src/lib/config.coffee
@@ -68,6 +68,27 @@ module.exports = (dnschain) ->
                 # Example: "mywebsite.com" : 9000  # This tells the server to send traffic meant to "mywebsite.com" to port 9000. It'll still be encrypted when it reaches port 9000
             }
 
+        # WARNING: Do not change these settings unless you know exactly what you're doing.
+        # Read the source code, read the Bottleneck docs,
+        # make sure you understand how it might make your server complicit in DNS Amplification Attacks and your server might be taken down as a result.
+        rateLimiting:
+            dns:
+                maxConcurrent: 1
+                minTime: 200
+                highWater: 2
+                strategy: Bottleneck.strategy.BLOCK
+                penalty: 7000
+            http:
+                maxConcurrent: 2
+                minTime: 150
+                highWater: 10
+                strategy: Bottleneck.strategy.OVERFLOW
+            https:
+                maxConcurrent: 2
+                minTime: 150
+                highWater: 10
+                strategy: Bottleneck.strategy.OVERFLOW
+
 
     nmcDefs =
         rpcport: 8336

diff --git a/src/lib/dns.coffee b/src/lib/dns.coffee
@@ -32,6 +32,7 @@ module.exports = (dnschain) ->
             @log = gNewLogger 'DNS'
             @log.debug "Loading DNSServer..."
             @method = gConf.get 'dns:oldDNSMethod'
+            @rateLimiting = gConf.get 'rateLimiting:dns'
 
             # this is just for development testing of NODE_DNS method
             # dns.setServers ['8.8.8.8']
@@ -55,8 +56,8 @@ module.exports = (dnschain) ->
             @server.on 'sockegError', (err) -> gErr err
             @server.on 'request', (req, res) =>
                 key = "dns-#{req.address.address}-#{req.question[0]?.name}"
-                limiter = gThrottle key, -> new Bottleneck 1, 200, 2, Bottleneck.strategy.BLOCK
-                limiter.changePenalty(7000).submit (@callback.bind @), req, res, null
+                limiter = gThrottle key, => new Bottleneck @rateLimiting.maxConcurrent, @rateLimiting.minTime, @rateLimiting.highWater, @rateLimiting.strategy
+                limiter.changePenalty(@rateLimiting.penalty).submit (@callback.bind @), req, res, null
             @server.serve gConf.get('dns:port'), gConf.get('dns:host')
 
             @log.info 'started DNS', gConf.get 'dns'

diff --git a/src/lib/globals.coffee b/src/lib/globals.coffee
@@ -107,11 +107,7 @@ module.exports = (dnschain) ->
             gLogger.error e.stack
             throw e
 
-        gThrottle: (key, makeLimiter) ->
-            if limiters[key]?
-                limiters[key]
-            else
-                limiters[key] = makeLimiter()
+        gThrottle: (key, makeLimiter) -> limiters[key] ? (limiters[key] = makeLimiter())
 
         # TODO: this function should take one parameter: an IP string
         #       and return either 'A' or 'AAAA'

diff --git a/src/lib/http.coffee b/src/lib/http.coffee
@@ -28,10 +28,11 @@ module.exports = (dnschain) ->
             # @log = @dnschain.log.child server: "HTTP"
             @log = gNewLogger 'HTTP'
             @log.debug "Loading HTTPServer..."
+            @rateLimiting = gConf.get 'rateLimiting:http'
 
             @server = http.createServer((req, res) =>
                 key = "http-#{req.connection?.remoteAddress}"
-                limiter = gThrottle key, -> new Bottleneck 2, 150, 10, Bottleneck.strategy.OVERFLOW
+                limiter = gThrottle key, => new Bottleneck @rateLimiting.maxConcurrent, @rateLimiting.minTime, @rateLimiting.highWater, @rateLimiting.strategy
                 limiter.submit (@callback.bind @), req, res, null
             ) or gErr "http create"
             @server.on 'error', (err) -> gErr err

diff --git a/src/lib/https.coffee b/src/lib/https.coffee
@@ -72,10 +72,11 @@ module.exports = (dnschain) ->
         constructor: (@dnschain) ->
             @log = gNewLogger "HTTPS"
             @log.debug gLineInfo "Loading HTTPS..."
+            @rateLimiting = gConf.get 'rateLimiting:https'
 
             @server = net.createServer (c) =>
                 key = "https-#{c.remoteAddress}"
-                limiter = gThrottle key, -> new Bottleneck 2, 150, 10, Bottleneck.strategy.OVERFLOW
+                limiter = gThrottle key, => new Bottleneck @rateLimiting.maxConcurrent, @rateLimiting.minTime, @rateLimiting.highWater, @rateLimiting.strategy
                 limiter.submit (@callback.bind @), c, null
             @server.on "error", (err) -> gErr err
             @server.on "close", -> gErr "HTTPS server was closed unexpectedly."