-
Notifications
You must be signed in to change notification settings - Fork 528
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
11 changed files
with
165 additions
and
33 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
98 changes: 98 additions & 0 deletions
98
core/components/WebServer/middlewares/globalRateLimiterMw.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,98 @@ | ||
const modulename = 'WebServer:RateLimiter'; | ||
import consoleFactory from '@extras/console'; | ||
import { isIpAddressLocal } from '@extras/isIpAddressLocal'; | ||
const console = consoleFactory(modulename); | ||
|
||
|
||
/* | ||
Expected requests per user per minute: | ||
50 usual | ||
800 live console with ingame + 2 web pages | ||
2300 very very very heavy behavior | ||
*/ | ||
|
||
|
||
//Config | ||
const DDOS_THRESHOLD = 20_000; | ||
const MAX_RPM_DEFAULT = 5000; | ||
const MAX_RPM_UNDER_ATTACK = 2500; | ||
const DDOS_COOLDOWN_MINUTES = 15; | ||
|
||
//Vars | ||
const bannedIps = new Set<string>(); | ||
const reqsPerIp = new Map<string, number>(); | ||
let httpRequestsCounter = 0; | ||
let bansPendingWarn: string[] = []; | ||
let minutesSinceLastAttack = Number.MAX_SAFE_INTEGER; | ||
|
||
|
||
/** | ||
* Process the counts and declares a DDoS or not, as well as warns of new banned IPs. | ||
* Note if the requests are under the DDOS_THRESHOLD, banned ips will be immediately unbanned, so | ||
* in this case the rate limiter will only serve to limit instead of banning these IPs. | ||
*/ | ||
setInterval(() => { | ||
if (httpRequestsCounter > DDOS_THRESHOLD) { | ||
minutesSinceLastAttack = 0; | ||
const numberFormatter = new Intl.NumberFormat('en-US'); | ||
console.majorMultilineError([ | ||
'You might be under a DDoS attack!', | ||
`txAdmin got ${numberFormatter.format(httpRequestsCounter)} HTTP requests in the last minute.`, | ||
`The attacker IP addresses have been blocked until ${DDOS_COOLDOWN_MINUTES} mins after the attack stops.`, | ||
'Make sure you have a proper firewall setup and/or a reverse proxy with rate limiting.', | ||
'You can join https://discord.gg/txAdmin for support.' | ||
]); | ||
} else { | ||
minutesSinceLastAttack++; | ||
if (minutesSinceLastAttack > DDOS_COOLDOWN_MINUTES) { | ||
bannedIps.clear(); | ||
} | ||
} | ||
httpRequestsCounter = 0; | ||
reqsPerIp.clear(); | ||
if (bansPendingWarn.length) { | ||
console.warn('IPs blocked:', bansPendingWarn.join(', ')); | ||
bansPendingWarn = []; | ||
} | ||
}, 60_000); | ||
|
||
|
||
/** | ||
* Checks if an IP is allowed to make a request based on the rate limit per IP. | ||
* The rate limit ignores local IPs. | ||
* The limits are calculated based on requests per minute, which varies if under attack or not. | ||
* All bans are cleared 15 minutes after the attack stops. | ||
*/ | ||
const checkRateLimit = (remoteAddress: string) => { | ||
// Sanity check on the ip | ||
if (typeof remoteAddress !== 'string' || !remoteAddress.length) return false; | ||
|
||
// Counting requests per minute | ||
httpRequestsCounter++; | ||
|
||
// Whitelist all local addresses | ||
if (isIpAddressLocal(remoteAddress)) return true; | ||
|
||
// Checking if the IP is banned | ||
if (bannedIps.has(remoteAddress)) return false; | ||
|
||
// Check rate and count request | ||
const reqsCount = reqsPerIp.get(remoteAddress); | ||
if (reqsCount !== undefined) { | ||
const limit = minutesSinceLastAttack < DDOS_COOLDOWN_MINUTES | ||
? MAX_RPM_UNDER_ATTACK | ||
: MAX_RPM_DEFAULT; | ||
if (reqsCount > limit) { | ||
bannedIps.add(remoteAddress); | ||
bansPendingWarn.push(remoteAddress); | ||
return false; | ||
} | ||
reqsPerIp.set(remoteAddress, reqsCount + 1); | ||
} else { | ||
reqsPerIp.set(remoteAddress, 1); | ||
} | ||
return true; | ||
} | ||
|
||
export default checkRateLimit; | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
const modulename = 'IpChecker'; | ||
import consoleFactory from '@extras/console'; | ||
const console = consoleFactory(modulename); | ||
|
||
const extendedAllowedLanIps: string[] = []; | ||
|
||
|
||
/** | ||
* Return if the IP Address is a loopback interface, LAN, detected WAN or any other | ||
* IP that is registered by the user via the forceInterface convar or config file. | ||
* | ||
* This is used to secure the webpipe auth and the rate limiter. | ||
*/ | ||
export const isIpAddressLocal = (ipAddress: string): boolean => { | ||
return ( | ||
/^(127\.|192\.168\.|10\.|::1|fd00::)/.test(ipAddress) | ||
|| extendedAllowedLanIps.includes(ipAddress) | ||
) | ||
} | ||
|
||
|
||
/** | ||
* Used to register a new LAN interface. | ||
* Added automatically from forceInterface, zapHosting config and banner.js after detecting the WAN address. | ||
*/ | ||
export const addLocalIpAddress = (ipAddress: string): void => { | ||
console.verbose.debug(`Adding local IP address: ${ipAddress}`); | ||
extendedAllowedLanIps.push(ipAddress); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters