#318 Rate limiting to prevent accidental/intentional denial-of-service
Reporter
google@dbb.io
Owner
MattJ
Tags
Type-Enhancement
Status-Fixed
google@dbb.io
on
I encountered a nasty bug in Trillian: http://beta:beta@bugs.ceruleanstudios.com/show_bug.cgi?id=13533 (user/pass: beta/beta) that caused me to DoS my own server by flooding it with <presence /> stanzas. What's worse is that they would be sent to other servers of users on my roster, potentially harming other servers in the process.
To Prosody's credit, it didn't go down or even use that much memory; it just happily kept processing all the <presence />s while consuming 100% CPU.
Therefore, it would be nice if Prosody would detect excessive communication from a client, kill the connection, and prohibit further connections for some period of time. Of course, ideally, all the specifics would be configurable policy.
MattJ
on
Hello friend!
We have a plugin for exactly what you describe, available in prosody-modules: https://code.google.com/p/prosody-modules/wiki/mod_limits
It still needs more testing before it can be bundled with Prosody itself (something I'd like to do in the release after the upcoming one), but a bunch of servers are now running it successfully.
Give it a try and let us know how it goes :)
Excellent, I'll give it a shot.