Closed valentinvichnal closed 4 years ago
yasserf
commented
4 years ago Nicely done. Ideally we would have permissions use a combined feature but this works well too. How would you like to publish it in terms of DS? Just link to it from the website?
valentinvichnal
commented
4 years ago Thanks, yes I think a link would be enough until I rewrite the config file loading (to use yml). I've posted this only to help people find the plugin if they search for anti-spam plugin.
yasserf
commented
4 years ago Hey @valentinvichnal, could you please add this to the website? Doesn’t have to be long or have a guide. There’s no custom plugin section for now but you can put this in the permission section for the time being as rate limiting is pretty much a universal feature, we can move it later on.
Thanks!
valentinvichnal
commented
4 years ago Sure, I will do that!
I've created a rate limiter plugin for deepstream (v4 and above), to protect against simple DDoS and WebSocket attacks, it works together with the Valve permission plugin.
You can limit the number of RPC calls a user can make every minute.
https://github.com/valentinvichnal/deepstream.io-permission-ratelimiter
Use case
Protect against DoS attacks
Defense against DoS attacks on the network level is always better than on the application level, but WebSocket protection costs a lot, so this plugin can be useful.
A WebSocket attack is easy to do, any user can run this code in the browser's console:
A deepstream server might handle this load (1-2 million req/s) but the RPC providers certainly won't, especially if RPCs do Database operations.
Protect against spam
With this plugin you can prevent server crash if you limit every user to 100 RPC/min, but 100 new comment every minute is still too much.
To prevent spamming you can set higher costs for the
comment.createRPC, and limit it to 1-2 call/min.