jhurliman / node-rate-limiter

A generic rate limiter for node.js. Useful for API clients, web crawling, or other tasks that need to be throttled
MIT License

Module and socket.io #13

Closed Neumann-Valle closed 9 years ago

Neumann-Valle commented 9 years ago

Hi,

Don't know where to comment this, but how would node-rate-limiter be implemented along with socket.io? How would it be used to throttle a client.id when sending events?

Hope I get an idea, I would like to use your module.

Regards

ghost commented 9 years ago

I put this in websocket.js, under dataHandler = realHandler:

```javascript
if (data) {
  self.bytesReceived += data.length;

  //Flood Control Check ~~~~~~~~~~
  console.log(self.last_session_request);
  self.last_session_request = Date.now();

  limiter.removeTokens(1, function(err, remainingRequests) {
    if (remainingRequests < 0) {
      self.close(1002, '');
      //response.writeHead(429, {'Content-Type': 'text/plain;charset=UTF-8'});
      //response.end('429 Too Many Requests - your IP is being rate limited');
    } else {
      console.log('Herp');
    }
  });
  console.log(self.last_session_request);
  //Flood Control Check ~~~~~~~~~~

  self._receiver.add(data);
}
```

And at the top, I put:

```javascript
var RateLimiter = require('limiter').RateLimiter;
var limiter = new RateLimiter(12, 'hour', true); // fire CB immediately
```

Works fine, but I'm just testing it for websockets. But I don't know exactly how it bans the user, or for how long lol.

Neumann-Valle commented 9 years ago

Hi, it is useless. I had tested that way, but the script kiddie is spoofing the ORIGIN set in socket.io, allowing him to edit my client side and/or send loops that kill the server. Yes, you can also ban the aggressor's IP, but it won't do much if he is also spoofing the IP.

ghost commented 9 years ago

Utan, use socket.upgradeReq.connection.remoteAddress instead of origin! Store the user's IP in a file every time they surpass the flood limit, then use fail2ban or some type of system to ban the IPs at the network level (iptables for Linux, etc.).
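
The per-client version of what the two comments above describe (a fixed budget per client, keyed by the remote address rather than Origin, with over-limit clients recorded so something like fail2ban can act on them), as an added example that is not code from this thread or from the limiter package. The 10.0.0.x addresses, the continuous refill and the `ClientLimiter` name are constructed assumptions of this toy.

```javascript
// Added example (not from the thread or the limiter package): a toy per-client token
// bucket with the same 12-per-hour budget as RateLimiter(12, 'hour', true).
const HOUR_MS = 60 * 60 * 1000;

class ClientLimiter {
  constructor(tokensPerInterval = 12, intervalMs = HOUR_MS, now = Date.now) {
    this.tokensPerInterval = tokensPerInterval;
    this.intervalMs = intervalMs;
    this.now = now;               // injectable clock, so tests can move time
    this.buckets = new Map();     // key (e.g. remote address) -> { tokens, lastRefill }
    this.offenders = new Set();   // keys that hit the limit at least once
  }
  // Refill in proportion to elapsed time, never above the bucket size (assumed model).
  refill(bucket, t) {
    const gained = ((t - bucket.lastRefill) / this.intervalMs) * this.tokensPerInterval;
    bucket.tokens = Math.min(this.tokensPerInterval, bucket.tokens + gained);
    bucket.lastRefill = t;
  }

  // Spend one token for `key`. Returns whole tokens left, or -1 when the client is over
  // its limit (the same convention the fireImmediately callback uses). Nothing is banned
  // here: the bucket simply refills, so over-limit keys are recorded for out-of-band action.
  removeToken(key) {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket) {
      bucket = { tokens: this.tokensPerInterval, lastRefill: t };
      this.buckets.set(key, bucket);
    }
    this.refill(bucket, t);
    if (bucket.tokens < 1) {
      this.offenders.add(key);
      return -1;
    }
    bucket.tokens -= 1;
    return Math.floor(bucket.tokens);
  }
}

// Constructed walk-through on a fake clock: one client bursts past its budget, another is
// unaffected, and half an hour later six tokens have come back to the first one.
function demo() {
  let t = 0;
  const lim = new ClientLimiter(12, HOUR_MS, () => t);
  const out = { burst: [], other: 0, later: 0 };
  for (let i = 0; i < 13; i++) out.burst.push(lim.removeToken('10.0.0.1'));
  out.other = lim.removeToken('10.0.0.2');
  t = HOUR_MS / 2;
  out.later = lim.removeToken('10.0.0.1');
  return out;
}
```

Whatever key you choose (remote address, session id), the limiter only decides per event; the offenders set is the hand-off point to a network-level ban, which the library itself does not perform.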

Neumann-Valle commented 9 years ago

Is socket.upgradeReq.connection.remoteAddress also available in the socket.use() method, and is that the user's IP? What I need is a way to really make sure the client is coming from an allowed domain. Can you explain: if they spoofed the remote address, wouldn't that also be spoofed in the upgradeReq?

Sorry, I have never used that property.

jhurliman commented 9 years ago

Since this discussion is trailing outside the scope of a node-rate-limiter bug report, I'm going to close the ticket.