[Audit - Personal Server] - Implement Application-Level Rate Limiting

[glenn-sorrentino]

Implement Application-Level Rate Limiting

Background

In our ongoing efforts to enhance security and ensure service availability, we have identified a need to implement application-level rate limiting. This approach focuses on monitoring and controlling user behavior directly within the application, rather than relying solely on IP-based rate limiting, which can be evaded or cause unintended access issues, especially with users coming from shared networks or using the Tor network.

Objective

The primary objective is to implement a rate limiting mechanism at the application level that effectively prevents abuse and ensures equitable resource usage without depending on the user's IP address. This mechanism should limit the number of messages (or any other specified actions) a user can send within a certain timeframe, thereby mitigating potential denial of service (DoS) attacks or misuse of the service.

Proposal

• Rate Limiting Strategy: Define a clear strategy for rate limiting at the application level, including identifying the actions to be limited (e.g., message sending, API requests), setting reasonable limits based on average user behavior, and determining the timeframe for these limits (e.g., per minute, per hour).

• User Identification: Implement a method for uniquely identifying users in a way that respects their privacy but allows for effective rate limiting. This could involve using session tokens, user account identifiers, or other mechanisms that do not rely solely on IP address.

• Feedback Mechanism: Provide users with immediate feedback when a rate limit is approached or exceeded, including clear messaging on when they can resume the limited action and options for users who legitimately need higher limits.

• Monitoring and Adjustment: Establish monitoring for the rate limiting mechanism to analyze its effectiveness and impact on user experience. Adjust rate limits and strategies as needed based on this analysis.

Action Items

• [ ] Research and select a rate limiting library or framework compatible with our application stack.
• [ ] Design the rate limiting mechanism, including defining limits and identifying actions to be limited.
• [ ] Implement the rate limiting mechanism in a development or staging environment for testing.
• [ ] Develop user feedback messages and mechanisms for users who hit rate limits.
• [ ] Conduct testing to ensure the rate limiting works as expected and does not negatively impact user experience.
• [ ] Monitor and adjust the rate limiting post-deployment based on user feedback and system performance.

Expected Impact

By implementing application-level rate limiting, we aim to enhance our application's security and availability by preventing abuse and ensuring that resources are used fairly among all users. This approach will help mitigate potential DoS attacks and other forms of abuse without relying on IP address-based restrictions, thereby supporting a more inclusive and accessible service for all users, including those using privacy-enhancing technologies like the Tor network.

[glenn-sorrentino]

Adding Flask-Limiter for application-side DOS mitigation

[glenn-sorrentino]

Limits page requests to 10 per minute per session

[glenn-sorrentino]

update to use Redis for storage.

[glenn-sorrentino]

• pass IPs to redis for DOS mitigation enforcement.
• log entries delete when ban is removed.
• right now we're using "per minute".