
Prevent streaming API denial-of-service (resolves #1019)

Merged Hazelnoot requested to merge hazelnoot/prevent-streaming-dos into develop

What does this MR do?

Patches multiple potential DoS vectors in the streaming API:

  • Use a bucket limiter instead of sliding-scale.
  • Limit the number of active connections per client.
  • Automatically close the connection when a rate limit is hit.
  • Automatically evict note cache when a connection closes.
  • Automatically cancel note subscriptions when a connection closes.
  • Limit the number of note subscriptions to 256 per connection. Excess subscriptions will be automatically canceled in LIFO order.
  • Limit UPGRADE requests by user ID instead of request IP, when applicable.
  • Fix Channel leak when two channels share the same ID.
  • Optimize storage, index, and lookup for cached notes and channels.

Contribution Guidelines

By submitting this merge request, you agree to follow our Contribution Guidelines

  • I agree to follow this project's Contribution Guidelines
  • I have made sure to test this merge request
Edited by Hazelnoot
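
The mitigations listed in the description, as an added example that is neither the project's own code nor part of this MR: a token-bucket limiter (the "bucket limiter" the description refers to), UPGRADE requests keyed by user ID with an IP fallback, a per-client cap on active connections, a per-connection cap of 256 note subscriptions with LIFO cancellation, and release of subscriptions and cached notes when a connection closes. The class names, the `subNote`/`unsubNote` message types, the bucket sizes and the connection cap are assumptions; only the 256 limit comes from the description.

```typescript
// Added example, not the project's own code: a token bucket plus the per-client and
// per-connection bookkeeping the MR description lists. All limits are assumed except
// MAX_SUBSCRIPTIONS (256, from the description).

/** Token bucket: at most `capacity` tokens, refilled at `refillPerSec` tokens per second. */
class TokenBucket {
  private tokens: number;
  private last: number;
  private readonly capacity: number;
  private readonly refillPerSec: number;
  constructor(capacity: number, refillPerSec: number, now = 0) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.tokens = capacity;
    this.last = now;
  }
  /** Spend `cost` tokens at time `now` (seconds); false means "rate limited". */
  tryConsume(now: number, cost = 1): boolean {
    const elapsed = Math.max(0, now - this.last);
    this.tokens = Math.min(this.capacity, this.tokens + elapsed * this.refillPerSec);
    this.last = now;
    if (this.tokens < cost) return false;
    this.tokens -= cost;
    return true;
  }
}

const MAX_SUBSCRIPTIONS = 256;                              // from the MR description
const MAX_CONNECTIONS_PER_CLIENT = 4;                       // assumed
const UPGRADE_BUCKET = { capacity: 10, refillPerSec: 1 };   // assumed, per client key
const MESSAGE_BUCKET = { capacity: 100, refillPerSec: 20 }; // assumed, per connection

class StreamConnection {
  /** Subscribed note IDs in insertion order, newest last. */
  readonly subs: string[] = [];
  readonly noteCache = new Map<string, unknown>();
  closed = false;
  private readonly limiter = new TokenBucket(MESSAGE_BUCKET.capacity, MESSAGE_BUCKET.refillPerSec);
  private readonly onClose: (c: StreamConnection) => void;
  constructor(onClose: (c: StreamConnection) => void) {
    this.onClose = onClose;
  }

  /** One inbound frame. Over the message limit the socket is closed, not merely throttled. */
  handleMessage(now: number, type: 'subNote' | 'unsubNote', noteId: string): 'ok' | 'rate_limited' | 'closed' {
    if (this.closed) return 'closed';
    if (!this.limiter.tryConsume(now)) { this.close(); return 'rate_limited'; }
    if (type === 'subNote') this.subscribe(noteId);
    else this.unsubscribe(noteId);
    return 'ok';
  }

  private subscribe(noteId: string): void {
    if (this.subs.includes(noteId)) return;
    if (this.subs.length >= MAX_SUBSCRIPTIONS) {
      const newest = this.subs.pop(); // LIFO: the most recently added subscription is cancelled first
      if (newest !== undefined) this.noteCache.delete(newest);
    }
    this.subs.push(noteId);
    this.noteCache.set(noteId, { id: noteId }); // constructed stand-in for a cached note
  }

  private unsubscribe(noteId: string): void {
    const i = this.subs.indexOf(noteId);
    if (i >= 0) this.subs.splice(i, 1);
    this.noteCache.delete(noteId);
  }

  /** Cancel every subscription, drop the note cache and release the per-client slot. */
  close(): void {
    if (this.closed) return;
    this.closed = true;
    for (const id of [...this.subs]) this.unsubscribe(id);
    this.noteCache.clear();
    this.onClose(this);
  }
}

class StreamServer {
  private readonly connections = new Map<string, Set<StreamConnection>>();
  private readonly upgradeLimiters = new Map<string, TokenBucket>();

  /** Key an UPGRADE by user ID when the request is authenticated, otherwise by IP. */
  static clientKey(userId: string | null, ip: string): string {
    return userId !== null ? `user:${userId}` : `ip:${ip}`;
  }

  /** New connection, or null when the client is rate limited or already at its connection cap. */
  upgrade(now: number, userId: string | null, ip: string): StreamConnection | null {
    const key = StreamServer.clientKey(userId, ip);
    let limiter = this.upgradeLimiters.get(key);
    if (limiter === undefined) {
      limiter = new TokenBucket(UPGRADE_BUCKET.capacity, UPGRADE_BUCKET.refillPerSec, now);
      this.upgradeLimiters.set(key, limiter);
    }
    if (!limiter.tryConsume(now)) return null;
    const set = this.connections.get(key) ?? new Set<StreamConnection>();
    this.connections.set(key, set);
    if (set.size >= MAX_CONNECTIONS_PER_CLIENT) return null;
    const conn = new StreamConnection((c) => set.delete(c));
    set.add(conn);
    return conn;
  }

  activeConnections(userId: string | null, ip: string): number {
    return this.connections.get(StreamServer.clientKey(userId, ip))?.size ?? 0;
  }
}
```

The decision that matters for the DoS case is in `handleMessage`: a client that exhausts its bucket is disconnected rather than queued or slowed, so it cannot hold the connection, its subscriptions and its cached notes alive while being rate limited, and the close path is the same one a normal disconnect takes, which is what keeps the cache and subscriptions from leaking.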

Merge request reports


Activity

  • Hazelnoot added 50 commits

    • b31bcda2...920bf71e - 40 commits from branch develop
    • 18655386 - convert streaming rate limit to bucket
    • bf1c9b67 - close websocket when rate limit exceeded
    • 83132949 - limit the number of note subscriptions per connection
    • b8fd9d0b - clear subscriptions when connection closes
    • 045ff5d2 - make sure that note subscriptions can't stay above limit
    • 14a7309c - avoid leaking cached notes in WS connection
    • eff73218 - avoid duplicate channels in WS connection
    • c41d617e - limit the number of active connections per client, and limit upgrade requests by user
    • 86e34175 - SkRateLimiterService revision 3: cache lockouts in memory to avoid redis calls
    • fafb8113 - increase limits on WS note subscriptions and cached notes

  • Hazelnoot marked this merge request as draft

  • Hazelnoot added 2 commits

    • 47ea8527 - fix wsmessage rate limit definition
    • 922a7ba1 - track the number of concurrent requests to redis, and bypass if the request is guaranteed to reject

  • Hazelnoot resolved all threads

  • Hazelnoot marked this merge request as ready

  • Hazelnoot marked this merge request as draft

  • Hazelnoot marked this merge request as ready

  • Hazelnoot marked the checklist item I have made sure to test this merge request as completed

  • Hazelnoot resolved all threads

  • dakkar approved this merge request

  • Marie approved this merge request
