OxideTalis/oxidetalis
OxideTalis/oxidetalis
1
Fork 0
Code Issues 10 Pull requests Projects 1 Releases Activity Actions

Rate limiting websocket messages #12

New issue
Open
opened 2024-07-07 16:00:50 +02:00 by awiteb · 9 comments
awiteb commented 2024-07-07 16:00:50 +02:00
Owner
Copy link

Now, the websocket server is not rate limiting the messages. This can be a
problem if a user sends a lot of messages in a short period of time. This can be
used to spam the server and cause a denial of service.

I think about storing the connection ratelimit data in the SocketUserData
struct, and then check if the user has reached the limit before handling its
message.

Now, the websocket server is not rate limiting the messages. This can be a problem if a user sends a lot of messages in a short period of time. This can be used to spam the server and cause a denial of service. I think about storing the connection ratelimit data in the `SocketUserData` struct, and then check if the user has reached the limit before handling its message.
awiteb added the
Kind/Feature
Reviewed
Confirmed
Good First Issue
 labels 2024-07-07 16:00:50 +02:00
awiteb commented 2024-07-07 16:01:48 +02:00
Author
Owner
Copy link

@Amjad50, what do you think is better, using limit and period_secs from the ratelimit section in the config file, or creating a new configuration for the websocket rate limit?

@Amjad50, what do you think is better, using `limit` and `period_secs` from the `ratelimit` section in the config file, or creating a new configuration for the websocket rate limit?
Amjad50 commented 2024-07-07 16:47:21 +02:00
Member
Copy link

it seems fine to use the same config file, since its the server config. why would you want to use a new file specifically for rate limiting?

Also, if this is per connection, maybe its better to include this in the name, like connection_ratelimit.

it seems fine to use the same config file, since its the server config. why would you want to use a new file specifically for rate limiting? Also, if this is per connection, maybe its better to include this in the name, like `connection_ratelimit`.
Amjad50 commented 2024-07-07 16:51:28 +02:00
Member
Copy link

Another thing I thought about, would it be interesting idea to also add limit to number of connections? I know ws is light and we can handle many, but just to fend against half open connections attacks

Another thing I thought about, would it be interesting idea to also add limit to number of connections? I know ws is light and we can handle many, but just to fend against half open connections attacks
awiteb commented 2024-07-07 16:52:55 +02:00
Author
Owner
Copy link

why would you want to use a new file specifically for rate limiting?

Not new file, new configuration, like you say connection_ratelimit under ratelimit section.

So the new configurations will be

  • connection_limit under ratelimit section
  • connection_period_secs under ratelimit section
> why would you want to use a new file specifically for rate limiting? Not new file, new configuration, like you say `connection_ratelimit` under `ratelimit` section. So the new configurations will be - `connection_limit` under `ratelimit` section - `connection_period_secs` under `ratelimit` section
awiteb commented 2024-07-07 16:54:11 +02:00
Author
Owner
Copy link

Another thing I thought about, would it be interesting idea to also add limit to number of connections? I know ws is light and we can handle many, but just to fend against half open connections attacks

There is an issue for this: #11

> Another thing I thought about, would it be interesting idea to also add limit to number of connections? I know ws is light and we can handle many, but just to fend against half open connections attacks There is an issue for this: https://git.4rs.nl/OxideTalis/oxidetalis/issues/11
🚀 1
Amjad50 commented 2024-07-07 16:56:55 +02:00
Member
Copy link

So the new configurations will be

  • connection_limit under ratelimit section
  • connection_period_secs under ratelimit section

The current configuration is

[ratelimit]
enable = true
limit = 1500
period_secs = 60

So it would be like this?

[ratelimit]
enable = true
connection_limit = 1500
connection_period_secs = 60

or keep the old fields and add these new ones?

> So the new configurations will be > > - `connection_limit` under `ratelimit` section > - `connection_period_secs` under `ratelimit` section > The current configuration is ```toml [ratelimit] enable = true limit = 1500 period_secs = 60 ``` So it would be like this? ```toml [ratelimit] enable = true connection_limit = 1500 connection_period_secs = 60 ``` or keep the old fields and add these new ones?
awiteb commented 2024-07-07 17:01:31 +02:00
Author
Owner
Copy link

So it would be like this?

[ratelimit]
enable = true
connection_limit = 1500
connection_period_secs = 60

No, it will be:

[ratelimit]
enable = true
# For http requests
limit = 1500
period_secs = 60
# For websocket messages
connection_limit = 1500
connection_period_secs = 60
> So it would be like this? > ```toml > [ratelimit] > enable = true > connection_limit = 1500 > connection_period_secs = 60 > ``` No, it will be: ```toml [ratelimit] enable = true # For http requests limit = 1500 period_secs = 60 # For websocket messages connection_limit = 1500 connection_period_secs = 60 ```
Amjad50 commented 2024-07-07 17:04:34 +02:00
Member
Copy link

ah, sorry got confused
then, I think we can put them separate, and we can even use the same structure to make it clear which is websocket and which is http, the name connection isn't clear, something like this

[ratelimit.http]
limit = 1500
period_secs = 60

[ratelimit.websocket]
limit = 1500
period_secs = 60
ah, sorry got confused then, I think we can put them separate, and we can even use the same structure to make it clear which is websocket and which is http, the name `connection` isn't clear, something like this ``` [ratelimit.http] limit = 1500 period_secs = 60 [ratelimit.websocket] limit = 1500 period_secs = 60 ```
🚀 1
awiteb commented 2024-07-07 17:07:13 +02:00
Author
Owner
Copy link

and we can even use the same structure to make it clear which is websocket and which is http

I like this, agreed

> and we can even use the same structure to make it clear which is websocket and which is http I like this, agreed
awiteb added
Reviewed
Accepted
 and removed
Reviewed
Confirmed
 labels 2024-07-16 15:42:58 +02:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
No results found.
Labels
Clear labels
  
Good First Issue

Good for newcomers

  
Help wanted

Request for help from the contributors

  
Kind/Breaking

Breaking change that won't be backward compatible

  
Kind/Bug

Something is not working

  
Kind/Bug Fix

Pull request that fix a bug

  
Kind/CI-CD

Something related to the CI/CD

  
Kind/Documentation

Documentation changes

  
Kind/Enhancement

Improve existing functionality

  
Kind/Feature

New functionality

  
Kind/Question

Question related to the project

  
Kind/Security

This is security issue

  
Kind/Testing

Issue or pull request related to testing

  
Reviewed
Accepted
Feature Request or Proposal was accepted by maintainers and will be implemented

  
Reviewed
Confirmed
Issue has been confirmed

  
Reviewed
Declined
Feature Request or Proposal was declined by maintainers

  
Reviewed
Duplicate
This issue or pull request already exists

  
Reviewed
Invalid
Invalid issue

  
Reviewed
Won't Fix
This issue won't be fixed

  
Status
Abandoned
Somebody has started to work on this but abandoned work

  
Status
Approved
The PR is approved by reviewers and is ready to be merged

  
Status
Blocked
Something is blocking this issue or pull request

  
Status
Inactive
Inactive and waiting on the author. This is often applied to closed PRs

  
Status
Need More Info
Feedback is required to reproduce issue or to continue work

  
Status
Waiting On Author
This is awaiting some action (such as code changes or more information) from the author

  
Status
Waiting On Review
Awaiting review from the assignee

No labels
Good First Issue
Help wanted
Kind/Breaking
Kind/Bug
Kind/Bug Fix
Kind/CI-CD
Kind/Documentation
Kind/Enhancement
Kind/Feature
Kind/Question
Kind/Security
Kind/Testing
Reviewed
Accepted
Reviewed
Confirmed
Reviewed
Declined
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Approved
Status
Blocked
Status
Inactive
Status
Need More Info
Status
Waiting On Author
Status
Waiting On Review
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: OxideTalis/oxidetalis#12
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?