Rate-limiting with exponential blacklisting #26

Open
7 tasks
loongy opened this issue Apr 7, 2020 · 1 comment
Labels
enhancement New feature or request
Comments

loongy (Contributor) commented Apr 7, 2020

Currently, rate-limiting in aw is required to be implemented at the application level. It assumes that the application has the best information about per-message rate limits, and leaves it to the application to apply them. While this remains true, it is still worth implementing a basic rate-limiter.

The rate-limit should be implemented using a standard rate-per-second with temporary burst. If the rate-limit is violated, then the offending IP address is blacklisted. This drops the existing connection, and refuses connections from this IP address until the end of the blacklist timeout. If the IP address attempts connections during this blacklisted period, then the period is extended by the back-off factor (multiplying the current time left by the back-off factor).

  • Add an option to the peer for per-protocol rate limiting (see Negotiate aw and protocol versions during the handshake #25)
  • Add an option for the blacklist timeout (default: 30 seconds)
  • Add an option for the blacklist timeout back-off (default: 1.6)
  • Violation of the rate-limit drops the connection and blacklists the IP address

Recent offenders should be stored in-memory, but also saved on-disk in the case of an unexpected reboot. Assuming all IP addresses are 128 bits, an in-memory limit of 1MB would allow for 65,536 offenders before the server begins to drop attackers. In the case that this limit is reached, the least recent offender will be dropped from the list (implying that the offender is forgiven).

  • Store offenders in-memory (default: 65,536 addresses)
  • Save offenders on-disk and load them at boot
  • Forgive least recent offenders when in-memory limit is reached
@loongy loongy changed the title Rate-limiting with eventual blacklisting Rate-limiting with exponential blacklisting Apr 7, 2020
@loongy loongy added this to the v0.4.0 milestone Apr 7, 2020
@loongy loongy added the enhancement New feature or request label Apr 7, 2020
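The scheme described in the issue, as an added Go example that is neither aw's code nor the issue author's: a per-address token bucket (rate per second plus burst), a blacklist whose remaining time is multiplied by the back-off factor on every retry, and an in-memory offender table that forgives the least recent entry when full. The on-disk persistence and the per-protocol option are left out; `Limiter`, `NewLimiter` and `Allow` are hypothetical names, `maxOffenders` is assumed to be at least 1, and the caller passes in the clock so the behaviour can be checked with fixed timestamps.

```go
package main
import (
	"container/list"
	"math"
	"time"
)
type bucket struct{ tokens float64; last time.Time } // per-address token bucket
type ban struct{ ip string; until time.Time }        // blacklist entry
// Limiter: token-bucket rate-limit plus an exponentially extended IP blacklist
// with an LRU-bounded offender table (hypothetical code, not aw's own).
type Limiter struct {
	rate, burst, backoff float64 // tokens refilled per second, bucket size, ban multiplier
	timeout              time.Duration
	maxOffenders         int // must be >= 1
	buckets              map[string]*bucket
	bans                 map[string]*list.Element // ip -> LRU element holding a *ban
	lru                  *list.List               // front = most recent offender
}
func NewLimiter(rate, burst float64, timeout time.Duration, backoff float64, maxOffenders int) *Limiter {
	return &Limiter{rate, burst, backoff, timeout, maxOffenders,
		map[string]*bucket{}, map[string]*list.Element{}, list.New()}
}

// Allow reports whether a message from ip may be processed at time now.
func (l *Limiter) Allow(ip string, now time.Time) bool {
	if e, ok := l.bans[ip]; ok {
		if b := e.Value.(*ban); now.Before(b.until) { // retry while banned: extend it
			b.until = now.Add(time.Duration(float64(b.until.Sub(now)) * l.backoff))
			l.lru.MoveToFront(e)
			return false
		}
		l.lru.Remove(e) // ban expired: forgive
		delete(l.bans, ip)
	}
	if l.buckets[ip] == nil {
		l.buckets[ip] = &bucket{l.burst, now}
	}
	bk := l.buckets[ip]
	bk.tokens = math.Min(l.burst, bk.tokens+now.Sub(bk.last).Seconds()*l.rate)
	bk.last = now
	if bk.tokens >= 1 {
		bk.tokens--
		return true
	}
	if l.lru.Len() >= l.maxOffenders { // table full: forgive the least recent offender
		delete(l.bans, l.lru.Remove(l.lru.Back()).(*ban).ip)
	}
	l.bans[ip] = l.lru.PushFront(&ban{ip, now.Add(l.timeout)}) // violation: drop and blacklist
	return false
}
```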
loongy (Contributor, Author) commented Jul 20, 2020

Consider using Linux iptables to blacklist IP addresses that continue to exceed the rate-limit. Example: https://linux-audit.com/blocking-ip-addresses-in-linux-with-iptables
