Rate limit against simple DDoS

Affects issues:
- Close #1846
- Close #3486
This commit is contained in:
Aurora Lahtela 2024-02-28 10:02:26 +02:00
parent b50fa10e12
commit ab94ab9125
5 changed files with 114 additions and 6 deletions

View File

@ -0,0 +1,84 @@
/*
* This file is part of Player Analytics (Plan).
*
* Plan is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License v3 as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Plan is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Plan. If not, see <https://www.gnu.org/licenses/>.
*/
package com.djrapitops.plan.delivery.webserver;
import com.djrapitops.plan.utilities.dev.Untrusted;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
/**
* Simple guard against DDoS attacks to single endpoint.
* <p>
* This only protects against a DDoS that doesn't follow redirects.
*
* @author AuroraLS3
*/
public class RateLimitGuard {
private static final int ATTEMPT_LIMIT = 30;
private final Cache<String, Integer> requests = Caffeine.newBuilder()
.expireAfterWrite(120, TimeUnit.SECONDS)
.build();
private final Cache<String, String> lastRequestPath = Caffeine.newBuilder()
.expireAfterWrite(120, TimeUnit.SECONDS)
.build();
public boolean shouldPreventRequest(@Untrusted String accessor) {
Integer attempts = requests.getIfPresent(accessor);
if (attempts == null) return false;
// Too many attempts, forbid further attempts.
return attempts >= ATTEMPT_LIMIT;
}
public void increaseAttemptCount(@Untrusted String requestPath, @Untrusted String accessor) {
String previous = lastRequestPath.getIfPresent(accessor);
if (!Objects.equals(previous, requestPath)) {
resetAttemptCount(accessor);
}
Integer attempts = requests.getIfPresent(accessor);
if (attempts == null) {
attempts = 0;
}
lastRequestPath.put(accessor, requestPath);
requests.put(accessor, attempts + 1);
}
public void resetAttemptCount(@Untrusted String accessor) {
// previous request changed
requests.cleanUp();
requests.invalidate(accessor);
}
public static class Disabled extends RateLimitGuard {
@Override
public boolean shouldPreventRequest(String accessor) {
return false;
}
@Override
public void increaseAttemptCount(String requestPath, String accessor) { /* Disabled */ }
@Override
public void resetAttemptCount(String accessor) { /* Disabled */ }
}
}

View File

@ -475,6 +475,14 @@ public class ResponseFactory {
.build();
}
public Response failedRateLimit403() {
return Response.builder()
.setMimeType(MimeType.HTML)
.setContent("<h1>403 Forbidden</h1><p>You are being rate-limited.</p>")
.setStatus(403)
.build();
}
public Response ipWhitelist403(@Untrusted String accessor) {
return Response.builder()
.setMimeType(MimeType.HTML)

View File

@ -81,4 +81,6 @@ public interface InternalRequest {
}
return authenticationExtractor.extractAuthentication(this);
}
String getRequestedPath();
}

View File

@ -129,6 +129,11 @@ public class JettyInternalRequest implements InternalRequest {
return baseRequest.getRequestURI();
}
@Override
public String getRequestedPath() {
return baseRequest.getHttpURI().getDecodedPath();
}
@Override
public String toString() {
return "JettyInternalRequest{" +

View File

@ -19,6 +19,7 @@ package com.djrapitops.plan.delivery.webserver.http;
import com.djrapitops.plan.delivery.web.resolver.Response;
import com.djrapitops.plan.delivery.web.resolver.request.Request;
import com.djrapitops.plan.delivery.webserver.PassBruteForceGuard;
import com.djrapitops.plan.delivery.webserver.RateLimitGuard;
import com.djrapitops.plan.delivery.webserver.ResponseFactory;
import com.djrapitops.plan.delivery.webserver.ResponseResolver;
import com.djrapitops.plan.delivery.webserver.auth.FailReason;
@ -40,13 +41,15 @@ public class RequestHandler {
private final ResponseResolver responseResolver;
private final PassBruteForceGuard bruteForceGuard;
private final RateLimitGuard rateLimitGuard;
private final AccessLogger accessLogger;
@Inject
public RequestHandler(WebserverConfiguration webserverConfiguration, ResponseFactory responseFactory, ResponseResolver responseResolver, AccessLogger accessLogger) {
public RequestHandler(WebserverConfiguration webserverConfiguration, ResponseFactory responseFactory, ResponseResolver responseResolver, RateLimitGuard rateLimitGuard, AccessLogger accessLogger) {
this.webserverConfiguration = webserverConfiguration;
this.responseFactory = responseFactory;
this.responseResolver = responseResolver;
this.rateLimitGuard = rateLimitGuard;
this.accessLogger = accessLogger;
bruteForceGuard = new PassBruteForceGuard();
@ -64,11 +67,17 @@ public class RequestHandler {
.warnAboutWhitelistBlock(accessAddress, internalRequest.getRequestedURIString());
response = responseFactory.ipWhitelist403(accessAddress);
} else {
try {
request = internalRequest.toRequest();
response = attemptToResolve(request, accessAddress);
} catch (WebUserAuthException thrownByAuthentication) {
response = processFailedAuthentication(internalRequest, accessAddress, thrownByAuthentication);
String requestedPath = internalRequest.getRequestedPath();
rateLimitGuard.increaseAttemptCount(requestedPath, accessAddress);
if (rateLimitGuard.shouldPreventRequest(accessAddress)) {
response = responseFactory.failedRateLimit403();
} else {
try {
request = internalRequest.toRequest();
response = attemptToResolve(request, accessAddress);
} catch (WebUserAuthException thrownByAuthentication) {
response = processFailedAuthentication(internalRequest, accessAddress, thrownByAuthentication);
}
}
}