Upstream
/
Plan
mirror of https://github.com/plan-player-analytics/Plan.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Rate limit against simple DDoS 

Affects issues:
- Close #1846
- Close #3486
This commit is contained in:
Aurora Lahtela 2024-02-28 10:02:26 +02:00
parent b50fa10e12
commit ab94ab9125
5 changed files with 114 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/RateLimitGuard.java Normal file
View File

@ -0,0 +1,84 @@
/*
* This file is part of Player Analytics (Plan).
*
* Plan is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License v3 as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Plan is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Plan. If not, see <https://www.gnu.org/licenses/>.
*/
package com.djrapitops.plan.delivery.webserver;
import com.djrapitops.plan.utilities.dev.Untrusted;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
/**
* Simple guard against DDoS attacks to single endpoint.
* <p>
* This only protects against a DDoS that doesn't follow redirects.
*
* @author AuroraLS3
*/
public class RateLimitGuard {
private static final int ATTEMPT_LIMIT = 30;
private final Cache<String, Integer> requests = Caffeine.newBuilder()
.expireAfterWrite(120, TimeUnit.SECONDS)
.build();
private final Cache<String, String> lastRequestPath = Caffeine.newBuilder()
.expireAfterWrite(120, TimeUnit.SECONDS)
.build();
public boolean shouldPreventRequest(@Untrusted String accessor) {
Integer attempts = requests.getIfPresent(accessor);
if (attempts == null) return false;
// Too many attempts, forbid further attempts.
return attempts >= ATTEMPT_LIMIT;
}
public void increaseAttemptCount(@Untrusted String requestPath, @Untrusted String accessor) {
String previous = lastRequestPath.getIfPresent(accessor);
if (!Objects.equals(previous, requestPath)) {
resetAttemptCount(accessor);
}
Integer attempts = requests.getIfPresent(accessor);
if (attempts == null) {
attempts = 0;
}
lastRequestPath.put(accessor, requestPath);
requests.put(accessor, attempts + 1);
}
public void resetAttemptCount(@Untrusted String accessor) {
// previous request changed
requests.cleanUp();
requests.invalidate(accessor);
}
public static class Disabled extends RateLimitGuard {
@Override
public boolean shouldPreventRequest(String accessor) {
return false;
}
@Override
public void increaseAttemptCount(String requestPath, String accessor) { /* Disabled */ }
@Override
public void resetAttemptCount(String accessor) { /* Disabled */ }
}
}

8
Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/ResponseFactory.java
View File

@ -475,6 +475,14 @@ public class ResponseFactory {
.build(); .build();
} }
public Response failedRateLimit403() {
return Response.builder()
.setMimeType(MimeType.HTML)
.setContent("<h1>403 Forbidden</h1><p>You are being rate-limited.</p>")
.setStatus(403)
.build();
}
public Response ipWhitelist403(@Untrusted String accessor) { public Response ipWhitelist403(@Untrusted String accessor) {
return Response.builder() return Response.builder()
.setMimeType(MimeType.HTML) .setMimeType(MimeType.HTML)

2
Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/http/InternalRequest.java
View File

@ -81,4 +81,6 @@ public interface InternalRequest {
} }
return authenticationExtractor.extractAuthentication(this); return authenticationExtractor.extractAuthentication(this);
} }
String getRequestedPath();
} }

5
Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/http/JettyInternalRequest.java
View File

@ -129,6 +129,11 @@ public class JettyInternalRequest implements InternalRequest {
return baseRequest.getRequestURI(); return baseRequest.getRequestURI();
} }
@Override
public String getRequestedPath() {
return baseRequest.getHttpURI().getDecodedPath();
}
@Override @Override
public String toString() { public String toString() {
return "JettyInternalRequest{" + return "JettyInternalRequest{" +

21
Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/http/RequestHandler.java
View File

@ -19,6 +19,7 @@ package com.djrapitops.plan.delivery.webserver.http;
import com.djrapitops.plan.delivery.web.resolver.Response; import com.djrapitops.plan.delivery.web.resolver.Response;
import com.djrapitops.plan.delivery.web.resolver.request.Request; import com.djrapitops.plan.delivery.web.resolver.request.Request;
import com.djrapitops.plan.delivery.webserver.PassBruteForceGuard; import com.djrapitops.plan.delivery.webserver.PassBruteForceGuard;
import com.djrapitops.plan.delivery.webserver.RateLimitGuard;
import com.djrapitops.plan.delivery.webserver.ResponseFactory; import com.djrapitops.plan.delivery.webserver.ResponseFactory;
import com.djrapitops.plan.delivery.webserver.ResponseResolver; import com.djrapitops.plan.delivery.webserver.ResponseResolver;
import com.djrapitops.plan.delivery.webserver.auth.FailReason; import com.djrapitops.plan.delivery.webserver.auth.FailReason;
@ -40,13 +41,15 @@ public class RequestHandler {
private final ResponseResolver responseResolver; private final ResponseResolver responseResolver;
private final PassBruteForceGuard bruteForceGuard; private final PassBruteForceGuard bruteForceGuard;
private final RateLimitGuard rateLimitGuard;
private final AccessLogger accessLogger; private final AccessLogger accessLogger;
@Inject @Inject
public RequestHandler(WebserverConfiguration webserverConfiguration, ResponseFactory responseFactory, ResponseResolver responseResolver, AccessLogger accessLogger) { public RequestHandler(WebserverConfiguration webserverConfiguration, ResponseFactory responseFactory, ResponseResolver responseResolver, RateLimitGuard rateLimitGuard, AccessLogger accessLogger) {
this.webserverConfiguration = webserverConfiguration; this.webserverConfiguration = webserverConfiguration;
this.responseFactory = responseFactory; this.responseFactory = responseFactory;
this.responseResolver = responseResolver; this.responseResolver = responseResolver;
this.rateLimitGuard = rateLimitGuard;
this.accessLogger = accessLogger; this.accessLogger = accessLogger;
bruteForceGuard = new PassBruteForceGuard(); bruteForceGuard = new PassBruteForceGuard();
@ -64,11 +67,17 @@ public class RequestHandler {
.warnAboutWhitelistBlock(accessAddress, internalRequest.getRequestedURIString()); .warnAboutWhitelistBlock(accessAddress, internalRequest.getRequestedURIString());
response = responseFactory.ipWhitelist403(accessAddress); response = responseFactory.ipWhitelist403(accessAddress);
} else { } else {
try { String requestedPath = internalRequest.getRequestedPath();
request = internalRequest.toRequest(); rateLimitGuard.increaseAttemptCount(requestedPath, accessAddress);
response = attemptToResolve(request, accessAddress); if (rateLimitGuard.shouldPreventRequest(accessAddress)) {
} catch (WebUserAuthException thrownByAuthentication) { response = responseFactory.failedRateLimit403();
response = processFailedAuthentication(internalRequest, accessAddress, thrownByAuthentication); } else {
try {
request = internalRequest.toRequest();
response = attemptToResolve(request, accessAddress);
} catch (WebUserAuthException thrownByAuthentication) {
response = processFailedAuthentication(internalRequest, accessAddress, thrownByAuthentication);
}
} }
} }