Rolisteam/DiceParser

DDOS attacks

VividLemon opened this issue · 1 comments

While experimenting, I found that you could use a high-sided die, such as rolling a 10,000-sided die. While also experimenting, I found you could use the explode mechanic to have it reroll on one... Combining the two, the server is at the mercy of hoping for a 1 on a 10,000-sided die to terminate the loop. This could run the server into a pseudo-infinite loop where it hopes to hit a 1 in order to terminate. With evildoers in mind, one could have a repeating script that reruns the command multiple times. For reference, I combined a 100-sided die with explode on 1 and caused the bot to roll around 10,000 times. I haven't looked in depth in the code to see if there's a maximum number of times it's allowed to rerun; there may be one already, but I fear trying anything higher. If there is no maximum allowed loop rerun value, I suggest adding one.

How are you experimenting with DiceParser commands?
When you say server, which server do you mean?

On Discord, there is a limit of 30 sec on running. If the command takes longer than that to compute, DiceParser is killed.
DiceParser marks as errors the commands which lead to an endless loop (such as: !1d10e[>0]) (at least it tried to do so, but some weird case can probably still hurt it).
When the command has a chance to occur, it is not marked as error.
But the DiceParser binary is meant to be used as a command-line tool; if you run an almost endless command, the only person hurt is you. (And Ctrl+C should fix the issue.)

Any tool which uses DiceParser has to manage this kind of issue.

Not my problem!
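The two defenses discussed in this thread, as an added example that is not DiceParser's own code: a static check that rejects an explode condition every face satisfies (the `1d10e[>0]` case), and a roll cap for chains that are merely very likely to continue (the "explode unless 1" case). All type and function names are hypothetical, and the cap of 1000 is an assumed value.

```cpp
#include <algorithm>
#include <cstdint>
#include <functional>
#include <iostream>
#include <random>

// Hypothetical types for illustration; this is not DiceParser's API.
enum class Cmp { Eq, Gt, Lt };
struct Condition { Cmp op; int value; };
enum class Status { Ok, RejectedAlwaysExplodes, HitCap };
struct Result { Status status; std::int64_t total; int rolls; };

bool matches(const Condition& c, int face) {
    if (c.op == Cmp::Eq) return face == c.value;
    return c.op == Cmp::Gt ? face > c.value : face < c.value;
}

// Number of faces in 1..sides that trigger an explosion, computed
// arithmetically so a huge die cannot make the check itself slow.
std::int64_t explodingFaces(const Condition& c, std::int64_t sides) {
    const std::int64_t v = c.value;
    if (c.op == Cmp::Eq) return (v >= 1 && v <= sides) ? 1 : 0;
    const std::int64_t n = (c.op == Cmp::Gt) ? sides - v : v - 1;
    return std::max<std::int64_t>(0, std::min(n, sides));
}

// Roll one exploding die. rollDie is injected so the caller picks the RNG.
Result rollExploding(int sides, const Condition& c, int maxRolls,
                     const std::function<int()>& rollDie) {
    // Static check: every face explodes, so the chain could never stop.
    if (explodingFaces(c, sides) >= sides)
        return {Status::RejectedAlwaysExplodes, 0, 0};
    Result r{Status::Ok, 0, 0};
    while (r.rolls < maxRolls) {
        const int face = rollDie();
        r.total += face;
        ++r.rolls;
        if (!matches(c, face)) return r;  // chain ended normally
    }
    r.status = Status::HitCap;  // likely-but-not-certain loops stop here
    return r;
}

int main() {
    std::mt19937 rng{std::random_device{}()};
    std::uniform_int_distribution<int> d100(1, 100);
    // Constructed input: a d100 that explodes on every face except 1.
    const Result r = rollExploding(100, {Cmp::Gt, 1}, 1000, [&] { return d100(rng); });
    std::cout << "rolls=" << r.rolls << " total=" << r.total
              << " capped=" << (r.status == Status::HitCap) << "\n";
}
```

A host that embeds a dice engine would report `HitCap` to the user as an error or a truncated result rather than continuing to roll.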