RPC call rate limiter extension for the default Valve Permission plugin.
Defense against DoS attacks on the network level is always better than on the application level, but WebSocket protection costs a lot, so this plugin can be useful.
A WebSocket attack is easy to do, any user can run this code in the browser's console:
while (true) {
deepstream.rpc.make('comment.create', {}, (err, res) => {});
}A deepstream server might handle this load (1-2 million req/s) but the RPC providers certainly won't, especially if RPCs do Database operations.
With this plugin you can prevent server crash if you limit every user to 100 RPC/min, but 100 new comment every minute is still too much.
To prevent spamming you can set higher costs for the comment.create RPC, and limit it to 1-2 call/min.
- Clone this into your deepstream server's /lib directory.
- Customize ./lib/permission-ratelimiter/config/config.js
- inside ./lib/permission-ratelimiter
$ npm i
$ tscpermission:
path: './permission-ratelimiter/dist/limiter.js'
options:
permissions: fileLoad(permissions.yml)
maxRuleIterations: 3
cacheEvacuationInterval: 60000- Set the total limit and configure the frequency.
- Add your project's RPC names into the LIMITS object.
// The duration of one round, after each round the limits are cleared
exports.FREQUENCY = 60000; // 1 min
// The total points a user can use in one round
exports.LIMIT = 300;
// different RPCs has different point costs
// { 'rpc-name': points }
exports.LIMITS = {
'default': 1,
'vote': 20,
'comment.create': 120,
'subcomment.create': 120,
'post.create': 120
}