From f76cc6036ebf446553ee5201321879538dafe3b2 Mon Sep 17 00:00:00 2001 From: teravus Date: Mon, 7 Oct 2013 21:35:55 -0500 Subject: * Added a Basic DOS protection container/base object for the most common HTTP Server handlers. XMLRPC Handler, GenericHttpHandler and StreamHandler * Applied the XmlRpcBasicDOSProtector.cs to the login service as both an example, and good practice. * Applied the BaseStreamHandlerBasicDOSProtector.cs to the friends service as an example of the DOS Protector on StreamHandlers * Added CircularBuffer, used for CPU and Memory friendly rate monitoring. * DosProtector has 2 states, 1. Just Check for blocked users and check general velocity, 2. Track velocity per user, It only jumps to 2 if it's getting a lot of requests, and state 1 is about as resource friendly as if it wasn't even there. --- bin/config-include/StandaloneCommon.ini.example | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) (limited to 'bin/config-include') diff --git a/bin/config-include/StandaloneCommon.ini.example b/bin/config-include/StandaloneCommon.ini.example index 12c5b95..75fd956 100644 --- a/bin/config-include/StandaloneCommon.ini.example +++ b/bin/config-include/StandaloneCommon.ini.example @@ -117,7 +117,7 @@ SRV_AssetServerURI = "http://127.0.0.1:9000" SRV_ProfileServerURI = "http://127.0.0.1:9000" SRV_FriendsServerURI = "http://127.0.0.1:9000" - SRV_IMServerURI = "http://127.0.0.1:9000" + SRV_IMServerURI = "http://127.0.0.1:9000 ;; For Viewer 2 MapTileURL = "http://127.0.0.1:9000/" @@ -150,6 +150,23 @@ ;AllowedClients = "" ;DeniedClients = "" + ; Basic Login Service Dos Protection Tweaks + ; ; + ; ; Some Grids/Users use a transparent proxy that makes use of the X-Forwarded-For HTTP Header, If you do, set this to true + ; ; If you set this to true and you don't have a transparent proxy, it may allow attackers to put random things in the X-Forwarded-For header to + ; ; get around this basic DOS protection. + ; DOSAllowXForwardedForHeader = false + ; ; + ; ; The protector adds up requests during this rolling period of time, default 10 seconds + ; DOSRequestTimeFrameMS = 10000 + ; ; + ; ; The amount of requests in the above timeframe from the same endpoint that triggers protection + ; DOSMaxRequestsInTimeFrame = 5 + ; ; + ; ; The amount of time that a specific endpoint is blocked. Default 2 minutes. + ; DOSForgiveClientAfterMS = 120000 + ; ; + ; ; To turn off basic dos protection, set the DOSMaxRequestsInTimeFrame to 0. [FreeswitchService] ;; If FreeSWITCH is not being used then you don't need to set any of these parameters -- cgit v1.1