From f76cc6036ebf446553ee5201321879538dafe3b2 Mon Sep 17 00:00:00 2001 From: teravus Date: Mon, 7 Oct 2013 21:35:55 -0500 Subject: * Added a Basic DOS protection container/base object for the most common HTTP Server handlers. XMLRPC Handler, GenericHttpHandler and StreamHandler * Applied the XmlRpcBasicDOSProtector.cs to the login service as both an example, and good practice. * Applied the BaseStreamHandlerBasicDOSProtector.cs to the friends service as an example of the DOS Protector on StreamHandlers * Added CircularBuffer, used for CPU and Memory friendly rate monitoring. * DosProtector has 2 states, 1. Just Check for blocked users and check general velocity, 2. Track velocity per user, It only jumps to 2 if it's getting a lot of requests, and state 1 is about as resource friendly as if it wasn't even there. --- bin/Robust.ini.example | 19 +++++++++++++++++++ bin/config-include/StandaloneCommon.ini.example | 19 ++++++++++++++++++- 2 files changed, 37 insertions(+), 1 deletion(-) (limited to 'bin') diff --git a/bin/Robust.ini.example b/bin/Robust.ini.example index de6fc28..74c208d 100644 --- a/bin/Robust.ini.example +++ b/bin/Robust.ini.example @@ -356,6 +356,25 @@ MapGetServiceConnector = "8002/OpenSim.Server.Handlers.dll:MapGetServiceConnecto ;; 'America/Los_Angeles' is used on Linux/Mac systems whilst 'Pacific Standard Time' is used on Windows DSTZone = "America/Los_Angeles;Pacific Standard Time" + ;Basic Login Service Dos Protection Tweaks + ;; + ;; Some Grids/Users use a transparent proxy that makes use of the X-Forwarded-For HTTP Header, If you do, set this to true + ;; If you set this to true and you don't have a transparent proxy, it may allow attackers to put random things in the X-Forwarded-For header to + ;; get around this basic DOS protection. + ;DOSAllowXForwardedForHeader = false + ;; + ;; The protector adds up requests during this rolling period of time, default 10 seconds + ;DOSRequestTimeFrameMS = 10000 + ;; + ;; The amount of requests in the above timeframe from the same endpoint that triggers protection + ;DOSMaxRequestsInTimeFrame = 5 + ;; + ;; The amount of time that a specific endpoint is blocked. Default 2 minutes. + ;DOSForgiveClientAfterMS = 120000 + ;; + ;; To turn off basic dos protection, set the DOSMaxRequestsInTimeFrame to 0. + + [MapImageService] LocalServiceModule = "OpenSim.Services.MapImageService.dll:MapImageService" ; Set this if you want to change the default diff --git a/bin/config-include/StandaloneCommon.ini.example b/bin/config-include/StandaloneCommon.ini.example index 12c5b95..75fd956 100644 --- a/bin/config-include/StandaloneCommon.ini.example +++ b/bin/config-include/StandaloneCommon.ini.example @@ -117,7 +117,7 @@ SRV_AssetServerURI = "http://127.0.0.1:9000" SRV_ProfileServerURI = "http://127.0.0.1:9000" SRV_FriendsServerURI = "http://127.0.0.1:9000" - SRV_IMServerURI = "http://127.0.0.1:9000" + SRV_IMServerURI = "http://127.0.0.1:9000 ;; For Viewer 2 MapTileURL = "http://127.0.0.1:9000/" @@ -150,6 +150,23 @@ ;AllowedClients = "" ;DeniedClients = "" + ; Basic Login Service Dos Protection Tweaks + ; ; + ; ; Some Grids/Users use a transparent proxy that makes use of the X-Forwarded-For HTTP Header, If you do, set this to true + ; ; If you set this to true and you don't have a transparent proxy, it may allow attackers to put random things in the X-Forwarded-For header to + ; ; get around this basic DOS protection. + ; DOSAllowXForwardedForHeader = false + ; ; + ; ; The protector adds up requests during this rolling period of time, default 10 seconds + ; DOSRequestTimeFrameMS = 10000 + ; ; + ; ; The amount of requests in the above timeframe from the same endpoint that triggers protection + ; DOSMaxRequestsInTimeFrame = 5 + ; ; + ; ; The amount of time that a specific endpoint is blocked. Default 2 minutes. + ; DOSForgiveClientAfterMS = 120000 + ; ; + ; ; To turn off basic dos protection, set the DOSMaxRequestsInTimeFrame to 0. [FreeswitchService] ;; If FreeSWITCH is not being used then you don't need to set any of these parameters -- cgit v1.1