Comments (6)

prasadtalasila avatar prasadtalasila commented on June 12, 2024

Two specific DoS attacks are of immediate importance. They are:

  1. repeated evaluation of a code commit.
    We can rate limit the submissions to 'r' evaluation requests every 'm' minutes.

  2. evaluation requests from outside the lab
    We can control this by allowing evaluation requests only from machines having IP addresses in a subnet. For example, machines in CC Zone-I would have IP addresses in the range of 10.11.1.xx; similarly, IP addresses would have a common prefix for Zones-II and III. We need to be able to specify multiple IP subnet prefixes from which we can accept submissions.

The code for all DoS submissions can be put into a DoS component that sits in front of the web application. Only acceptable requests are passed on to the web application.

from autolabjs.

prasadtalasila avatar prasadtalasila commented on June 12, 2024

An immediate redressal for DoS attacks would be to simply log all the HTTP requests with their client IP addresses. Morgan seems like a pretty good one.

rajat503 avatar rajat503 commented on June 12, 2024

We are using socket.io for taking all submission requests - HTTP won't be of much help. Here's how I think we can address both issues:

  1. Keep track of the student id used for submission and restrict it to 'r' submissions every 'm' minutes using a database. This would prevent an attack made from different machines under a single user id from keeping the load balancer/execution nodes busy.
  2. socket.io gives the IP of the connection - using this with the database we can restrict submissions to a range of IPs and restrict the number of submissions made from any IP.

prasadtalasila avatar prasadtalasila commented on June 12, 2024

Since we already have the client IP address, the following order of checking would be sufficient.

if (client IP in range) {
    if (request rate limit not exceeded) {
        evaluate
    } else {
        give rate limit message
    }
} else {
    give request denied message
}

Using the DB for DoS logs may not be wise. When a DoS is in progress, the DB slows down, which would affect the rest of the application. Hence, it would be better to push the DoS information out into dedicated logs.

from autolabjs.
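
The check order from the comment above (subnet first, then rate limit) as an added example; this is not code from the thread or from the autolabjs project. All names (`makeGate`, `inSubnet`, `ipv4ToInt`), the CIDR notation for the subnets, the per-student-id key and the single-process in-memory store are assumptions. It also goes slightly beyond the thread by unwrapping the `::ffff:` IPv4-mapped form that dual-stack Node listeners report, and by matching on address bits so that `10.11.10.x` is not accepted as part of `10.11.1.0/24`.

```javascript
// Added example: admission gate for submission requests (all names hypothetical).
// Parse a dotted-quad IPv4 address to an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  if (typeof ip !== 'string') return null;
  // Dual-stack Node listeners report IPv4 peers as "::ffff:a.b.c.d".
  const v4 = ip.startsWith('::ffff:') ? ip.slice(7) : ip;
  const parts = v4.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip falls inside cidr, e.g. "10.11.1.0/24". Malformed input never matches.
function inSubnet(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  if (!/^\d{1,2}$/.test(bitsStr || '') || Number(bitsStr) > 32) return false;
  const addr = ipv4ToInt(ip), net = ipv4ToInt(base);
  if (addr === null || net === null) return false;
  const size = 2 ** (32 - Number(bitsStr)); // addresses per block
  return Math.floor(addr / size) === Math.floor(net / size);
}

// r accepted requests per m minutes, counted per student id in a sliding window.
function makeGate({ subnets, r, m }) {
  const windowMs = m * 60 * 1000;
  const recent = new Map(); // studentId -> timestamps of accepted requests
  return function check(ip, studentId, now = Date.now()) {
    if (!subnets.some((c) => inSubnet(ip, c))) return 'denied';
    const kept = (recent.get(studentId) || []).filter((t) => now - t < windowMs);
    recent.set(studentId, kept);
    if (kept.length >= r) return 'rate_limited';
    kept.push(now);
    return 'evaluate';
  };
}

// Constructed sample: two lab subnets, 2 evaluations per 5 minutes.
const gate = makeGate({ subnets: ['10.11.1.0/24', '10.11.2.0/24'], r: 2, m: 5 });
const t0 = 1000000;
const demo = [
  gate('10.11.1.7', 's1', t0),
  gate('::ffff:10.11.1.7', 's1', t0 + 1000),
  gate('10.11.2.9', 's1', t0 + 2000),
  gate('10.11.10.7', 's1', t0 + 3000),
  gate('10.11.1.7', 's1', t0 + 5 * 60 * 1000 + 1),
];
console.log(demo);
```

Rejected requests are not recorded in the window, so a client that keeps retrying while limited does not extend its own lockout; the decision string is what a dedicated log line would carry.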

prasadtalasila avatar prasadtalasila commented on June 12, 2024

This is best implemented using Kong gateway.

prasadtalasila avatar prasadtalasila commented on June 12, 2024

The issue has been logged to the feature requests page. This is not a priority now. Closing the issue.