Attack/DOS protection for Play2


Simon Effing

Jun 10, 2014, 6:27:18 AM6/10/14
to play-fr...@googlegroups.com
I'm looking for protection against DOS attacks; a simple rate limiting filter would already be quite helpful.

Or maybe something with this kind of functionality:
https://www.kickstarter.com/backing-and-hacking/rack-attack-protection-from-abusive-clients ?


thanks
simon

Andrew Gaydenko

Jun 10, 2014, 6:48:39 AM6/10/14
to play-fr...@googlegroups.com
I guess this functionality is more appropriate for front end server or even for firewall (or any other software at the operating system level).

Simon Effing

Jun 10, 2014, 7:17:31 AM6/10/14
to play-fr...@googlegroups.com
right, there are some solutions based on e.g. nginx, but sometimes you just don't have this option. Also a play filter would allow hooking in application specific rules.

Dan Di Spaltro

Aug 14, 2014, 4:15:33 PM8/14/14
to play-fr...@googlegroups.com
The canonical use-case is rate-limiting api calls per user, which is generally pretty hard to do without knowing context.  I've typically done that in a "middleware" using other frameworks.  I'd be interested too.

Husrev Ozayman

Aug 14, 2014, 5:06:22 PM8/14/14
to play-fr...@googlegroups.com
I agree. When the zombie requests hit your application server, it's probably too late for you to defend your application. Even if you don't process them, they will probably saturate your server's bandwidth, preventing your server from responding to real users. You probably want to use something like Cloudflare or Incapsula.


On Tue, Jun 10, 2014 at 1:48 PM, Andrew Gaydenko <andrew....@gmail.com> wrote:
I guess this functionality is more appropriate for front end server or even for firewall (or any other software at the operating system level).


Will Sargent

Aug 14, 2014, 5:38:58 PM8/14/14
to play-fr...@googlegroups.com

There isn’t a rate limiting filter for Play that I know of.  However, you can use a proxy like Repose to do rate limiting for you.

https://repose.atlassian.net/wiki/display/REPOSE/Rate+Limiting+Filter

Disclaimer: my brother is the product manager for Repose.


Will Sargent
Consultant, Professional Services
Typesafe, the company behind Play Framework, Akka and Scala


--

James Roper

Aug 14, 2014, 10:36:00 PM8/14/14
to play-framework
Rate limiting doesn't provide protection against real DoS attacks; it only provides protection against legitimate users who are abusing your service, e.g. users trying to scrape all the data out of your site. They're doing the wrong thing, but it's not their intention to bring your site down, so it's not really a DoS attack.  While Play could provide some abstractions here, these abstractions would be no simpler than implementing an ordinary filter, which would make them more complex, since any time you introduce an abstraction, you make things harder to debug and reason about.  So, if you want per remote IP address rate limiting, a simple filter like this will work:

import play.api.libs.iteratee.Done
import play.api.mvc._

object MyRateLimiterFilter extends EssentialFilter {
  def apply(action: EssentialAction) = EssentialAction { rh =>
    // RateLimiter is a placeholder for whatever per-address counter you keep (not defined here)
    val exceeded = RateLimiter.registerRequest(rh.remoteAddress)
    if (exceeded) Done[Array[Byte], Result](Results.Status(429)) // short-circuit with 429 Too Many Requests
    else action(rh)                                              // otherwise run the wrapped action
  }
}

Of course, you might find that if you have 100 people in one company behind a NAT firewall, they start getting blocked.  Same with many mobile users on one mobile network.  So this usually won't work, instead you need to check if they are authenticated, and that's when it becomes very domain specific and when abstractions get in your way.

Also note, Play is nowhere near as susceptible to DoS attacks as traditional HTTP servers, since it does not consume a thread per request. For traditional HTTP servers which use a thread-per-request model, you can very easily DoS them by making 300 requests but trickle-feeding/trickle-reading the request/response bodies.  If the server is only configured to use 300 threads, the server stops responding.  But a Play server will happily accept hundreds of thousands of such requests and still be just as responsive.

As others have said, if you really are up against an attack (and not just legitimate users abusing your service), and the requests are getting through to Play in the first place, then you're probably screwed on network bandwidth for a start; real DDoS attacks can only be dealt with with specialised software (and often hardware).


--
James Roper
Software Engineer

Typesafe – Build reactive apps!
Twitter: @jroper

Ryan Tanner

Aug 14, 2014, 11:46:04 PM8/14/14
to play-fr...@googlegroups.com
I recently investigated this myself.  Given that DDoS attacks can easily consist of 10-400 Gbps, you have to keep the requests from ever hitting your Play instance in the first place.

I looked into some DIY options such as setting up a cluster of Nginx servers to hide our Play instance, but in the end it was easier and cheaper to just pay Cloudflare and be done with it.

Simon

Aug 17, 2014, 7:26:41 AM8/17/14
to play-fr...@googlegroups.com
Maybe my initial post was a bit misleading; it probably doesn't make sense to deal with real DDoS attacks from within Play.

But there still might be the need to have application specific rate limiting. (In my app certain requests trigger heavy background processes)

For global rate limiting I came up with something similar to what James suggested.
I've also been thinking about something like an action wrapper to rate limit/fail2ban by action related criteria, but maybe this is getting way too application specific.

Here is another link to the Rack solution I mentioned in my first post:
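As an added example (not James's code, not Simon's, and not from play-guard), here is one way to put together the two pieces discussed in this thread: James's per-client EssentialFilter, keyed by authenticated user rather than bare IP so that a NAT or mobile carrier is not blocked as a single client, and the per-action wrapper Simon mentions for requests that trigger heavy background work. It assumes the Play 2.3 Scala API of the time (EssentialFilter, Done, ActionFilter, WithFilters), a session key named "user" holding the authenticated user id, and a hypothetical `Reports` controller; the token-bucket limiter is a plain in-process class written for this example.

```scala
import java.util.concurrent.TimeUnit
import scala.collection.mutable
import scala.concurrent.Future
import play.api.libs.iteratee.Done
import play.api.mvc._

/** Token bucket per client key: `rate` requests per second sustained, bursts up to `burst`.
  * State lives in this JVM only, so with several Play nodes each node enforces its own limit. */
class TokenBucketLimiter(rate: Double, burst: Double, clock: () => Long = () => System.nanoTime) {
  private final class Bucket(var tokens: Double, var lastNanos: Long)
  private val buckets = mutable.HashMap.empty[String, Bucket]
  private val idleNanos = TimeUnit.MINUTES.toNanos(10)

  /** True if `key` may proceed (one token consumed), false if its bucket is empty. */
  def tryAcquire(key: String): Boolean = synchronized {
    val now = clock()
    val b = buckets.getOrElseUpdate(key, new Bucket(burst, now)) // new clients start with a full bucket
    val elapsedSec = (now - b.lastNanos) / 1e9
    b.tokens = math.min(burst, b.tokens + elapsedSec * rate)    // refill for the time elapsed
    b.lastNanos = now
    if (b.tokens >= 1.0) { b.tokens -= 1.0; true } else false
  }

  /** Forget buckets idle for ten minutes so the map cannot grow without bound under a
    * flood of distinct addresses; schedule this periodically (e.g. with Akka's scheduler). */
  def evictIdle(): Unit = synchronized {
    val now = clock()
    buckets.retain((_, b) => now - b.lastNanos < idleNanos)
  }
}

/** Which identity to limit on. An authenticated user id (assumed here to sit in the session
  * under "user") is preferred so that many users behind one NAT or carrier are not treated as
  * one client; unauthenticated requests fall back to the remote address. */
object ClientKey {
  def of(rh: RequestHeader): String =
    rh.session.get("user").map("user:" + _).getOrElse("ip:" + rh.remoteAddress)
}

/** Global filter with the same shape as the one in James's post, backed by the bucket above. */
class RateLimitFilter(limiter: TokenBucketLimiter) extends EssentialFilter {
  def apply(next: EssentialAction): EssentialAction = EssentialAction { rh =>
    if (limiter.tryAcquire(ClientKey.of(rh))) next(rh)
    else Done[Array[Byte], Result](Results.Status(429).withHeaders("Retry-After" -> "1"))
  }
}

/** Per-action limit for expensive endpoints, composed as `Action andThen RateLimited(...)`. */
case class RateLimited(limiter: TokenBucketLimiter) extends ActionFilter[Request] {
  def filter[A](request: Request[A]): Future[Option[Result]] = Future.successful {
    if (limiter.tryAcquire(ClientKey.of(request))) None
    else Some(Results.Status(429).withHeaders("Retry-After" -> "60"))
  }
}

// Wiring, Play 2.3 style (app/Global.scala): 20 requests/second per client, bursts of 40.
object Global extends WithFilters(new RateLimitFilter(new TokenBucketLimiter(rate = 20, burst = 40)))

// Hypothetical controller whose endpoint kicks off a heavy background job: at most 2 in a
// burst, then one per minute per client, independently of the global limit.
object Reports extends Controller {
  private val heavy = new TokenBucketLimiter(rate = 1.0 / 60, burst = 2)

  def generate = (Action andThen RateLimited(heavy)) { request =>
    // start the background job here
    Accepted("report scheduled")
  }
}
```

Two things to keep in mind when using something like this: the bucket state is per JVM, so a cluster of Play nodes behind a load balancer will each allow the full quota unless the counters are moved to a shared store, and, as the rest of the thread says, this protects the application from abusive clients and expensive endpoints, not from a bandwidth-level DDoS, which has to be absorbed before the requests reach Play.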

Simon

Jan 3, 2015, 6:43:51 AM1/3/15
to play-fr...@googlegroups.com
if anybody is interested: I started a little project on github https://github.com/sief/play-guard

issues and pull requests welcome :)

