Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Q/discussion] DDOS possibility #143

Open
Aivean opened this issue Jan 15, 2023 · 6 comments
Open

[Q/discussion] DDOS possibility #143

Aivean opened this issue Jan 15, 2023 · 6 comments

Comments

@Aivean
Copy link

Aivean commented Jan 15, 2023

Hi!

We're trying to adopt pictshare for our (relatively) small blog: https://github.com/spaceshelter

And I'm a bit concerned about the absence of constraints on the resize filters, especially for the video. Currently it seems fairly easy to DDOS the server by hosting large mp4 and requesting all possible sizes for it.

Am I missing something? Let's brainstorm the best way to address that.

@geek-at
Copy link
Member

geek-at commented Jan 16, 2023

Good topic! On the old pictshare before the rewrite I had two more configuration settings. One was for max resizes per image and one was a resize code that hat do be present in the URL for the resize to be successful.

I didn't implement them in the new version because it was hardly ever used and even the public instance on pictshare.net never had any real problems with ddos but I do share your concern.

I'm not sure if the "max resize" setting is enough because that could potentially limit yourself too because it would be a server wide rule and not just for cpu intensive things.

What do you think would be a good solution for the problem?

@Aivean
Copy link
Author

Aivean commented Jan 16, 2023

The first thing that comes to mind is a rate limiter of some kind.

A very basic rate limiter (max N requests per period) that doesn't require a DB or shared memory can be implemented via the append-only log of timestamps: for each stored videofile have a log of the timestamps of the resize attempts. When a new resize attempt is made, check the timestamp of the Nth last record in the log, if it's earlier than period, allow the resize, otherwise deny it.

An IP-based rate limiter for all heavy operations would be ideal, but it would be tricky to implement in a performant way without the shared memory.

As a simplest band-aid solution, a config that entirely disallows video (or any) resizes could also work for some security-sensitive applications.

@geek-at
Copy link
Member

geek-at commented Jan 17, 2023

Yes a setting for disabling resizes of videos will be coming, that makes sense for server admins.

I was also thinking about making a queue (probably with redis) that only resizes one video at a time so even though the queue can become big, it will never crash or ddos the server

@Aivean
Copy link
Author

Aivean commented Jan 17, 2023

Queue is a good idea, however one concern is that malicious agent would be able to saturate the queue and delay/prevent legitimate resizes.

@geek-at
Copy link
Member

geek-at commented Jan 17, 2023

good point! maybe per video a queue limit of 3 or so per hour per IP? but a distrubuted attack would render that useless

@Aivean
Copy link
Author

Aivean commented Jan 17, 2023

Well, there are two somewhat separate issues:

  1. service DOS (load from resizing interfering with the serving or other server functions).
    Can be addressed by putting constraints on the resize work.
  2. resizing DOS (i.e. malicious party denying resizing to other users).

Ideally, these would be addressed separately, e.g.:

  • resizing load could be limited by the isolated, resource-bounded workers with the constraints on parallelism
  • DOS can be mitigated by having IP-based and global rate-limiters, and/or using cloud-based DDoS protection in front of pictshare instance

With the current API (resizing happens anonymously on demand) I'm not sure if ideal solution is feasible. For example, if both uploading and resizing were tied to some sort of account (e.g. by an auth token), it would be possible to just add the restrictions per account.

But for the current design, the safest solution (which only really addresses the first problem) would be a global resize rate limit, together with the queue to flatten the peak load.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants