How does web.maxRequestsPerSec work exactly?

Luiz Kill, 2 years ago

Hi folks!

How exactly does the web.maxRequestsPerSec config work? Does it control the number of requests per second for each client IP? Does it work only for requests coming to the HTTP port? Does it protect the device protocol ports too?

Thanks!

Luiz Kill, 2 years ago

I've been thinking about DoS on the protocol ports. It is quite easy to protect the API using something like Cloudflare. But how could I protect the device ports also?

Thanks!

Anton Tananaev, 2 years ago

It's only for the API, not for protocols.

Luiz Kill, 2 years ago

Do you think it makes sense to protect device ports somehow?

Anton Tananaev, 2 years ago

There are already some protections. Most frame decoders have buffer size limits. Device identification has throttling.

Luiz Kill, 2 years ago

Very cool! I'll take a look into the code to understand this better.

Thanks!

Luiz Kill, 2 years ago

Anton,

if someone abuses a device port and the buffer gets full, doesn't it mean that positions of legit users will be lost? I'm thinking about running HAProxy in TCP mode to respond for the device ports and control the traffic per IP. What do you think?

Anton Tananaev, 2 years ago

If you're thinking about DDoS, that has to be handled outside of the server. Is this a real problem?

Luiz Kill, 2 years ago

Not really, I'm just thinking about options... Thanks anyway!
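
The HAProxy idea raised in this thread, sketched as an added example that is not from any of the posters or from the project: a TCP-mode frontend that tracks each source IP in a stick table and rejects connections above a rate or concurrency limit before they reach the server. The port numbers, section names, timeouts and thresholds are assumptions to be replaced with values measured from real device traffic.

```haproxy
# Added example. All ports, names and limits below are placeholders.
global
    maxconn 20000                 # overall ceiling on proxy connections

defaults
    mode tcp                      # device protocols are raw TCP, not HTTP
    timeout connect 5s
    timeout client  5m            # trackers hold long-lived, mostly idle sockets
    timeout server  5m

frontend device_port
    bind :5001                    # placeholder public device port

    # One entry per source IP: current open connections and
    # new-connection rate over a 10 second window.
    stick-table type ip size 100k expire 10m store conn_cur,conn_rate(10s)
    tcp-request connection track-sc0 src

    # Reject before accepting any payload when a single IP opens
    # connections too fast or holds too many at once.
    tcp-request connection reject if { sc0_conn_rate gt 20 }
    tcp-request connection reject if { sc0_conn_cur gt 10 }

    default_backend tracking_server

backend tracking_server
    # Tracking server moved to a loopback-only port (placeholder).
    server app1 127.0.0.1:15001 check
```

Many devices can share one address behind carrier NAT, so the per-IP thresholds need headroom for legitimate fleets. This only covers TCP device ports and per-source abuse; volumetric floods still have to be absorbed upstream of the host.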