Improvement of stability of SmartFox2X against DDOS attacks

Post here your questions about SFS2X. Here we discuss all server-side matters. For client API questions see the dedicated forums.

Moderators: Lapo, Bax

QiXi
Posts: 8
Joined: 06 Feb 2013, 16:46
Location: Russia

Improvement of stability of SmartFox2X against DDOS attacks

Postby QiXi » 07 Feb 2023, 11:24

Dear Lapo,
I have been using your wonderful decision SmartFoxServer2X in my mobile applications for many years, but lately I've been worried by DDOS attacks, which can block the server in a few minutes.
Examining the behavior of those who attack, I have two proposals for improvement.
1. The first thing that I've noticed: there are situations or conditions in which the sessions of attackers are not terminated when a data packet is uploaded.
When I tried to send data to the server port using the command
netcat localhost 9933 <ddos.jpg

I noticed that a session is created but not completed (size < 0 bytes):
Exception: java.lang.IllegalArgumentException
[SocketReader] sessions.DefaultSessionManager - Session created: ...
Message: Illegal request size: -654319616 bytes
>>session life XX seconds

At the same time, if the packet length is more than 0, the session is completed (size > 0 bytes):
[SocketReader] sessions.DefaultSessionManager - Session created: ...
[SocketReader] sessions.DefaultSessionManager - Session removed: ...
Exception: java.lang.IllegalArgumentException
Message: Incoming request size too large: 1144193792, Current limit: 500000

My proposal is that in the case of request size < 0 the session should also be removed. By adding a line of code the server will start protecting itself.

2. An additional API from SmartFoxServer is necessary for me. I've developed a minimal solution for detecting attacking IPs. Guided by the volume of traffic transmitted to the server, dropped incoming packets and IpGeoLocator, I can distinguish the sessions of attackers from the sessions of standard users.
It would be very good and useful to have access to the events of SmartFoxServer.
Option to subscribe to
++droppedIncomingPackets //Event.
//These events are useful.
.addEventListener("sessionAdded", eventHandler); //Session created
.addEventListener("sessionLost", eventHandler); //Session removed

Without these event listeners I have to scan on an interval timer.
It would be appreciated to have such possibilities, so that SmartFox2X could protect itself without third-party solutions.
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Improvement of stability of SmartFox2X against DDOS attacks

Postby Lapo » 08 Feb 2023, 09:14

Hi,
I need to preface my reply with a quick consideration: if you're dealing with a DDoS there is no amount of server-side countermeasures that will block or prevent the attack. A Denial of Service attack is aimed at exhausting the machine's resources and software alone won't help much.
The solution to these sorts of attacks is to have one or more front-facing machines dealing with the incoming traffic, filtering out the "spam" and letting the legitimate connections/requests through.
Here's an interesting article on this --> https://phoenixnap.com/blog/prevent-ddos-attacks

With this said, as regards the "negative size" requests that you have mentioned (i.e. packet size < 0): in reality there is no such thing as a negative packet size, as you can imagine. A data packet can contain zero or more bytes only. The reason why the error message reports a negative value (such as -654319616 bytes) is just because we're using a signed 32-bit integer to handle the data size.
This means that only 31 bits are used for the actual numeric value and the last bit (bit 32) keeps track of the sign. In other words, a negative value is actually still a positive value that is bigger than 2^31.

In any case, if the server receives garbage data at connection time it will discard it and eventually shut down the connection within the "Session Idle Timer" value, which by default is 20 seconds. You can lower that value via configuration if you want to get rid of garbage connections even quicker. (I would recommend keeping it at around 10 seconds at a minimum, in order not to penalize legit clients.)

QiXi wrote:
Without these event listeners I have to scan on an interval timer.

The "session lost" event already exists in the form of SFSEvent.USER_DISCONNECT
As regards the "session connection" event you can use SFSEvent.USER_LOGIN.

Also I am not sure how a "session connection" event would help?

Thanks
Lapo
--
gotoAndPlay()
...addicted to flash games
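A worked illustration of the two points discussed above (Lapo's explanation of why the logged size is negative, and QiXi's proposal to drop a session on a bad length instead of waiting for the idle timer), written for this thread as an added example in Python; it is not SFS2X code. The framing it parses is a simplified assumption: one flag byte followed by a 2-byte or 4-byte big-endian length, with flag bit 0x08 meaning "4-byte length". The 500000-byte limit and the 20-second idle timer are the defaults quoted in the thread. The sample input is the first ten bytes of a JPEG/JFIF file, constructed here because that is what `netcat localhost 9933 < ddos.jpg` delivers first; read as a signed 32-bit value its length field gives exactly the -654319616 seen in the log.

```python
import struct

# Values quoted in the thread: SFS2X default maximum request size and the
# default "Session Idle Timer".
MAX_REQUEST_SIZE = 500_000
SESSION_IDLE_TIMEOUT = 20.0

# Assumed (simplified) framing for this example: if this bit is set in the
# first byte, the length field is 4 bytes, otherwise 2 bytes.
BIG_SIZE_FLAG = 0x08

# Constructed input: the first ten bytes of a JPEG/JFIF file (FF D8 FF E0 00 10 "JFIF").
JPEG_PREFIX = bytes.fromhex("ffd8ffe000104a464946")


def signed_length(raw4: bytes) -> int:
    """The four length bytes read as a signed 32-bit int (how the negative log value arises)."""
    return struct.unpack(">i", raw4)[0]


def unsigned_length(raw4: bytes) -> int:
    """The same four bytes read as the unsigned value that was actually on the wire."""
    return struct.unpack(">I", raw4)[0]


def check_frame_header(data: bytes, limit: int = MAX_REQUEST_SIZE):
    """Validate a frame header before any receive buffer is allocated.

    Returns (verdict, length) with verdict "accept", "reject" or "need_more".
    The length is always decoded as unsigned, so every value that would look
    "negative" in a signed field is simply a value above the limit and is rejected.
    """
    if not data:
        return "need_more", None
    size_len = 4 if data[0] & BIG_SIZE_FLAG else 2
    if len(data) < 1 + size_len:
        return "need_more", None
    length = int.from_bytes(data[1:1 + size_len], "big", signed=False)
    if length > limit:
        return "reject", length
    return "accept", length


class SessionTable:
    """Remembers when each session was created and whether it ever sent a valid frame."""

    def __init__(self):
        self._created = {}      # session id -> creation time
        self._validated = set()  # sessions that produced at least one acceptable frame

    def add(self, session_id, now):
        self._created[session_id] = now

    def mark_valid(self, session_id):
        self._validated.add(session_id)

    def remove(self, session_id):
        self._created.pop(session_id, None)
        self._validated.discard(session_id)

    def expire_idle(self, now, timeout=SESSION_IDLE_TIMEOUT):
        """The idle-timer path: drop sessions with no valid frame after `timeout` seconds."""
        stale = [sid for sid, t in self._created.items()
                 if sid not in self._validated and now - t >= timeout]
        for sid in stale:
            self.remove(sid)
        return stale

    def __contains__(self, session_id):
        return session_id in self._created

    def __len__(self):
        return len(self._created)


def handle_bytes(table: SessionTable, session_id, data: bytes) -> str:
    """The immediate path: an oversized (or 'negative') length removes the session at once."""
    verdict, _ = check_frame_header(data)
    if verdict == "reject":
        table.remove(session_id)
    elif verdict == "accept":
        table.mark_valid(session_id)
    return verdict


if __name__ == "__main__":
    raw = JPEG_PREFIX[1:5]
    print("signed:", signed_length(raw), "unsigned:", unsigned_length(raw))
    print("verdict:", check_frame_header(JPEG_PREFIX))
```

Running the block shows the two readings of the same bytes (-654319616 versus 3640647680) and the `reject` verdict that lets a reader close the session immediately, whereas `expire_idle` models the 20-second fallback Lapo describes; a legitimate small frame (flag byte 0x80, 2-byte length) passes `check_frame_header` and marks the session as validated.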
mete2221
Posts: 53
Joined: 30 Aug 2017, 17:01

Re: Improvement of stability of SmartFox2X against DDOS attacks

Postby mete2221 » 13 Feb 2023, 13:38

QiXi wrote:
Dear Lapo,
I have been using your wonderful decision SmartFoxServer2X in my mobile applications for many years, but lately I've been worried by DDOS attacks, which can block the server in a few minutes.
Examining the behavior of those who attack, I have two proposals for improvement.
1. The first thing that I've noticed: there are situations or conditions in which the sessions of attackers are not terminated when a data packet is uploaded.
When I tried to send data to the server port using the command
netcat localhost 9933 <ddos.jpg

I noticed that a session is created but not completed (size < 0 bytes):
Exception: java.lang.IllegalArgumentException
[SocketReader] sessions.DefaultSessionManager - Session created: ...
Message: Illegal request size: -654319616 bytes
>>session life XX seconds

At the same time, if the packet length is more than 0, the session is completed (size > 0 bytes):
[SocketReader] sessions.DefaultSessionManager - Session created: ...
[SocketReader] sessions.DefaultSessionManager - Session removed: ...
Exception: java.lang.IllegalArgumentException
Message: Incoming request size too large: 1144193792, Current limit: 500000

My proposal is that in the case of request size < 0 the session should also be removed. By adding a line of code the server will start protecting itself.

2. An additional API from SmartFoxServer is necessary for me. I've developed a minimal solution for detecting attacking IPs. Guided by the volume of traffic transmitted to the server, dropped incoming packets and IpGeoLocator, I can distinguish the sessions of attackers from the sessions of standard users.
It would be very good and useful to have access to the events of SmartFoxServer.
Option to subscribe to
++droppedIncomingPackets //Event.
//These events are useful.
.addEventListener("sessionAdded", eventHandler); //Session created
.addEventListener("sessionLost", eventHandler); //Session removed

Without these event listeners I have to scan on an interval timer.
It would be appreciated to have such possibilities, so that SmartFox2X could protect itself without third-party solutions.

The solution is to use a cloud firewall service like Cloudflare.
Cloudflare is the best solution if the platform you are using supports connecting to SmartFox via WebSocket.
