Node.js socket.io，如何防止洪泛攻击？

时间:2014-03-01 04:14:58

标签: node.js socket.io

如何阻止某人直接这样做：

while(true){client.emit('i am spammer', true)};

如果有人想让我的 Node 服务器崩溃，这肯定会成为一个问题！


3 个答案:

答案 0 :(得分:4)

正如 tsrurzl 所说，你需要实现一个 rate limiter（限制套接字的速率）。

以下代码示例仅在套接字返回Buffer(而不是字符串)时才能可靠地工作。代码示例假定您将首先调用addRatingEntry(),然后立即调用evalRating()。否则,在evalRating()根本没有被调用或为时太晚的情况下,你冒着内存泄漏的风险。

// Per-connection budget: at most `limit` bytes (or characters) within any `interval` ms.
// Describes a rate limit of 1mb/s
let rating = []; // rating: [*{'timestamp', 'size'}] — only entries newer than `interval` are kept
const limit = 1048576; // limit: maximum number of bytes/characters.
const interval = 1000; // interval: interval in milliseconds.

function addRatingEntry (size) {
    // Records one chunk of `size` bytes/characters at the current instant.
    // Returns the entry object that was appended to `rating`.
    var entry = {
        'timestamp': Date.now(),
        'size': size
    };
    rating.push(entry);
    return entry;
}

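function evalRating () {
    // Removes outdated entries, computes combined size, and compares with limit variable.
    // Returns true if your connection is NOT flooding, returns false if you need to disconnect.
    // totalSize is in bytes in case of an underlying Buffer value, in number of characters
    // for strings. Actual byte size in case of strings might be variable => not reliable.
    var i, newRating, totalSize, now;
    // Take the clock once so every entry is judged against the same instant.
    now = Date.now();
    newRating = [];
    for (i = rating.length - 1; i >= 0; i -= 1) {
        if ((now - rating[i].timestamp) < interval) {
            newRating.push(rating[i]);
        }
    }
    rating = newRating;

    totalSize = 0;
    for (i = newRating.length - 1; i >= 0; i -= 1) {
        // Bug fix: the original summed `.timestamp` here, so totalSize was a huge number of
        // milliseconds and any non-empty window tripped the limit regardless of payload size.
        totalSize += newRating[i].size;
    }

    return totalSize <= limit;
}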

// Assume connection variable already exists and has a readable stream interface
connection.on('data', function (chunk) {
    // Account for this chunk first, then decide whether the window is still within budget.
    addRatingEntry(chunk.length);
    if (!evalRating()) {
         // Disconnect due to flooding.
         return;
    }
    // Continue processing chunk.
});

您可以添加额外的检查,例如检查size参数是否真的是一个数字等。

附录：确保 rating、limit 和 interval 变量是每个连接各自拥有的（放在一个闭包中），而不是定义成全局速率（否则所有连接都会操作同一份 rating）。

答案 1 :(得分:1)

我实现了一个小型的防洪泛功能，并不完美（参见下面的改进），但当某个用户发出过多请求时，它会断开该用户的连接。

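// Not more than 100 requests in 10 seconds
const FLOOD_TIME = 10000;
const FLOOD_MAX = 100;

/**
 * Fixed-window flood guard shared by every socket of this process.
 * `floods` maps socket.id -> { count }; the whole map is wiped once FLOOD_TIME has
 * elapsed since the last wipe, so a burst straddling the reset is only partly counted.
 */
let flood = {
    floods: {},
    lastFloodClear: new Date(),

    /**
     * Counts one request for `socket` and disconnects it once it exceeds FLOOD_MAX
     * inside the current FLOOD_TIME window.
     * @param {object} io     - socket.io server; kept for call-site compatibility, no longer read.
     * @param {object} socket - the socket that sent the request (needs `id` and `disconnect()`).
     * @returns {boolean} true to keep processing the request, false if the socket was disconnected.
     */
    protect: (io, socket) => {
        const now = Date.now();

        // Reset flood protection once the window has elapsed (clock only moves forward here,
        // so the original Math.abs() was unnecessary).
        if (now - flood.lastFloodClear.getTime() > FLOOD_TIME) {
            flood.floods = {};
            flood.lastFloodClear = new Date(now);
        }

        // Lazily create the per-socket counter; the original did this with two
        // ternaries evaluated for their side effects and `==` comparisons.
        if (flood.floods[socket.id] === undefined) {
            flood.floods[socket.id] = {};
        }
        const entry = flood.floods[socket.id];
        if (entry.count === undefined) {
            entry.count = 0;
        }
        entry.count += 1;

        // Disconnect the socket if it went over FLOOD_MAX in FLOOD_TIME.
        if (entry.count > FLOOD_MAX) {
            console.log('FLOODPROTECTION ', socket.id);
            // Disconnect the socket we were handed instead of looking it up again through
            // io.sockets.connected: that table is a socket.io 1.x/2.x structure and the
            // lookup by id can be undefined, which would throw inside the event handler.
            socket.disconnect();
            return false;
        }

        return true;
    }
};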

// Expose the guard as the module's single export.
module.exports = flood;

然后像这样使用它:

const flood = require('../modules/flood');

// ... init socket io...

socket.on('message', function () {
    // protect() has already disconnected the socket when it returns false.
    if (!flood.protect(io, socket)) {
        return;
    }
    //do stuff
});

可以改进的地方是：在计数旁边再记录一个值，即该用户被断开连接的次数，然后据此建立一个封禁列表，不再允许其连接。此外，用户刷新页面时会获得一个新的 socket.id，所以这里也许应该使用一个唯一的 cookie 值而不是 socket.id。

答案 2 :(得分:0)

下面是一个使用 rate-limiter-flexible 包的简单示例。

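const app = require('http').createServer();
const io = require('socket.io')(app);
const { RateLimiterMemory } = require('rate-limiter-flexible');

app.listen(3000);

// In-process budget: 5 events per second per key. Memory-backed, so it is not shared
// between worker processes.
const rateLimiter = new RateLimiterMemory(
  {
    points: 5, // 5 points
    duration: 1, // per second
  });

io.on('connection', (socket) => {
  socket.on('bcast', async (data) => {
    // The key is the handshake peer address. Behind a reverse proxy that address is the
    // proxy's unless forwarded headers are honoured, so all clients would then share one budget.
    try {
      await rateLimiter.consume(socket.handshake.address); // consume 1 point per event from IP
    } catch (rejRes) {
      if (rejRes instanceof Error) {
        // A store failure, not a rate-limit rejection. The original catch treated every
        // throw as "blocked" and reported `retry-ms: undefined`; surface it instead.
        console.error('rate limiter error', rejRes);
        return;
      }
      // no available points to consume
      // emit error or warning message
      socket.emit('blocked', { 'retry-ms': rejRes.msBeforeNext });
      return;
    }
    // Only consume() is inside the try: a throw from emit() must not masquerade as a block.
    socket.emit('news', { 'data': data });
    socket.broadcast.emit('news', { 'data': data });
  });
});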

在 official docs 中阅读更多内容。