NetTalk Central

Author Topic: A defensive Server  (Read 4016 times)

Poul

  • Full Member
  • ***
  • Posts: 160
    • View Profile
A defensive Server
« on: January 13, 2009, 01:24:48 PM »
I am looking for ideas on making my Nettalk servers a bit more defensive.

I'd like to monitor requests, such that  i can detect when too many requests from the same IP within a certain timeperiod occurs.

In my testing I can create scenarios where my browsers will loop forever making the same requests, (usually because i have restarted the server)  or other programming issues like the SQL timeout issues where the connection may be set to retry forever. I am also thinking of detecting  primitive hacking, denial of service type attacks.

So i can detect accidental and intentional resource waste.

I'd like to put some kind  of govenor on the same request being repeated within a certain timeframe from any IP.

Then I'd like to either terminate the connection or Block the connection, send it a special page, perhaps even make the client pay a penalty with a timeout/blacklist if i believe its a black hat ...

make sense?,  any ideas.
Currently because I use the logging template, i could put something in based on the addlog method, to detect, but am wondering is there a better way?

broche

  • Sr. Member
  • ****
  • Posts: 336
    • View Profile
    • Email
Re: A defensive Server
« Reply #1 on: February 09, 2015, 04:03:54 PM »
Sounds great - I am being attacked right now (I think) the same IP hitting the login page over and over again.  I managed to block one of the IP's in Windows but for some reason can't block the other.  These are VM's running under XenCenter.
Brian

kevin plummer

  • Hero Member
  • *****
  • Posts: 1195
    • View Profile
    • Production Accounting and Software Payroll
Re: A defensive Server
« Reply #2 on: February 09, 2015, 05:18:22 PM »
Hi Brian,

you could probably create an IPblacklist text file, load that into a global Q and check if it exists before serving a page in the process link embed. Maybe Bruce will have a better suggestion that is more efficient?

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11251
    • View Profile
Re: A defensive Server
« Reply #3 on: February 09, 2015, 08:26:43 PM »
Incoming connections are passed through the .Process method in the web server.
So if you wanted to you could add code here to terminate connections you don't like.

Something like; (before the parent call);

aborted  Long


  self._Wait()
  case self.Packet.PacketType
  ! --------------------------
  of NET:SimpleNewConnection
    if self.packet.FromIP = 'something'
      self.AbortServerConnection(self.packet.OnSocket, self.packet.SockID)
      aborted = true
    end
  end
  self._release()
  if aborted = false
    parent.Process()
  end


How you track your list of banned IP addresses is up to you I guess, but a gobal queue sounds do'able.
Bear in mind that this code will run for every single incoming request, so try and keep it as simple as possible.

Also bear in mind that a legitimate client might make a lot of requests, so be careful not to throw the baby out with the bathwater.

cheers
Bruce