Limit the payload and requests

The amount of requests per hour as well as the data send to the server need to be restricted.

Background

Each request requires to be dealt with by the server by accessing its data and calculating a response. Especially the amount of data that is received in the requests can have an impact on the performance of the server by costing resources and time.

Problems

• Attackers can send thousands of requests in a short time causing the server to be occupied
• Attacker can send immense amounts of data to the server causing more and more processes to process illegitimate data
• These processes are blocked from servicing legitimate users (Denial of Service)

Solutions

• Proxies should evaluate data size of incoming requests and block them incase they exceed a certain amount
• JSON data should be evaluated based on its string length
• The amount of bytes the data requires is a good indication

Technology

Express

In Express, one can use the https://www.npmjs.com/package/limiter (opens new window) or body-parser (opens new window) library. The former library allows the definition of a RateLimiter implementing the Token Bucket Algorithm (opens new window). Through this, an amount of tokens for a time interval can be defined which cannot be exceeded. However, attackers can still perform distributed DoS attacks using multiple clients instead of only one which would be restricted after using up its tokens. The latter library limits the amount of data that can be carried by the request by default to 100 kilobytes.

Spring Boot

In Spring Boot, the usage of the Spring Cloud Gate way is possible. It also implements a rate limiter through the Token Bucket Algorithm. No data size limiter was found.