Rack Attack: Protection from abusive clients (opens in new tab)

(kickstarter.com)

92 pointsktheory13y ago27 comments

27 comments

25 comments · 6 top-level

noonespecial13y ago· 7 in thread

Nice. I was really hoping it protected me from a very different kind of "abusive client" though. I guess there are somethings that even in ruby you can't do easily.

jgj13y ago

My wallet nearly hit me in the face such was its velocity upon breach of my pocket.

tcdent13y ago

Yeah, double confusing. After realizing it wasn't that kind of client it still took me a bit to realize it wasn't a fundraiser, either.

Samuel_Michon13y ago

That, dear sir, was a beautifully crafted sentence. I had to reread it a couple of times to find out what the hell it meant.

arkitaip13y ago

Sounds like you need protection from your own wallet!

sbarre13y ago

Haha I also saw the kickstarter.com domain and thought: "tell me more about this!" probably thinking the same as you..

toomuchtodo13y ago

Imagine my dismay when I clicked through and read, "Oh, a web request client".

hobs13y ago

I was about to donate a toe.

fduran13y ago· 5 in thread

iptables can limit the number of connections per ip in a "cheap" (fast/early) way. In fact is my #1 use of iptables since blocking ports where there are no services doesn't do much.

SeoxyS13y ago

A much more common use of iptables for me is to limit outside traffic to port 21, 80, and 447, while letting whitelisted internal hosts use every other ports, for other services used internally. We can then run those services without authentication, and have much less exposure in case of an attack (the only thing whose security we must trust is iptables, ssh, our HTTP web server.)

count13y ago

Why would you run them without authentication? One mistake in your iptables shouldn't instantly compromise your operation...

Best practice is 'defense in depth', not 'we'll just lock down the perimeter'.

ktheoryOP13y ago

Yeah, iptables works great for that.

I also like nginx's limit_zone module. You can put limit_zone in the proxy stanza, and only throttle dynamic requests without throttling access to fast static files.

We often use Rack::Attack to throttle particular HTTP paths differently. Say, the homepage isn't throttled, but the login action is. That layer 7 knowledge is Rack::Attack's main advantage.

As I say in the README, Rack::Attack is complementary to iptables and the limit_zone module.

pyre13y ago

  | blocking ports where there are no services doesn't
  | do much

True, but it can be a useful 'just in-case' against things listening on ports that you were unaware of. It's obviously bad for you not to know about services that are listening on your box, but you could view it as a safety net.

fduran13y ago

Agree, I also block all unused incoming ports as a safety net as you say.

1 more reply

michaelbuckbee13y ago· 4 in thread

Maybe I'm missing something, but this seem like something that would only be useful in situations where you don't have access to anything "closer" to the network requests (router, firewall, webserver) that you can tweak to handle these types of things.

So it's something that's good for Heroku apps?

samstokes13y ago

It allows whitelisting... based on arbitrary properties of the request.

So if your user authentication code was also a Rack middleware, and you inserted Rack::Attack after it in the middleware stack, you could rate limit based on user account as well as IP address. That would be harder to do at the firewall or web server level.

This isn't for preventing DOS attacks (for which you'd want to completely avoid hitting application code), it's just for preventing unauthorised or excessive usage.

sc00ter13y ago

Think of it as defense-in-depth. This allows higher-level, but more sophisticated rules, while your lower layers provide simpler but lower overhead filtering. Hopefully abusive requests never reach this thanks to your router / firewall / web server rules, but if they do, this will help keep things in check.

toomuchtodo13y ago

Most times your firewall and router aren't doing layer 7/application level inspection/actioning. If Rack::Attack can handle it efficiently, its the easy way to go.

daniloassis13y ago

Probably.

It's a good way when you don't have privilege access to the server OR skills to do it manually on Nginx etc.

umsm13y ago· 2 in thread

This seems like a vulnerability in their implementation: "configure your proxy to set the X-Forwarded-For header with the source IP"

rrouse13y ago

That's pretty common practice so you don't get the IP of the machine your web server is on passed to the app instead of the user's ip.

mh-13y ago

if you're behind a reverse proxy (or load balancer, etc.) one should normally have [firewall] rules to ensure that only these proxy hosts can even connect to your httpd.

you also can configure your edge proxies to ignore X-Forwarded-For, or at least move it to another untrusted header if you want to preserve its contents.

there's an nginx module (has to be compiled in) that lets you whitelist hosts which can send X-Forwarded-For, and turns that into the actual remote address provided to your upstreams.

http://wiki.nginx.org/HttpRealipModule | http://nginx.org/en/docs/http/ngx_http_realip_module.html

gingerlime13y ago· 1 in thread

I used fail2ban to block abusive ips (based on string matching of specific errors in our logs). This seems like an interesting alternative though to keep things under one roof.

scott_karana13y ago

As some of the others said, I see this as complementary, since you can deal with logic on Layer 7 with ease.

jwilliams13y ago

My first question is how this works when you have more than one server.

It's not mentioned in the article, but this implementation uses the standard Rails Cache:

https://github.com/kickstarter/rack-attack/blob/master/lib/r...

There are particular hooks in there for Redis. So if you've got "n" servers, it seems the preferred approach is to use a central Redis store.

j / k navigate · click thread line to collapse

27 comments

25 comments · 6 top-level

noonespecial13y ago· 7 in thread

Nice. I was really hoping it protected me from a very different kind of "abusive client" though. I guess there are somethings that even in ruby you can't do easily.

jgj13y ago

My wallet nearly hit me in the face such was its velocity upon breach of my pocket.

tcdent13y ago

Yeah, double confusing. After realizing it wasn't that kind of client it still took me a bit to realize it wasn't a fundraiser, either.

Samuel_Michon13y ago

That, dear sir, was a beautifully crafted sentence. I had to reread it a couple of times to find out what the hell it meant.

arkitaip13y ago

Sounds like you need protection from your own wallet!

sbarre13y ago

Haha I also saw the kickstarter.com domain and thought: "tell me more about this!" probably thinking the same as you..

toomuchtodo13y ago

Imagine my dismay when I clicked through and read, "Oh, a web request client".

hobs13y ago

I was about to donate a toe.

fduran13y ago· 5 in thread

iptables can limit the number of connections per ip in a "cheap" (fast/early) way. In fact is my #1 use of iptables since blocking ports where there are no services doesn't do much.

SeoxyS13y ago

count13y ago

Why would you run them without authentication? One mistake in your iptables shouldn't instantly compromise your operation...

Best practice is 'defense in depth', not 'we'll just lock down the perimeter'.

ktheoryOP13y ago

Yeah, iptables works great for that.

I also like nginx's limit_zone module. You can put limit_zone in the proxy stanza, and only throttle dynamic requests without throttling access to fast static files.

We often use Rack::Attack to throttle particular HTTP paths differently. Say, the homepage isn't throttled, but the login action is. That layer 7 knowledge is Rack::Attack's main advantage.

As I say in the README, Rack::Attack is complementary to iptables and the limit_zone module.

pyre13y ago

  | blocking ports where there are no services doesn't
  | do much

fduran13y ago

Agree, I also block all unused incoming ports as a safety net as you say.

1 more reply

michaelbuckbee13y ago· 4 in thread

So it's something that's good for Heroku apps?

samstokes13y ago

It allows whitelisting... based on arbitrary properties of the request.

This isn't for preventing DOS attacks (for which you'd want to completely avoid hitting application code), it's just for preventing unauthorised or excessive usage.

sc00ter13y ago

toomuchtodo13y ago

Most times your firewall and router aren't doing layer 7/application level inspection/actioning. If Rack::Attack can handle it efficiently, its the easy way to go.

daniloassis13y ago

Probably.

It's a good way when you don't have privilege access to the server OR skills to do it manually on Nginx etc.

umsm13y ago· 2 in thread

This seems like a vulnerability in their implementation: "configure your proxy to set the X-Forwarded-For header with the source IP"

rrouse13y ago

That's pretty common practice so you don't get the IP of the machine your web server is on passed to the app instead of the user's ip.

mh-13y ago

if you're behind a reverse proxy (or load balancer, etc.) one should normally have [firewall] rules to ensure that only these proxy hosts can even connect to your httpd.

you also can configure your edge proxies to ignore X-Forwarded-For, or at least move it to another untrusted header if you want to preserve its contents.

there's an nginx module (has to be compiled in) that lets you whitelist hosts which can send X-Forwarded-For, and turns that into the actual remote address provided to your upstreams.

http://wiki.nginx.org/HttpRealipModule | http://nginx.org/en/docs/http/ngx_http_realip_module.html

gingerlime13y ago· 1 in thread

I used fail2ban to block abusive ips (based on string matching of specific errors in our logs). This seems like an interesting alternative though to keep things under one roof.

scott_karana13y ago

As some of the others said, I see this as complementary, since you can deal with logic on Layer 7 with ease.

jwilliams13y ago

My first question is how this works when you have more than one server.

It's not mentioned in the article, but this implementation uses the standard Rails Cache:

https://github.com/kickstarter/rack-attack/blob/master/lib/r...

There are particular hooks in there for Redis. So if you've got "n" servers, it seems the preferred approach is to use a central Redis store.

j / k navigate · click thread line to collapse