Comments (13)
(Doing this accurately depends on #16)
from channelserver.
@jrconlin do you have any ideas in mind for how to apply rate-limiting for this service? Would you try to do it internally (maybe storing data into a shared redis instance?) or by talking to an external rate-limiting service?
from channelserver.
that introduces more coupling between this service and the rest of the FxA stack.
If the customs server were viewed along the lines of similar to 'iprepd', it's a dependency, but maybe one that's worthwhile.
from channelserver.
sigh. if secops ever does build a abuse tracking and mitigation system, I really hope they name it Godot.
@rfk No, I have no ideas or preferences for what sort of mitigation system we put in place. I suppose we should probably define what "abusive" behavior is. We've already got a few things in place for that, but I also wonder if in this time of bot farms and IPv6 addresses, if tracking per origin IP is reasonable?
FWIW, i'd kinda/sorta prefer a centralized abuse management system to keep us from re-inventing wheels, as well as preempt larger attacks.
from channelserver.
i'd kinda/sorta prefer a centralized abuse management system to keep us from re-inventing wheels,
as well as preempt larger attacks.
Me too! secops recently released their "iprepd" service for checking IP reputation, which isn't rate-limiting but is a step in that direction.
from channelserver.
We could integrate with the existing fxa-customs-server
Actually, this is not that easy in practice. We currently run fxa-customs-server as a "sidecar" service on the fxa-auth-server webheads, meaning that it's only available over localhost and not exposed to the broader network.
We could make a public-facing instance, but would need to figure out the security story for API calls, maybe using server-to-server secret keys.
I'm going to take this to the mailing list in order to loop others in on the discussion.
from channelserver.
We could make a public-facing instance, but would need to figure out the security story for API calls, maybe using server-to-server secret keys.
It could also be available only behind a VPN so not any goon could try to DDOS the service, even so server-to-server shared keys seems a responsible additional measure.
from channelserver.
This wasn't actually fixed in #31 in the end, re-opening.
from channelserver.
I thought that we agreed that we would use an outside system in order to restrict IP access? Doesn't that remove the need (or even the ability) for our server to do any sort of IP control?
from channelserver.
IIUC, we may still need to (1) parse and interpret a header provided by the security infrastructure, possibly rejecting requests as a result, and (2) log specific events about app-level misbehaviour to be interpreted by this infrastructure. I'll update the bug title accordingly.
from channelserver.
+1
Although I wonder if we should close this bug (and all the now invalid comments) and just start a new issue that talks about just doing that stuff.
from channelserver.
Sure, that makes sense; please file one as you see fit :-)
from channelserver.
Closing in favor of #34
from channelserver.
Related Issues (20)
- Convert ChannelIds to base64url HOT 2
- Automatically filter private networks from remote IP lookup HOT 2
- Production domain HOT 3
- Remove extraneous RefCells
- Refactor WS/Handlers to use DefaultHeader middleware
- Add info to /__version__ endpoint
- Seeing "No X-Forwarded-For found for proxied connection" while running locally HOT 2
- Production channel timeout is at 30 seconds HOT 1
- CODE_OF_CONDUCT.md file missing HOT 1
- Run cargo-audit in CI
- chore: Dependency Update for 10/2019 HOT 5
- chore: fix up pytest HOT 1
- Strings being shown in German HOT 17
- Statsd metrics don't appear to work
- Remove travis-ci
- Address sec advisories causing build failures
- Travis CI free usage ends Dec 3; mozilla repos should switch to other CI platforms HOT 1
- Add location test database
- Docker error due to glibc version mismatch HOT 3
- Ability to reconnect websocket when it gets closed HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from channelserver.