Up to Main Index                           Up to Journal for January, 2022

                     JOURNAL FOR MONDAY 3RD JANUARY, 2022
______________________________________________________________________________

SUBJECT: Limiting per IP connection rates (IP address quotas)
   DATE: Mon  3 Jan 20:12:19 GMT 2022

The first post for a new year. Welcome to 2022 everyone :)

I’ve never been keen on connection quotas being in WolfMUD. I think it’s the
wrong place for them. I feel a proper firewall should be used instead and it
would do a better job. However, I also realise people want a simple solution
they can deploy.

I’ve had a couple of requests to add connection quotas back in, as I’ve been
adding other admin functionality. I’ve also been asked to make them easier to
configure and understand :P

As a result I’ve been working on reimplementing quotas. The new implementation
is more performant, uses less storage and tracks more than four connections
per IP address. This time quotas are more understandable and easier to use, I
hope. However, the server configuration file has had to change. Configuration
for the old quota implementation looked like this:


  Quota.Window:  0s
  Quota.Timeout: 0s
  Quota.Stats:   0s


Configuration for the new quotas is now:


  Quota.Slots:  0
  Quota.Window: 0s


Quotas are now configured to restrict connection attempts from an IP address
to X slots/connections within a given time window. For example:


  Quota.Slots:  10
  Quota.Window: 5s


This would limit connections from an IP address to 10 connections within a 5
second window. If more than 10 connection attempts are made within 5 seconds
then the eleventh and subsequent attempts would result in the connection being
dropped by the server with the message:


  Too many connection attempts, please wait before trying again.


The client then needs to wait at least 5 seconds before connecting again. If
the client is persistent and keeps trying to connect before those 5 seconds
have elapsed, the wait is measured from the last attempt made: every further
attempt pushes the lockout another 5 seconds.
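To make the behaviour above concrete, here is an added example of a per-IP
quota with exactly those semantics: Slots attempts per Window, rejection once
the slots are full, and a lockout that is re-armed by every further attempt.
This is not WolfMUD's own code (WolfMUD tracks attempts in a uint64 bit field;
this version keeps a short list of timestamps instead) and the type and
function names are my own. The current time is passed in rather than read
from time.Now so the lockout can be walked through deterministically.

```go
package main

import (
	"fmt"
	"net"
	"sync"
	"time"
)

// Quota limits connection attempts per IP address: at most Slots attempts in
// any Window. A zero Slots or Window disables the quota entirely.
type Quota struct {
	Slots  int
	Window time.Duration

	mu    sync.Mutex
	hosts map[string]*hostState
}

type hostState struct {
	attempts     []time.Time // accepted attempts still inside the window
	blockedUntil time.Time   // zero unless the address is currently locked out
}

// NewQuota builds a quota equivalent to Quota.Slots / Quota.Window settings.
func NewQuota(slots int, window time.Duration) *Quota {
	return &Quota{Slots: slots, Window: window, hosts: make(map[string]*hostState)}
}

// HostOf strips the port from a RemoteAddr string so that every connection
// from one address shares a single quota entry instead of getting its own.
func HostOf(addr string) string {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return addr // no port present, use the address as given
	}
	return host
}

// Allow reports whether an attempt from ip at time now may proceed.
func (q *Quota) Allow(ip string, now time.Time) bool {
	if q.Slots <= 0 || q.Window <= 0 {
		return true // quotas disabled (the default)
	}
	q.mu.Lock()
	defer q.mu.Unlock()

	h, ok := q.hosts[ip]
	if !ok {
		h = &hostState{}
		q.hosts[ip] = h
	}

	// A persistent client re-arms its own lockout: the wait runs from the
	// most recent attempt, not from the attempt that tripped the quota.
	if now.Before(h.blockedUntil) {
		h.blockedUntil = now.Add(q.Window)
		return false
	}

	// Forget accepted attempts that have aged out of the window.
	cutoff := now.Add(-q.Window)
	keep := h.attempts[:0]
	for _, t := range h.attempts {
		if t.After(cutoff) {
			keep = append(keep, t)
		}
	}
	h.attempts = keep

	if len(h.attempts) >= q.Slots {
		// All slots used inside the window: reject and start the lockout.
		// Earlier attempts are dropped since they will have aged out by the
		// time the lockout can expire.
		h.blockedUntil = now.Add(q.Window)
		h.attempts = h.attempts[:0]
		return false
	}
	h.attempts = append(h.attempts, now)
	return true
}

// Expire removes addresses that are neither locked out nor have attempts
// inside the window, so the table cannot grow without bound. It returns the
// number of entries removed. Call it periodically from a housekeeping goroutine.
func (q *Quota) Expire(now time.Time) int {
	q.mu.Lock()
	defer q.mu.Unlock()
	cutoff := now.Add(-q.Window)
	removed := 0
	for ip, h := range q.hosts {
		idle := len(h.attempts) == 0 || !h.attempts[len(h.attempts)-1].After(cutoff)
		if !now.Before(h.blockedUntil) && idle {
			delete(q.hosts, ip)
			removed++
		}
	}
	return removed
}

func main() {
	q := NewQuota(10, 5*time.Second) // Quota.Slots: 10, Quota.Window: 5s
	start := time.Now()
	ip := HostOf("198.51.100.7:40123") // constructed sample address
	for i := 0; i < 12; i++ {
		at := start.Add(time.Duration(i) * 100 * time.Millisecond)
		if q.Allow(ip, at) {
			fmt.Printf("attempt %2d: accepted\n", i+1)
		} else {
			fmt.Printf("attempt %2d: Too many connection attempts, please wait before trying again.\n", i+1)
		}
	}
}
```

In a real accept loop the key would be HostOf(conn.RemoteAddr().String()),
taken before any other work is done on the connection. Keep in mind that
everything behind one NAT or proxy shares a single address, so the quota is a
rate limit on that address, not on individual users.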

With the current implementation Quota.Slots can be a value from 0 to 63[1].
This allows for up to 63 connections per IP Address in a given Quota.Window
period. The fastest rate limiting is currently 63 connection attempts per
second[2] per IP address.

It should be made clear that quotas only limit the rate at which an IP address
may open connections, not the total number of connections an IP address can
hold at once. Quotas give you some protection against DoS-style attacks that
rely on rapid connection churn, but a single IP address can still accumulate
many simultaneous connections.

If you don’t want to use quotas then setting either Quota.Slots or Quota.Window
to zero will disable quotas. This is the default.

Changes are now out on the public dev branch so that interested parties can
get a feel for the new quotas and provide any feedback before the changes make
it into a beta snapshot.

--
Diddymus

  [1] This is due to the implementation using a uint64 as a bit field to track
      connections and allows for 63 bits + 1 extra working bit.

  [2] This is due to how record jar periods are rounded to the nearest second.
      Changes to allow smaller periods would allow, for example, 50 connection
      attempts in a 100 millisecond period. The quota code can already handle
      time windows smaller than 1 second.
