-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: add a more aggressive rate limit for spammy users #226
base: master
Are you sure you want to change the base?
Conversation
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #226 +/- ##
==========================================
+ Coverage 49.50% 49.97% +0.47%
==========================================
Files 33 33
Lines 2117 2135 +18
Branches 195 199 +4
==========================================
+ Hits 1048 1067 +19
Misses 1063 1063
+ Partials 6 5 -1 ☔ View full report in Codecov by Sentry. |
I have tried it and looks the case
broken for me. After a short investigation, I see that the second rate limit you have added somehow overrides |
What do you mean by override? It resets the time? |
The second, more aggressive rate limit will take precedence in case it is triggered. First rate limit will work as usual, until there is 15 errored requests in a 15 seconds window, in which case, the user is locked completely until the 15 second window closes (every requests return 429, success or not) |
you can try it by yourself. With the current code, the first middleware doesn't work. |
ok, for me the regular( |
@wa0x6e ^^^ |
Just tested, and confirming that the latest define rateLimit's Will see why |
Fixed, seems like a known bug from rate-limit itself express-rate-limit/rate-limit-redis#171 |
I can't test. Could you @ChaituVR test take it? |
Will do, thank you |
🧿 Current issues / What's wrong ?
From https://github.com/orgs/snapshot-labs/projects/12/views/7?pane=issue&itemId=43069387
Current rate limit is pretty generous, with 100 requests every minute. This is fine for legitimate users, but some bad actors are abusing that limit by trying to send multiple requests within that limit, but with all requests failing, as they're trying to brute force something.
Thus, some users are sending 100 bad requests per minutes, for hours straight.
This traffic is of low quality, and is from bot. Example: a bot trying to vote on all proposals. This kind of requests will always fail with various errors, such as "proposal closed", or "no voting power".
💊 Fixes / Solution
We should decrease the rpm for users sending a high number of failed requests.
The
express-rate-limit
middleware is already providing the logic for that, and can be used by just tweaking its config.This can also serve as a protection when the service is returning a high number of errors due to internal service issues (pineapple, score-api, etc ...)
🚧 Changes
express-rate-limit
to latest version, as current version has a bug when using multiple instance of rateLimit.Limit is still pretty generous, and will be further be adjusted depending on how well it works.
🛠️ Tests