add rate limiting

Author: colbster937

README.md

@@ -11,7 +11,7 @@ Eaglercraft relay server implementation written in TypeScript
 - [x] Origin whitelist
 - [x] Join code customization
 - [x] STUN / TURN server support
-- [ ] ~~Rate limiting~~
+- [x] Rate limiting
 
 ## Usage:
 

package-lock.json

@@ -1,11 +1,12 @@
 {
   "name": "eaglerrelayjs",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Eaglercraft relay server implementation in typescript",
   "repository": "github:WebMCDevelopment/EaglerRelayJS",
   "type": "module",
   "main": "dist/index.js",
   "scripts": {
+    "start": "tsx src/index.ts",
     "build": "tsc && tsc-esm-fix dist",
     "lint": "eslint . --ext .ts",
     "lint:fix": "eslint . --ext .ts --fix"

package.json

@@ -14,11 +14,12 @@ export class EaglerSPClient {
   private static readonly CLIENT_CODE_LENGTH = 16;
   private static readonly CLIENT_CODE_CHARS = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
 
-  public SOCKET: WebSocket;
-  public SERVER: EaglerSPServer;
-  public ID: string;
-  public ADDRESS: string;
-  public CREATED: number;
+  public readonly SOCKET: WebSocket;
+  public readonly SERVER: EaglerSPServer;
+  public readonly ID: string;
+  public readonly ADDRESS: string;
+  public readonly CREATED: number;
+
   public STATE: LoginState;
   public SERVER_NOTIFIED_OF_CLOSE: boolean;
 

src/server/EaglerSPClient.ts

@@ -3,16 +3,18 @@ import { RelayConfig } from '../utils/RelayConfig';
 import { IncomingMessage } from 'http';
 import { Socket } from 'net';
 import { RelayLogger } from '../utils/RelayLogger';
-import { RelayPacket } from '../pkt/RelayPacket';
-import { RelayPacket00Handshake } from '../pkt/RelayPacket00Handshake';
-import { RelayPacketFFErrorCode } from '../pkt/RelayPacketFFErrorCode';
 import { EaglerSPClient } from './EaglerSPClient';
 import { EaglerSPServer } from './EaglerSPServer';
+import { RelayPacket } from '../pkt/RelayPacket';
 import { RelayPacket01ICEServers } from '../pkt/RelayPacket01ICEServers';
+import { RelayPacket00Handshake } from '../pkt/RelayPacket00Handshake';
+import { LocalWorld, RelayPacket07LocalWorlds } from '../pkt/RelayPacket07LocalWorlds';
 import { RelayPacket69Pong } from '../pkt/RelayPacket69Pong';
+import { RelayPacketFEDisconnectClient } from '../pkt/RelayPacketFEDisconnectClient';
+import { RelayPacketFFErrorCode } from '../pkt/RelayPacketFFErrorCode';
 import { RelayVersion } from '../utils/RelayVersion';
-import { LocalWorld, RelayPacket07LocalWorlds } from '../pkt/RelayPacket07LocalWorlds';
 import { SocketAddress } from '../utils/SocketAddress';
+import { RateLimit, RateLimiter } from './RateLimiter';
 import '../pkt/RegisterPackets';
 
 export class EaglerSPRelay {
@@ -24,13 +26,22 @@ export class EaglerSPRelay {
   private readonly SERVER_CONNECTIONS: Map<WebSocket, EaglerSPServer>;
   private readonly SERVER_ADDRESS_SETS: Map<string, EaglerSPServer[]>;
 
+  private readonly WORLD_RATE_LIMITER: RateLimiter | undefined;
+  private readonly PING_RATE_LIMITER: RateLimiter | undefined;
+
   public constructor ();
   public constructor (config: object);
   public constructor (config?: object) {
     this.WSS = new WebSocketServer({ noServer: true });
     if (config !== undefined) RelayConfig.loadConfigJSON(config);
     else RelayConfig.loadConfigFile('config.json');
     RelayLogger.debug('Debug logging enabled');
+    if (RelayConfig.get('limits.world_ratelimit.enabled')) this.WORLD_RATE_LIMITER = new RateLimiter(Number(RelayConfig.get('limits.world_ratelimit.period')) * 1000, Number(RelayConfig.get('limits.world_ratelimit.limit')), Number(RelayConfig.get('limits.world_ratelimit.lockout_limit')), Number(RelayConfig.get('limits.world_ratelimit.lockout_time')) * 1000);
+    if (RelayConfig.get('limits.ping_ratelimit.enabled')) this.PING_RATE_LIMITER = new RateLimiter(Number(RelayConfig.get('limits.ping_ratelimit.period')) * 1000, Number(RelayConfig.get('limits.ping_ratelimit.limit')), Number(RelayConfig.get('limits.ping_ratelimit.lockout_limit')), Number(RelayConfig.get('limits.ping_ratelimit.lockout_time')) * 1000);
+    setInterval(() => {
+      this.WORLD_RATE_LIMITER?.update();
+      this.PING_RATE_LIMITER?.update();
+    }, 30000);
     this.CLIENT_IDS = new Map();
     this.SERVER_CODES = new Map();
     this.PENDING_CONNECTIONS = new Map();
@@ -65,6 +76,14 @@ export class EaglerSPRelay {
                 let id: string | undefined;
                 let srv: EaglerSPServer | undefined;
                 if (ipkt.CONNECTION_TYPE === 1) {
+                  if (!this.rateLimit(this.WORLD_RATE_LIMITER, ws, waiting.ADDRESS)) return;
+                  let arr: EaglerSPServer[] | undefined = this.SERVER_ADDRESS_SETS.get(waiting.ADDRESS);
+                  if (arr !== undefined && arr.length >= Number(RelayConfig.get('limits.worlds_per_ip'))) {
+                    RelayLogger.debug('[{}]: Too many worlds are open on this address', waiting.ADDRESS);
+                    ws.send(RelayPacketFEDisconnectClient.RATELIMIT_PACKET_TOO_MANY);
+                    ws.close();
+                    return;
+                  }
                   RelayLogger.debug('[{}]: Connected as a server', waiting.ADDRESS);
                   let i: number = 0;
                   while (true) {
@@ -91,7 +110,7 @@ export class EaglerSPRelay {
                   RelayLogger.debug('[{}] [Relay -> Server]: PKT 0x00: Assign join code: {}', waiting.ADDRESS, id);
                   this.SERVER_CONNECTIONS.set(ws, srv);
                   this.PENDING_CONNECTIONS.delete(ws);
-                  let arr: EaglerSPServer[] | undefined = this.SERVER_ADDRESS_SETS.get(srv.SERVER_ADDRESS);
+                  arr = this.SERVER_ADDRESS_SETS.get(srv.SERVER_ADDRESS);
                   if (arr == undefined) {
                     arr = [];
                     this.SERVER_ADDRESS_SETS.set(srv.SERVER_ADDRESS, arr);
@@ -100,6 +119,7 @@ export class EaglerSPRelay {
                   (srv).send(new RelayPacket01ICEServers(RelayConfig.getRelayServers()));
                   RelayLogger.debug('[{}] [Relay -> Server]: PKT 0x01: Send ICE server list to server', waiting.ADDRESS);
                 } else if (ipkt.CONNECTION_TYPE === 2) {
+                  if (!this.rateLimit(this.PING_RATE_LIMITER, ws, waiting.ADDRESS)) return;
                   const codeLen: number = (RelayConfig.get('join_codes.length') as number);
                   let code: string = ipkt.CONNECTION_CODE;
                   RelayLogger.debug('[{}]: Connected as a client, requested server code: {}', waiting.ADDRESS, code);
@@ -129,10 +149,12 @@ export class EaglerSPRelay {
                     RelayLogger.debug('[{}] [Relay -> Client]: PKT 0x01: Send ICE server list to client', waiting.ADDRESS);
                   }
                 } else if (ipkt.CONNECTION_TYPE === 3) {
+                  if (!this.rateLimit(this.PING_RATE_LIMITER, ws, waiting.ADDRESS)) return;
                   RelayLogger.debug('[{}]: Pinging the server', waiting.ADDRESS);
                   ws.send(RelayPacket.writePacket(new RelayPacket69Pong(1, RelayConfig.get('server.comment') as string, RelayVersion.BRAND)));
                   ws.close();
                 } else if (ipkt.CONNECTION_TYPE === 4) {
+                  if (!this.rateLimit(this.PING_RATE_LIMITER, ws, waiting.ADDRESS)) return;
                   RelayLogger.debug('[{}]: Polling the server for other worlds', waiting.ADDRESS);
                   if (RelayConfig.get('server.show_local_worlds')) ws.send(RelayPacket.writePacket(new RelayPacket07LocalWorlds(this.getLocalWorlds(SocketAddress.getAddress(ws)))));
                   else ws.send(RelayPacket.writePacket(new RelayPacket07LocalWorlds([])));
@@ -220,6 +242,19 @@ export class EaglerSPRelay {
     if (srvs != undefined && srvs.length > 0) for (const s of srvs) if (!s.SERVER_HIDDEN) arr.push(new LocalWorld(s.SERVER_NAME, s.CODE));
     return arr;
   }
+
+  private rateLimit (l: RateLimiter | undefined, ws: WebSocket, addr: string): boolean {
+    if (l === undefined) return true;
+    const r = l.limit(addr);
+    if (r === RateLimit.NONE) return true;
+    if (r === RateLimit.LIMIT) {
+      ws.send(RelayPacketFEDisconnectClient.RATELIMIT_PACKET_BLOCK);
+    } else if (r === RateLimit.LIMIT_NOW_LOCKOUT) {
+      ws.send(RelayPacketFEDisconnectClient.RATELIMIT_PACKET_BLOCK_LOCK);
+    }
+    ws.close();
+    return false;
+  }
 }
 
 class PendingConnection {

src/server/EaglerSPRelay.ts

@@ -13,12 +13,12 @@ import { RelayPacketFFErrorCode } from '../pkt/RelayPacketFFErrorCode';
 import { SocketAddress } from '../utils/SocketAddress';
 
 export class EaglerSPServer {
-  public SOCKET: WebSocket;
-  public CODE: string;
-  public CLIENTS: Map<string, EaglerSPClient>;
-  public SERVER_NAME: string;
-  public SERVER_ADDRESS: string;
-  public SERVER_HIDDEN: boolean;
+  public readonly SOCKET: WebSocket;
+  public readonly CODE: string;
+  public readonly CLIENTS: Map<string, EaglerSPClient>;
+  public readonly SERVER_NAME: string;
+  public readonly SERVER_ADDRESS: string;
+  public readonly SERVER_HIDDEN: boolean;
 
   public constructor (socket: WebSocket, code: string, serverName: string, serverAddress: string) {
     this.SOCKET = socket;

src/server/EaglerSPServer.ts

@@ -0,0 +1,83 @@
+export class RateLimiter {
+  public readonly PERIOD: number;
+  public readonly LIMIT: number;
+  public readonly LOCKOUT_LIMIT: number;
+  public readonly LOCKOUT_DURATION: number;
+
+  private readonly LIMITERS = new Map<string, RateLimitEntry>();
+
+  public constructor (period: number, limit: number, lockoutLimit: number, lockoutDuration: number) {
+    this.PERIOD = period;
+    this.LIMIT = limit;
+    this.LOCKOUT_LIMIT = lockoutLimit;
+    this.LOCKOUT_DURATION = lockoutDuration;
+  }
+
+  public limit (addr: string): RateLimit {
+    let etr: RateLimitEntry | undefined = this.LIMITERS.get(addr);
+    if (etr === undefined) this.LIMITERS.set(addr, etr = new RateLimitEntry());
+    else etr.update(this);
+    if (etr.LOCKED) {
+      return RateLimit.LOCKOUT;
+    } else {
+      if (++etr.COUNT >= this.LOCKOUT_LIMIT) {
+        etr.COUNT = 0;
+        etr.LOCKED = true;
+        etr.LOCKED_TIMER = Date.now();
+        return RateLimit.LIMIT_NOW_LOCKOUT;
+      } else {
+        return etr.COUNT > this.LIMIT ? RateLimit.LIMIT : RateLimit.NONE;
+      }
+    }
+  }
+
+  public update (): void {
+    for (const [address, etr] of this.LIMITERS) {
+      etr.update(this);
+      if (!etr.LOCKED && etr.COUNT === 0) this.LIMITERS.delete(address);
+    }
+  }
+
+  public reset (): void {
+    this.LIMITERS.clear();
+  }
+}
+
+export enum RateLimit {
+  NONE,
+  LIMIT,
+  LIMIT_NOW_LOCKOUT,
+  LOCKOUT
+}
+
+class RateLimitEntry {
+  public TIMER: number = Date.now();
+  public COUNT: number = 0;
+  public LOCKED_TIMER: number = 0;
+  public LOCKED: boolean = false;
+
+  public update (limiter: RateLimiter): void {
+    const millis: number = Date.now();
+    if (this.LOCKED) {
+      if (millis - this.LOCKED_TIMER > limiter.LOCKOUT_DURATION) {
+        this.LOCKED = false;
+        this.LOCKED_TIMER = 0;
+        this.COUNT = 0;
+        this.TIMER = millis;
+      }
+    } else {
+      const p: number = limiter.PERIOD / limiter.LIMIT;
+      if (this.COUNT > 0 && p > 0) {
+        const elapsed: number = millis - this.TIMER;
+        const tokens: number = Math.floor(elapsed / p);
+        if (tokens > 0) {
+          this.COUNT = Math.max(0, this.COUNT - tokens);
+          this.TIMER += tokens * p;
+          if (this.TIMER > millis) this.TIMER = millis;
+        }
+      } else {
+        this.TIMER = millis;
+      }
+    }
+  }
+}

src/server/RateLimiter.ts

@@ -44,7 +44,24 @@ const CONFIG_DEFAULT = {
       type: 'stun',
       address: 'stun4.l.google.com:19302'
     }
-  ]
+  ],
+  limits: {
+    worlds_per_ip: 32,
+    world_ratelimit: {
+      enabled: true,
+      period: 192,
+      limit: 32,
+      lockout_limit: 48,
+      lockout_time: 600
+    },
+    ping_ratelimit: {
+      enabled: true,
+      period: 256,
+      limit: 128,
+      lockout_limit: 192,
+      lockout_time: 300
+    }
+  }
 };
 
 type Json = string | number | boolean | null | Json[] | { [k: string]: Json; };

src/utils/RelayConfig.ts

@@ -2,8 +2,6 @@ import chalk from 'chalk';
 import { RelayConfig } from './RelayConfig';
 
 export class RelayLogger {
-  private constructor () {}
-
   private static format (msg: any, ...args: any[]): string {
     let ret = msg;
     for (const arg of args) ret = ret.replace('{}', typeof arg === 'object' ? JSON.stringify(arg) : String(arg));

src/utils/RelayLogger.ts

@@ -1,7 +1,7 @@
 export class RelayVersion {
   public static readonly NAME = 'EaglerRelayJS';
-  public static readonly VERSION = '0.1.0';
+  public static readonly VERSION = '0.1.1';
   public static readonly BRAND = 'colbster';
   public static readonly PROTOCOL = 1;
   public static readonly DEFAULT_COMMENT = `${RelayVersion.NAME} v${RelayVersion.VERSION}`;
-}
+}