- Updated the PSK example to implement a Rate Limiting Brute
Force Attack to limit the number of requests a single IP address
can make in a certain amount of time. If an IP address exceeds this
limit, temporarily ban it.
tonisole committed Nov 22, 2023
1 parent 7f0f55b commit 7514727
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions examples/dial/psk/main.go
Expand Up @@ -8,6 +8,7 @@ import (
"context"
"fmt"
"net"
"sync"
"time"

"github.com/pion/dtls/v2"
Expand All @@ -22,10 +23,39 @@ func main() {
// Everything below is the pion-DTLS API! Thanks for using it ❤️.
//

// *************** Variables only used to implement a basic Brute Force Attack protection ***************
var attempts = make(map[string]int) // Map of attempts for each IP address

Check failure on line 27 in examples/dial/psk/main.go

GitHub Actions / lint / Go

File is not `gofumpt`-ed (gofumpt)
var attemptsMutex sync.Mutex // Mutex for the map of attempts
var attemptsCleaner = time.Now() // Time to be able to clean the map of attempts every X minutes

// Prepare the configuration of the DTLS connection
config := &dtls.Config{
PSK: func(hint []byte, addr net.Addr) ([]byte, error) {
fmt.Printf("Server's hint: %s \n", hint)
// *************** Brute Force Attack protection ***************
// Check if the IP address is in the map, and the IP address has exceeded the limit
attemptsMutex.Lock()
defer attemptsMutex.Unlock()
// Here I implement a time cleaner for the map of attempts, every 5 minutes I will decrement by 1 the number of attempts for each IP address
if time.Now().After(attemptsCleaner.Add(time.Minute * 5)) {
attemptsCleaner = time.Now()
for k, v := range attempts {
if v > 0 {
attempts[k]--
}
if attempts[k] == 0 {
delete(attempts, k)
}
}
}
// Check if the IP address is in the map, and the IP address has exceeded the limit (Brute Force Attack protection)
if attempts[addr.(*net.UDPAddr).IP.String()] > 5 {

Check failure on line 52 in examples/dial/psk/main.go

GitHub Actions / lint / Go

type assertion must be checked (forcetypeassert)
return nil, fmt.Errorf("too many attempts from this IP address")

Check failure on line 53 in examples/dial/psk/main.go

GitHub Actions / lint / Go

err113: do not define dynamic errors, use wrapped static errors instead: "fmt.Errorf(\"too many attempts from this IP address\")" (goerr113)
}
// Here I increment the number of attempts for this IP address (Brute Force Attack protection)
attempts[addr.(*net.UDPAddr).IP.String()]++

Check failure on line 56 in examples/dial/psk/main.go

GitHub Actions / lint / Go

type assertion must be checked (forcetypeassert)
// *************** END Brute Force Attack protection END ***************
// I return the PSK
return []byte{0xAB, 0xC1, 0x23}, nil
},
PSKIdentityHint: []byte("Pion DTLS Client"),
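
Review bot: the two unchecked assertions `addr.(*net.UDPAddr)`, in the `> 5` limit check and in the increment after it, will panic inside the PSK callback if `addr` is any other `net.Addr` implementation, so the protection itself becomes a crash path. Assert once with `udpAddr, ok := addr.(*net.UDPAddr)`, return an error when `!ok`, and reuse the resulting key for both the lookup and the increment. The counter is also incremented on every invocation of the callback rather than on a failed handshake, so a peer holding the correct key is refused from its seventh call onward; since this is the dial example and the callback receives the server's hint, a comment should state which peers the limit is meant to apply to. Cleanup only runs when the callback is next invoked and removes one attempt per IP every 5 minutes, so an address past the threshold gets back a single attempt per interval and the map keeps its entries until some later call triggers the sweep; storing a timestamp per entry and expiring on it would make the ban duration explicit. The error at `return nil, fmt.Errorf("too many attempts from this IP address")` should be a package-level sentinel created with `errors.New` so callers can match it, which also clears the err113 finding.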