Atozed Forums

Full Version: Prevent DOS attack
I have an interesting issue.

We have built a number of IntraWeb apps that are called from a customer's main web site on a different domain.
The customer had an audit done, and it reported that the IntraWeb apps were vulnerable to a DoS attack.
I have tried AuthBeforeCreateSession with the AuthEvents component, but it uses the browser login dialog, which is not an acceptable solution.

Is there a way to present a CAPTCHA form before session creation that, when validated, then creates a new session and shows the IW app main form?
You can just create a static page to lead in with a CAPTCHA, but DoS attacks are best managed at the network/firewall level. You can also limit how many sessions can be created over a given time, either from within IntraWeb or from a lead-in page, and that will prevent some.
Yes, you can. The next IW update will probably (if everything works according to the plan) contain a CAPTCHA component. The code is already running; I just need to finish the component details.
(09-22-2020, 12:40 PM) Alexandre Machado wrote:
> Yes, you can. The next IW update will probably (if everything works according to the plan) contain a CAPTCHA component. The code is already running; I just need to finish the component details.

This is great news. Will this component work before session creation? There is a lot of work done in our apps when a session is created that uses a fair amount of memory.
All components need a session to be rendered. In this specific scenario, a content handler could possibly be used. That's the idea and we are working on it.

Recent versions of IW 15 contain a new security feature which restricts the number of sessions that can be started by IP address.

ServerController.SecurityOptions.MaxActiveSessionsPerIp, default is 0

If greater than zero, it will limit the number of active sessions starting from the same IP address. You can set this to enforce any other measure that you have in place.

When the limit is reached, any new request requiring a new session from the same IP address will return 429 Too Many Requests.

This will continue until some or all of the existing sessions expire.
(09-22-2020, 09:25 PM) Alexandre Machado wrote:
> Recent versions of IW 15 contain a new security feature which restricts the number of sessions that can be started by IP address.

The restriction on IP address does not work as our web apps sit behind a router/firewall and the remote address is always the same.
Do you, or can you, use X-Forwarded-For to get the actual source remote IP address?
Yes, why not... It would require a little modification, but it is doable, sure. In other parts IW already deals with the X-Forwarded-For header...
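As an added illustration (not IntraWeb's own code), here is a small Python model of the two points in this exchange: the MaxActiveSessionsPerIp behaviour described above (reject new sessions with 429 once an address has the maximum number of active sessions, until they expire) and the proxy problem raised just now, where the real client address has to come from X-Forwarded-For. TRUSTED_PROXIES, client_ip and SessionLimiter are assumed names, and the addresses are constructed sample values.

```python
import itertools
import time
from collections import defaultdict

# Constructed: the address of the router/firewall that sits in front of the app.
# X-Forwarded-For is only honoured when the direct peer is this proxy; otherwise
# any client could set the header itself to dodge the limit or get others blocked.
TRUSTED_PROXIES = {"10.0.0.1"}


def client_ip(remote_addr, headers):
    """Return the originating client address for a request."""
    if remote_addr in TRUSTED_PROXIES:
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            # Leftmost entry is the original client; later ones are proxies.
            return xff.split(",")[0].strip()
    return remote_addr


class SessionLimiter:
    """Model of a per-IP active-session cap (0 = unlimited, like the default)."""

    def __init__(self, max_active_per_ip=0, session_timeout=600):
        self.max_active = max_active_per_ip
        self.timeout = session_timeout            # seconds of inactivity
        self.sessions = defaultdict(dict)         # ip -> {session_id: last_seen}
        self._ids = itertools.count(1)

    def _expire(self, ip, now):
        live = self.sessions[ip]
        for sid in [s for s, seen in live.items() if now - seen > self.timeout]:
            del live[sid]

    def active(self, ip, now=None):
        self._expire(ip, time.time() if now is None else now)
        return len(self.sessions[ip])

    def new_session(self, remote_addr, headers, now=None):
        """Return (status, session_id); status 429 means the cap was hit."""
        now = time.time() if now is None else now
        ip = client_ip(remote_addr, headers)
        if self.max_active > 0 and self.active(ip, now) >= self.max_active:
            return 429, None
        sid = f"sess-{next(self._ids)}"
        self.sessions[ip][sid] = now
        return 200, sid
```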
(09-23-2020, 02:40 AM) Alexandre Machado wrote:
> Yes, why not... It would require a little modification, but it is doable, sure. In other parts IW already deals with the X-Forwarded-For header...

I have a lot of TerminateAndRedirect calls in our main app that I want to add a TimeStamp param to.
Can you add an OnTerminateAndRedirect event that allows me to modify the URL, so that I only have to add it in one place?

Also, can you add aResponse: THttpResponse to the BeforeNewSession event so that I can return custom HTML when not accepted?

A while back I asked if there was a way to get the file count and files transferred count in the AsyncUploadSuccess of IWFileUploader. There appears to be no way to tell how many files were dragged and dropped, or when the last file was saved.

I know I am being greedy, but you do not get if you do not ask.

Thank you

Bill B
(09-23-2020, 06:53 PM) PDSBILL wrote:
> Can you add an OnTerminateAndRedirect event that allows me to modify the URL, so that I only have to add it in one place?

Hi Bill,

> I know I am being greedy, But you do not get if you do not ask.

LOL, yes, you are correct. There is no way for me to know what is needed unless you guys ask for it.

Regarding your requests, I'll consider them and get back to you with more details.
The only problem is breaking existing event signatures, like BeforeNewSession. This causes lots of issues for existing code and no easy upgrading path.

Can you give me more details regarding your IWFileUploader scenario? Apparently you need to know how many files the user dropped on it and when the last file was updated?

Cheers
(09-23-2020, 09:52 PM) Alexandre Machado wrote:
> Can you give me more details regarding your IWFileUploader scenario? Apparently you need to know how many files the user dropped on it and when the last file was updated?

The issue with IWFileUploader is that I have a pop-up modal window that has the IWFileUploader component. Users can drag multiple files onto the component. In the AsyncUploadSuccess event, I have no way to tell how many files were dropped, and there is no event that fires off when all files have been received. I want to close the modal window after the last file is received and the AsyncUploadSuccess event has completed.

Regarding the BeforeNewSession event, could you not make an overloaded version that has aResponse: THttpResponse as a var param?

Bill B