Reduce response file buffer size #40

New Issue

2022-03-15T18:10:19Z

v0l commented

2022-03-15 18:10:19 +00:00

(Migrated from github.com)

One potential attack vector could be resource exhasution from the large response buffer size.
285899b742/VoidCat/Services/Files/StreamFileStore.cs (L11)

Every download request creates a buffer of 1MiB, an attacker could start thousands of downloads and not read any data from the server to use up more memory resources than we have.

The reason for using 1MiB buffers is to stop excessive calls to TrackEgress.

Potential solution:

Report every Nth buffer to replicate the call rate used by the existing buffer size.
Rate limit downloads:
- Limit concurrent downloads by IP
- Limit response time between buffers (Server could run out of bandwidth and trigger this)
Periodically report bandwidth stats from IStatsCollector so TrackEgress can be called synchronously

One potential attack vector could be resource exhasution from the large response buffer size. https://github.com/v0l/void.cat/blob/285899b742286f7738fe9c9e709454e7bffc7bd0/VoidCat/Services/Files/StreamFileStore.cs#L11 Every download request creates a buffer of 1MiB, an attacker could start thousands of downloads and not read any data from the server to use up more memory resources than we have. The reason for using 1MiB buffers is to stop excessive calls to `TrackEgress`. Potential solution: - Report every `Nth` buffer to replicate the call rate used by the existing buffer size. - Rate limit downloads: - Limit concurrent downloads by IP - Limit response time between buffers (Server could run out of bandwidth and trigger this) - Periodically report bandwidth stats from `IStatsCollector` so `TrackEgress` can be called synchronously

Sign in to join this conversation.