How do I test whether input is not /dev/random?
I have a simple chat server that I am playing with and I am trying to secure it. I have Node.js listening on a port, accepting all input from all clients and sending that back to all clients. I am able to flood the server by doing
cat /dev/random | chat
where chat is the client app. It floods the server and every client. I know I can just test to see if input is longer than some given amount, like 500 characters, but it is flooding the server (the check needs to be on the server, not the client, cause I could just telnet as well).
I think I need to check to make sure there are no control characters in the input, but still allow all the random UNICODE. How would I do this? What are all the characters that could be bad?
EDIT: I am adding some rate limiting so they can't just flood the server. I am adding logic to test if the average post time is below a certain threshold and closing their connection if it is. But I didn't have a question on how to do that :)
Comments (2)
/dev/random or control characters aren't the problem -- someone could still spam your server with a random text-only stream. A better way is to rate-limit your clients, so that you accept only a certain amount of data within a time interval. For example, if a client sends more than 500 bytes within a second, you could mute that client for 5 seconds.
I think you're probably better off writing a script to do this.
You may choose to get your script to use /dev/random under the covers, but it's a more extensible option to write a script.
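As an added example (not code from the question or either answer), here is what the first answer's scheme looks like in Node.js: count bytes per client over a one-second window and mute the client for five seconds once it sends more than 500 bytes, which is also the place where the asker's edit would close the connection instead. It also shows the control-character check the question asks about, keeping all printable Unicode. The numbers come from the answer; the class and function names, the injectable clock and the constructed demo messages are my assumptions.

```javascript
// Added example: per-client byte-rate limiting plus a control-character check
// for a Node.js chat server. Thresholds follow the first answer; names and the
// injectable clock are assumptions made for this illustration.

const LIMIT_BYTES = 500;   // more than this many bytes ...
const WINDOW_MS = 1000;    // ... within one second ...
const MUTE_MS = 5000;      // ... mutes the client for five seconds

const encoder = new TextEncoder();

class ClientRateLimiter {
  // `now` is injectable so the behaviour can be exercised without real time.
  constructor({ limitBytes = LIMIT_BYTES, windowMs = WINDOW_MS, muteMs = MUTE_MS, now = Date.now } = {}) {
    this.limitBytes = limitBytes;
    this.windowMs = windowMs;
    this.muteMs = muteMs;
    this.now = now;
    this.clients = new Map(); // clientId -> { windowStart, bytes, mutedUntil }
  }

  // Returns 'ok' (relay the message), 'muted' (drop it silently) or
  // 'exceeded' (this message tripped the limit; mute or disconnect here).
  accept(clientId, text) {
    const t = this.now();
    // Count UTF-8 bytes, not characters: a single emoji is 4 bytes on the wire.
    const bytes = encoder.encode(text).length;

    let state = this.clients.get(clientId);
    if (!state) {
      state = { windowStart: t, bytes: 0, mutedUntil: 0 };
      this.clients.set(clientId, state);
    }
    if (t < state.mutedUntil) return 'muted';

    // Start a fresh window once the current one has elapsed.
    if (t - state.windowStart >= this.windowMs) {
      state.windowStart = t;
      state.bytes = 0;
    }
    state.bytes += bytes;
    if (state.bytes > this.limitBytes) {
      state.mutedUntil = t + this.muteMs;
      state.windowStart = t;
      state.bytes = 0;
      return 'exceeded';
    }
    return 'ok';
  }

  // Call on socket close so the map does not grow without bound.
  forget(clientId) { this.clients.delete(clientId); }
}

// True if the text contains any Unicode control character (category Cc,
// i.e. C0/C1 controls such as BEL or ESC) other than tab, newline and CR.
// Letters, CJK, emoji and other printable code points all pass.
const BAD_CONTROL_RE = /(?![\t\n\r])\p{Cc}/u;
function hasBadControlChars(text) {
  return BAD_CONTROL_RE.test(text);
}

// Replays a constructed sequence of {t, client, text} events against a fresh
// limiter and returns the decision for each one.
function simulate(events) {
  let clock = 0;
  const limiter = new ClientRateLimiter({ now: () => clock });
  return events.map(({ t, client, text }) => {
    clock = t;
    return limiter.accept(client, text);
  });
}

// Constructed demo: client "a" floods, client "b" chats normally.
function runDemo() {
  return simulate([
    { t: 0,    client: 'a', text: 'hello' },           // ok
    { t: 100,  client: 'a', text: 'x'.repeat(500) },   // 505 bytes in window -> exceeded
    { t: 200,  client: 'b', text: 'hi there' },        // other client unaffected -> ok
    { t: 1000, client: 'a', text: 'still here?' },     // muted until t = 5100
    { t: 6000, client: 'a', text: 'back' },            // mute over, new window -> ok
  ]);
}

// Wiring sketch for a net.Server:
//   socket.on('data', chunk => {
//     const text = chunk.toString('utf8');
//     if (hasBadControlChars(text)) return;            // drop, do not relay
//     const verdict = limiter.accept(id, text);
//     if (verdict === 'exceeded') socket.end();         // or just mute
//     if (verdict !== 'ok') return;
//     broadcast(text);
//   });
```

The window here is fixed rather than sliding, which is enough to stop a `cat /dev/random` flood and is cheap per message; a token bucket would smooth bursts more fairly if that matters for the chat.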