Project

wait_a_minute

0.0
No commit activity in last 3 years
No release in over 3 years
wait_a_minutesrejbi/wait_a_minuteDocumentationSource CodeBug TrackerWiki
A very simple, application-level DOS (Denial-Of-Service) attack handler for Rails apps. By including in the app, it can track requests per IP address and refuse further processing of the request if there were too many requests recently from the given IP address.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
16,587
Stars
3
Forks
1
Watchers
2
 Releases
Current version
0.0.5
Total releases
5
First release
2011-04-19
Latest release
2011-04-19
 Development
Average date of last 50 commits
2011-04-20
Reverse Dependencies
0

 Dependencies

Development

rspec
= 2.1.0

Runtime

rails
>= 3.0.1
 Project Readme
== WaitAMinute

A simple, application level DOS (Denial-Of-Service) protection tool for 
small Rails applications.

== How does it work?

Once WaitAMinute gem is installed and configured in a Rails application, it 
will run a before_filter on *every* call to any subclasses of ActionController.

The before hook checks if the IP is a 'friendly' one (eg. NewRelic monitoring), 
meaning it is allowed no matter what. 
For 'non-friendly' IP addresses, the before filter checks if the IP is not already
banned within a minute (hence the name of the gem), if not, it checks the number 
of previous requests from the given address within a configurable floating timeframe
and allows the request to be served only if the address did not exceed the allowed
maximum requests within the timeframe. WaitAMinute then stores the request IP and 
the timestamp along with a bit indicating if the request was refused or not.

If the IP is banned, WaitAMinute renders a page with HTTP status 503 telling the 
server is too busy to handle the request and that the user should retry after a minute.

== Installation

add the gem to your Gemfile then
# bundle install

== Configuration

in your application's root directory, 

run 
# rails g wait_a_minute:install

then
# rake db:migrate

finally revise and tweak
config/initializers/wait_a_minute.rb

WaitAMinute.lookback_interval - the floating timeframe size, 
eg. 2.minutes

WaitAMinute.maximum_requests - the max number of requests from a single IP 
within the timeframe, eg. 24 - along with the above it allows a request 
every 5 seconds from a single IP address

WaitAMinute.debug - set to true for having IP filtering logged

WaitAMinute.layout - if some layout is needed around the error page, specify it 
here /for best performance it is not recommended, we want banned IP's to use 
the least resources/

WaitAMinute.allowed_ips - an array of strings with IP addresses that never should 
be banned, eg, ['127.0.0.1'] (once tried that it works ok on the development box, 
likely want the local developer to pass through always)

== Customization

create app/views/wait_a_minute/wait_a_minute.html.erb and customize to your 
liking to override the default error page for banned IP addresses.

== Maintenance

from time to time WaitAMinute.cleanup should be called from a scheduled
script to flush obsolete request logs in order to keep an optimal
ActiveRecord performance in its filtering operations.

== Further considerations

as the piece of software works with the REMOTE_ADDR of the request, it is only 
suitable in environments where it reflects the original request address.
(eg. it won't work in an environment where a load balancer replaces the
REMOTE_ADDR address in the request)