Massive login attack

rgfernan
Posts: 11
Joined: 20 Mar 2010, 00:25
Location: Buenos Aires, Argentina

Postby rgfernan » 23 Apr 2012, 00:52

Last week, we had an attack on our sfs server, having over 37k users logged in using the same session.
I ran a simple testing code (which I paste at the bottom), and I noticed it was failing.
I think this shouldn't be happening, as it doesn't make any sense to me to have multiple logs within the same session; even the SFSApi class returns only one user in the method getUserBySession, so I think this could be an issue.
I solved this using a custom login that doesn't allow multiple logins for a session, but I would anyways like to know if there is a way to do this using a config file or something like that, or, in case this is an issue, if it could be solved in future releases.

Testing code:

    @Test
    public void singleConnectionShouldNotAllowMultipleUsers() throws InterruptedException {
        totalLogs = 0;
        totalFails = 0;
        smartFox = new SmartFox(true);
        smartFox.connect("localhost", 9933);
        smartFox.addEventListener(SFSEvent.CONNECTION, new IEventListener() {
            public void dispatch(BaseEvent evt) throws SFSException {
                Map params = evt.getArguments();
                if ((Boolean) params.get("success")) {
                    System.out.println("Connection established");
                    ISFSObject sendingParams = new SFSObject();
                    sendingParams.putInt("g", 7);
                    smartFox.send(new LoginRequest("", "", "My Lobby", sendingParams));
                    smartFox.send(new LoginRequest("", "", "My Lobby", sendingParams));
                } else {
                    fail("Connection failed, ensure server is running on localhost, 9933");
                }
            }
        });

        smartFox.addEventListener(SFSEvent.LOGIN, new IEventListener() {
            public void dispatch(BaseEvent evt) throws SFSException {
                User user = (User) evt.getArguments().get("user");
                System.out.println("Login successful " + user.getName());
                totalLogs++;
            }
        });

        smartFox.addEventListener(SFSEvent.LOGIN_ERROR, new IEventListener() {
            public void dispatch(BaseEvent evt) throws SFSException {
                System.out.println("Login failure: " + evt.getArguments().get("errorMessage"));
                totalFails++;
            }
        });

        Thread.sleep(2000);
        assertEquals(1, totalLogs);
    }

Roberto G. Fernández
Technical Leader

WILLDOM, WE DO IT_
AR: +54 (11) 4821 1582
US: +1 (954) 905 7439
Skype: roberto.g.fernandez
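
The workaround described in the post above (refusing a second login on a session that already has a user), sketched as an added example; it is not code from the original post or from SmartFoxServer. `SessionLoginGuard`, `tryLogin`, `release` and the integer session id are hypothetical names, and the check is assumed to be called from the server's custom login handler. Because two login requests can arrive back to back on one connection, the claim is made atomically rather than as a separate check and set.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

/** Added example: at most one login per session, enforced with an atomic claim. */
public class SessionLoginGuard {
    // Hypothetical registry: session id -> name of the user that owns the session.
    private final ConcurrentMap<Integer, String> ownerBySession = new ConcurrentHashMap<>();

    /** Returns true only for the first login on a session; later attempts are refused. */
    public boolean tryLogin(int sessionId, String userName) {
        // putIfAbsent is atomic, so two requests racing on one session cannot both win.
        return ownerBySession.putIfAbsent(sessionId, userName) == null;
    }

    /** Call on logout or disconnect so the session id can be claimed again. */
    public void release(int sessionId) {
        ownerBySession.remove(sessionId);
    }

    public static void main(String[] args) throws InterruptedException {
        SessionLoginGuard guard = new SessionLoginGuard();
        int sessionId = 42;   // constructed sample session id
        int attempts = 1000;  // constructed burst of login requests per thread
        AtomicInteger accepted = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Thread[] workers = new Thread[8];
        for (int w = 0; w < workers.length; w++) {
            workers[w] = new Thread(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                for (int i = 0; i < attempts; i++) {
                    if (guard.tryLogin(sessionId, "guest")) accepted.incrementAndGet();
                }
            });
            workers[w].start();
        }
        start.countDown();                 // release all threads at once
        for (Thread t : workers) t.join();
        System.out.println("accepted " + accepted.get() + " of " + (workers.length * attempts));
        guard.release(sessionId);          // simulate the session disconnecting
        System.out.println("login after release: " + guard.tryLogin(sessionId, "guest"));
    }
}
```
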
3slices
Posts: 115
Joined: 17 Aug 2011, 04:42

Re: Massive login attack

Postby 3slices » 23 Apr 2012, 05:57

I have reported something similar. At least I believe this is a similar case of multiple logins:
viewtopic.php?f=18&t=13866
Maybe somebody was also reading it here searching for sfs weaknesses within smartfoxserver and simply trying it out.

I have not received another response from Lapo so far if they can reproduce the behaviour in the meantime.
@Lapo: I hope you can reproduce it. If there is anything else I can do to nail down this issue, I would be glad to help.
In any case it would be great to receive a fix or guidance on how to take care of this issue.
Lapo
Site Admin
Posts: 23009
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Massive login attack

Postby Lapo » 25 Apr 2012, 13:27

Thanks for your submission. We are working on a new release that is going to be out in a few days. We'll test your code and if it's reproducible we'll do our best to provide a fix in the new release.
Stay tuned.
Lapo
--
gotoAndPlay()
...addicted to flash games
