bluzi / jsonstore

:rocket: jsonstore offers a free and secured JSON-based cloud datastore for small projects | Inactive

Home Page: https://www.jsonstore.io/

Service is down

aiden2480 opened this issue

Endpoints are returning ok: false
https://dood.wheres-my-ta.co/EIbnzy.png

Same here, all endpoints and relative trees are returning ok: false; however, no errors (via the jsonstore.io wrapper package) are being thrown.

Hi guys, we're having an outage, service should be back in the next 24 hours.

What happened? What was the cause of the outage? @bluzi

We're back online. In the last few months, we've been attacked with lots of HTTP requests from different IP addresses, and these attacks drain our budget. We're trying to fight back and minimize the effect as much as possible.

Data from the past few days may be missing at the moment; we're working on getting it back.

Sorry for the inconvenience.

Any ETA on when the data will be back? A few of my apps' databases appear to have been wiped completely. @bluzi

Wouldn't it be better to add some kind of authentication to avoid it happening again? It can be any of these options, ranging from simple to complex:

  • Token generation takes random data and, wasting CPU, hashes it.
    It can be changed to return an authenticated token so attackers can't create new stores without requesting a new token.
  • Add a captcha or proof of work to token generation if some attack tries to generate too many tokens.
  • Add an authentication step before token generation if the above step fails.

Of course, when using the tokens the API needs to validate them and check them against a blacklist before doing any operation, otherwise attackers can continue using them. An issue with this solution is that previously generated tokens will be invalidated.

Edit: if authentication is added then the token doesn't need to be authenticated, it can be random, and the blacklist will not be needed, as the server will need to store a list of all stores and their owners. By doing so, previously generated tokens can still be used.

I can send a pull request fixing the CPU waste issue: just get 32 random bytes and convert to hexadecimal, no time wasted generating more random data than needed nor hashing it.

-    const seed = crypto.randomBytes(64);
-    const hash = crypto.createHash('sha256').update(seed).digest('hex');
+    const token = crypto.randomBytes(32).toString('hex');
-    return res.send({ token: hash });
+    return res.send({ token });
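
Review bot: On the added `crypto.randomBytes(32).toString('hex')` line, add a short comment stating that 32 bytes hex-encode to 64 characters, the same length as the SHA-256 hex digest being removed, so the token format callers receive does not change. Also note that `crypto.randomBytes` without a callback is synchronous; because this runs in the request handler that ends in `res.send`, consider the callback form so the call does not block the event loop under heavy request volume.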
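
The authenticated-token idea from the comment above, sketched as an added example (not code from jsonstore or from the commenter): the server tags each random id with an HMAC, so it can reject tokens it never issued and check a denylist before any store operation. `SERVER_KEY`, the `id.tag` token format, the function names and the in-memory `revoked` set are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumption: a server-side secret from configuration; generated here so the example runs.
const SERVER_KEY = crypto.randomBytes(32);
// Assumption: in-memory denylist of revoked ids; a real service would persist it.
const revoked = new Set();

function mac(id) {
  return crypto.createHmac('sha256', SERVER_KEY).update(id).digest('hex');
}

// Issue "<id>.<tag>": id is 16 random bytes in hex, tag is HMAC-SHA256(key, id).
function issueToken() {
  const id = crypto.randomBytes(16).toString('hex');
  return `${id}.${mac(id)}`;
}

// Returns the store id if this server issued the token and it is not revoked, else null.
function verifyToken(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [id, tag] = parts;
  // Strict format check also guarantees equal buffer lengths for timingSafeEqual.
  if (!/^[0-9a-f]{32}$/.test(id) || !/^[0-9a-f]{64}$/.test(tag)) return null;
  const expected = Buffer.from(mac(id), 'hex');
  const given = Buffer.from(tag, 'hex');
  if (!crypto.timingSafeEqual(expected, given)) return null; // constant-time compare
  if (revoked.has(id)) return null; // denylist check before any operation
  return id;
}

// Adds a valid token's id to the denylist; returns false if the token was not valid.
function revokeToken(token) {
  const id = verifyToken(token);
  if (id !== null) revoked.add(id);
  return id !== null;
}
```

A plain 64-character random token of the kind the service issues today fails `verifyToken`, which is the invalidation of previously generated tokens that the comment points out.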