6

I'm interested in using https://github.com/kickstarter/rack-attack to throttle abusers and brute force attackers. My app runs on multiple dynos, so I imagine the Rails default FileStore is not fully effective since there's a filesystem for each dyno, and throttling needs to be the aggregate of both.

If I were to use a memcached plugin service for Rails.cache, is there a "fallback" built into Rails if the memcached service goes down (i.e., say to FileStore)?

If not, with the outage of the memcached service, will the rails app crash or become inaccessible to users (vs gracefully handling errors)?

user1322092
  • 4,020
  • 7
  • 35
  • 52
  • Note that Heroku uses an [ephermal file system](https://devcenter.heroku.com/articles/dynos#ephemeral-filesystem), so a FileStore would prove to be very unreliable. – fivedigit Dec 21 '14 at 09:14
  • Yep! I'm aware of that. For that reason `memory_store` wouldn't work well (i.e, cache data partition across N dynos). Any thoughts on my other questions? – user1322092 Dec 21 '14 at 15:06
  • I don't believe there's a fallback, your app would most likely just raise errors. I'm 100% sure though, I haven't ever tested it. – fivedigit Dec 21 '14 at 15:10

1 Answers1

15

I'm the author of rack-attack.

tl;dr: when your caching backend (memcached or redis) is down, then all requests are allowed (i.e. fail-open).

It really depends on what the Rails cache does. Both the Dalli memcached client (ActiveSupport::Cache::DalliStore), and the Redis client (ActiveSupport::Cache::RedisStore) rescue connection errors and timeouts to return nil.

When rack-attack queries the cache store for a throttle value, the cache store returns nil. Rack attack casts thatto_i to get 0. And since your throttle limit is > 0, the request is allowed.

Rack attack has integration tests run on each commit testing that no errors are raised and requests are allowed when memcached/redis are unavailable.

ktheory
  • 1,101
  • 7
  • 6
  • Thanks for responding ktheory - love your gem, and keep up the great work! – user1322092 Feb 02 '15 at 22:52
  • 1
    Hey @ktheory Rack attack casts that to_i to get 0. And since your throttle limit is > 0, the request is allowed. 0 is not greater than 0, may be you wanted to say something else. Thanks for the gem. – abhishek77in Nov 04 '20 at 07:14