2

I have a Asp.Net Core Web Project and implemented ASPNetCoreRateLimit package for DOS and DDOS attacks in middleware as shown below. In "appsetting.json" file IpRateLimiting settings are configured under the middleware method as written below. In IpRateLimiting settings, if request count exceeds 1000 in 30 minutes, quota exceeded response is displayed and tested, everything is ok. I want to configure block time, I mean if request count exceeds limit mentioned in "GeneralRules" section in appsettings.json, I want to block this IP more than 30 minutes as mentioned again "GeneralRules" section. By default, library blocks IP, if request count exceeds the value mentioned in settings and after this period blocking is disabled. How can I configure or override blockin periond programmatically?

   public class RateLimitMiddleware : IpRateLimitMiddleware
    {
        private readonly ILogger<IpRateLimitMiddleware> _logger;

        public RateLimitMiddleware( 
               RequestDelegate next, IOptions<IpRateLimitOptions> options, IRateLimitCounterStore counterStore, IIpPolicyStore policyStore, IRateLimitConfiguration config, ILogger<IpRateLimitMiddleware> logger
           ) : base(next, options, counterStore, policyStore, config, logger)
        {
            policyStore.SeedAsync();
            _logger = logger;
        }
        //TODO : mail request details
        public override Task ReturnQuotaExceededResponse(HttpContext httpContext, RateLimitRule rule, string retryAfter)
        {
            var message = "Maximum request limit exceeded!";
            _logger.LogWarning(message + ". Details : " + httpContext);
            
            httpContext.Response.Headers["Retry-After"] = retryAfter;
            httpContext.Response.StatusCode = 429;
            httpContext.Response.ContentType = "application/json"; 

            return SpecificPageMiddleware.ReturnIndexPage(httpContext); 
        }

    }

"IpRateLimiting": {
    "EnableEndpointRateLimiting": true,
    "StackBlockedRequests": true,
    "RealIpHeader": "X-Real-IP",
    "ClientIdHeader": "X-ClientId",
    "HttpStatusCode": 429,
    "IpWhitelist": [ "" ],
    "EndpointWhitelist": [ "" ],
    "QuotaExceededResponse": {
      "Content": "<!DOCTYPE html><html lang=\"tr\"><head><meta charset=\"utf-8\" /><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"><title>HATA</title><meta name=\"description\" content=\"\" /><meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\" /><link rel=\"canonical\" href=\"https://www.airclinic.com.tr\" /> <link rel=\"shortcut icon\" href=\"favicon.ico\" /></head><body style=\"background-image: url(../assets/media/error/bg6.jpg);\"><div><div><div><h1 style=\"margin-top: 12rem;\">Hata Kodu : 429</h1><p></p><p\">Maksimum istek limiti aşılmıştır! Lütfen daha sonra tekrar deneyiniz</p></div></div></div></body></html>",
      "ContentType": "text/html",
      "StatusCode": 429
    },
    "GeneralRules": [
      {
        "Endpoint": "*",
        "Period": "30m",
        "Limit": 1000
      }
    ]
  }
mkartal
  • 71
  • 10

1 Answers1

2

How can I configure or override blockin periond programmatically?

You can access the Ip policy store within the controller and modify the IP rules as follows:

public class RateLimitMiddleware : IpRateLimitMiddleware
    {
        private readonly ILogger<IpRateLimitMiddleware> _logger;
        private readonly IpRateLimitOptions _options;
        private readonly IIpPolicyStore _ipPolicyStore;

        public RateLimitMiddleware( 
               RequestDelegate next, IOptions<IpRateLimitOptions> options, IRateLimitCounterStore counterStore, IIpPolicyStore policyStore, IRateLimitConfiguration config, ILogger<IpRateLimitMiddleware> logger
           ) : base(next, options, counterStore, policyStore, config, logger)
        {
            policyStore.SeedAsync();
            _logger = logger;
            _options = options.Value;
            _ipPolicyStore = policyStore;
        }
        //TODO : mail request details
        public override Task ReturnQuotaExceededResponse(HttpContext httpContext, RateLimitRule rule, string retryAfter)
        {
            var message = "Maximum request limit exceeded!";
            _logger.LogWarning(message + ". Details : " + httpContext);
            
            httpContext.Response.Headers["Retry-After"] = retryAfter;
            httpContext.Response.StatusCode = 429;
            httpContext.Response.ContentType = "application/json"; 


            String ip = HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];

            if (string.IsNullOrEmpty(ip))
            {
                ip = HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"];
            }

            var pol = _ipPolicyStore.Get(_options.IpPolicyPrefix);

            pol.IpRules.Add(new IpRateLimitPolicy
            {
                Ip = ip,
                Rules = new List<RateLimitRule>(new RateLimitRule[] {
                      rule
                })
            });

            _ipPolicyStore.Set(_options.IpPolicyPrefix, pol);


            return SpecificPageMiddleware.ReturnIndexPage(httpContext); 
        }

    }
Michael Wang
  • 3,782
  • 1
  • 5
  • 15
  • 1
    Hi Michael, thanks for your answer. Your logic if perfect and because of framework core, I updated same code like to get the remote Ip address "var ip = httpContext.Request.HttpContext.Connection.RemoteIpAddress.ToString();". Anyway it's tested and works. I can add new rules for specific remote Ip address at runtime – mkartal Jan 20 '21 at 13:20