I have my express server deployed and someone is continuously sending some requests and flooding the server. This flooding makes the server super slow.

2021-12-22T08:32:00.591180+00:00 app[web.1]: GET /socket.io/?EIO=4&transport=polling&t=NtXHCIU 404 0.353 ms - 149

2021-12-22T08:32:01.450407+00:00 heroku[router]: at=info method=GET path="/socket.io/?EIO=4&transport=polling&t=NtXHCbp" host=api-app-name.herokuapp.com request_id=0a0adb5d-f067-4898-972a-fe47cb66e255 fwd="73.223.239.30" dyno=web.1 connect=0ms service=1ms status=404 bytes=504 protocol=https

Above are some logs from the server. I have deployed the server by removing this API which is being triggered, so this is showing 404, but I am still getting requests for this API. The requests are coming from some 4-6 IPs. What can be done in a situation like this to avoid this unnecessary flooding and stop the overloading?

Himanshu
  • Can you tell where it's coming from? Is it coming from one of your own web pages? This looks like attempts to make a socket.io connection to your server. Is there a referrer header on the requests? – jfriend00 Dec 22 '21 at 08:41
  • No, the request is not made by my web page. But I haven't checked the referrer header. I will check this to find who is making the attempt. – Himanshu Dec 22 '21 at 08:48
  • @jfriend00 I checked the referrer header; my own website is making the requests, but I had removed the code which makes the connection with the socket when I removed the socket API from the server. I don't understand how this is happening. – Himanshu Dec 22 '21 at 09:07
  • It is probably previous copies of your own website sitting open in someone's browser and they will eventually go away when the browser is closed or refreshed. There's a possibility that this is someone malicious that is forging the referrer header and trying to harm your servers, but that seems less likely. You should also make sure that any JavaScript files that might have been doing this have also been removed from your server or renamed so your Express will no longer serve them even to old copies of the web page that might be in a cache somewhere. – jfriend00 Dec 22 '21 at 09:09
  • These requests have been coming for the past 24 hours. Let's say someone malicious is trying to forge the header and harm the server; what can be done in this situation? – Himanshu Dec 22 '21 at 09:12
  • If it's from fixed IP addresses, it would be most effective if you could block the IP addresses at the network level in your hosting provider so your server never sees the requests. If you ask your hosting provider for assistance with a DOS (Denial of Service) attack from four IP addresses, they should know how to help. – jfriend00 Dec 22 '21 at 09:16
  • Sure I will try that. Thanks for your help. – Himanshu Dec 22 '21 at 09:21
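
To hand the hosting provider the exact addresses to block, as the comments above suggest, the router log can be tallied per client IP for the flooded path. This is an added example, not code from the original thread; `routerLine`, `parseRouterLine`, `summarizeFlood` and the sample log are constructed for illustration, and treating the last `fwd` entry as the connecting address is an assumption.

```javascript
// Build one line in the Heroku router format shown in the question (constructed data).
const routerLine = (ts, path, fwd) =>
  `2021-12-22T08:32:${ts}+00:00 heroku[router]: at=info method=GET path="${path}" ` +
  `host=api-app-name.herokuapp.com fwd="${fwd}" dyno=web.1 status=404 bytes=504 protocol=https`;

// Constructed sample log; the addresses come from documentation-only ranges.
const SAMPLE_LOG = [
  "2021-12-22T08:32:00.591180+00:00 app[web.1]: GET /socket.io/?EIO=4&transport=polling&t=a 404 0.353 ms - 149",
  routerLine("01.450407", "/socket.io/?EIO=4&transport=polling&t=a", "203.0.113.10"),
  routerLine("02.100000", "/socket.io/?EIO=4&transport=polling&t=b", "198.51.100.7"),
  routerLine("02.900000", "/socket.io/?EIO=4&transport=polling&t=c", "203.0.113.10"),
  routerLine("03.300000", "/socket.io/?EIO=4&transport=polling&t=d", "10.1.2.3, 198.51.100.7"),
  routerLine("04.000000", "/socket.io/?EIO=4&transport=polling&t=e", "203.0.113.10"),
  routerLine("04.500000", "/api/users", "192.0.2.55"),
  routerLine("05.000000", "/socket.io/?EIO=4&transport=polling&t=f", "192.0.2.55"),
].join("\n");

// Parse the logfmt key=value pairs of a router line; other lines return null.
function parseRouterLine(line) {
  const marker = "heroku[router]: ";
  const at = line.indexOf(marker);
  if (at === -1) return null; // e.g. app[web.1] lines, which carry no client address
  const fields = { timestamp: line.slice(0, line.indexOf(" ")) };
  const pairs = line.slice(at + marker.length).matchAll(/(\w+)=(?:"([^"]*)"|(\S*))/g);
  for (const [, key, quoted, bare] of pairs) fields[key] = quoted !== undefined ? quoted : bare;
  return fields;
}

// Count hits per client address for one path prefix, busiest first.
function summarizeFlood(logText, pathPrefix, minHits) {
  const byIp = new Map();
  for (const line of logText.split("\n")) {
    const f = parseRouterLine(line);
    if (!f || !f.fwd || !(f.path || "").startsWith(pathPrefix)) continue;
    // Assumption: in a comma-separated fwd chain the last entry is the peer the router saw.
    const ip = f.fwd.split(",").pop().trim();
    const entry = byIp.get(ip) || { ip, hits: 0, first: f.timestamp, last: f.timestamp };
    entry.hits += 1;
    entry.last = f.timestamp;
    byIp.set(ip, entry);
  }
  return [...byIp.values()].filter((e) => e.hits >= minHits).sort((a, b) => b.hits - a.hits);
}

console.log(summarizeFlood(SAMPLE_LOG, "/socket.io/", 2));
```

The `first` and `last` timestamps per address show how long each source has been active, which is useful when reporting the traffic to the provider.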

1 Answer

You need to use express rate limit, which can help to limit the number of requests per IP address for a particular time window. https://www.npmjs.com/package/express-rate-limit

Dipten
  • The OP is already just returning a 404 from these requests so a rate limit at a higher level than that won't help. They really need to find the source (which is probably their own socket.io code in their own web pages) or they need to block these types of requests at the network level, not in the server. That's how you protect the server's performance. – jfriend00 Dec 22 '21 at 08:44
  • Network-level blocking is the best way, but in case network-level blocking is not possible, express rate limit comes in handy. – Dipten Apr 28 '22 at 04:41