
I'm working on the Java backend for a Flash webgame - the client and server communicate using Action Message Format (AMF). A few weeks ago, another team in our company had their product hacked by a user who decompiled the Flash client, and used an altered version to flood the backend with bogus requests. We want to prevent this kind of attack in our new game.

(More details: webserver used is Tomcat, AMF client is BlazeDS.)

I'd like to know what the best way to prevent this kind of attack would be. Some ideas I had:

  • the nginx configuration seemed like the best place to handle rate limiting, but I can't find any resources on how nginx interacts with AMF. Do the AMF requests just get sent straight to Tomcat?

  • most requests involve a userId param for the relevant user. Rate-limiting requests involving overused userIds might be one approach - however, an attacker who just wants to flood the server could easily spam random userIds.

  • doing the same as above but using IP addresses in place of userIds could work. However, I can't tell if it's possible to get the IP address from an AMF request.

  • Firstly, it is not called "hacked" when someone reverse engineers a client, and are you even sure a client was reverse engineered? It could just as easily have been a person who just made a Flash file that spams AMFs at your server's IP. But to be somewhat helpful: you need to set up a session for each client and make sure you keep track of sessions and disconnect anyone sending flood data. http://en.wikipedia.org/wiki/Universally_Unique_Identifier That should help you get an overview of how to separate clients if you haven't already. – Aug 15 '11 at 06:28
  • Then you of course need to keep track of the incoming data, and if the client is flooding or making bad requests, you disconnect or block them. – Aug 15 '11 at 06:34
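On the first and third bullets of the question: BlazeDS AMF traffic is an ordinary HTTP POST (Content-Type `application/x-amf`) to the MessageBrokerServlet, by default under `/messagebroker/`, so nginx proxies it like any other request and never needs to understand AMF; the same is true of a servlet Filter mapped in front of that servlet, which sees the client address through the usual `HttpServletRequest` API before any AMF is deserialized. The following is an added example (not code from the question, BlazeDS or Tomcat) of a per-client-IP token-bucket filter for the AMF endpoint. The rate limits, the trusted-proxy address `127.0.0.1`, the class name `AmfRateLimitFilter` and the URL pattern are assumptions for illustration; adjust them to your deployment.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: per-client-IP token-bucket rate limiter for the BlazeDS AMF endpoint.
 * Map it in web.xml with a filter-mapping whose url-pattern matches the
 * MessageBrokerServlet (by default /messagebroker/*), so it runs before AMF is parsed.
 */
public class AmfRateLimitFilter implements Filter {

    // Assumed policy: 20 requests/second sustained, bursts of up to 40 per client address.
    private static final double REFILL_PER_SECOND = 20.0;
    private static final double BUCKET_CAPACITY = 40.0;
    // Assumed reverse-proxy address (e.g. nginx on the same host). X-Forwarded-For is
    // only honoured when the TCP peer is this proxy; otherwise any client could spoof it.
    private static final String TRUSTED_PROXY = "127.0.0.1";

    private final Map<String, Bucket> buckets = new ConcurrentHashMap<String, Bucket>();

    private static final class Bucket {
        double tokens = BUCKET_CAPACITY;
        long lastRefillNanos = System.nanoTime();
    }

    /** Resolve the real client address, trusting X-Forwarded-For only from the proxy. */
    static String clientAddress(HttpServletRequest req) {
        String peer = req.getRemoteAddr();
        if (!TRUSTED_PROXY.equals(peer)) {
            return peer;
        }
        String xff = req.getHeader("X-Forwarded-For");
        if (xff == null || xff.trim().length() == 0) {
            return peer;
        }
        // nginx's $proxy_add_x_forwarded_for appends the peer it saw, so with a single
        // proxy at the edge the last entry is the address the client actually connected from.
        String[] parts = xff.split(",");
        return parts[parts.length - 1].trim();
    }

    /** Returns true if this request is within budget for the given address. */
    boolean tryAcquire(String address) {
        Bucket b = buckets.get(address);
        if (b == null) {
            Bucket fresh = new Bucket();
            Bucket existing = buckets.putIfAbsent(address, fresh);
            b = (existing == null) ? fresh : existing;
        }
        synchronized (b) {
            long now = System.nanoTime();
            double elapsedSeconds = (now - b.lastRefillNanos) / 1e9;
            b.tokens = Math.min(BUCKET_CAPACITY, b.tokens + elapsedSeconds * REFILL_PER_SECOND);
            b.lastRefillNanos = now;
            if (b.tokens < 1.0) {
                return false;
            }
            b.tokens -= 1.0;
            return true;
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // The AMF body is never read here; the decision is made on the transport address alone.
        if (tryAcquire(clientAddress(req))) {
            chain.doFilter(request, response);
        } else {
            resp.setHeader("Retry-After", "1");
            resp.sendError(429, "Too Many Requests");
        }
    }

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }
}
```

Two caveats a practitioner would want: the bucket map grows by one entry per distinct address and needs periodic eviction of idle buckets (or a bounded cache) in production, and this filter cannot key on `userId`, because that value lives inside the AMF body; per-user limiting has to happen after BlazeDS has deserialized the message, where the `userId` parameter is available to your service code. Limiting at nginx with `limit_req` on the `/messagebroker/` location gives the same per-IP effect one hop earlier and costs Tomcat nothing.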

1 Answer


Your Java application should pass a unique identifier to the firewall of the host operating system and block that client. This way you would prevent your application from doing things it isn't supposed to do (being a firewall).

Rytis Alekna