I want to limit file upload frequency to our webservice to prevent denial-of-service (directed at the server) - specifically, temporary folders filling up with fake uploads.
This could be the user misbehaving, or, if this goes over http:, someone pretending to be the user.
There are already some measures, like limiting file size, checking user agent, but I want to add some sort of rate limiting.

  • A user can upload 3 files 'at once'.
  • Let's assume that legitimate user action takes at least 5 seconds (between valid uploads).
  • Users are identified by UserID; they have logged in already.

The current idea is to maintain a list/array with the three most recent upload (attempt) times per UserID, and discard the upload if the difference between upload time (end time of transaction) and oldest of the three times is less than 5 seconds.

Example: a user uploads files at 1,3,7,15,20,21,22,23,24,36 seconds:

Time  Array
      [0,0,0]    Initial situation
1     [0,0,0]    Comparing with first entry 0 - allowed 
3     [0,0,1]    Idem
7     [0,1,3]    Idem
14    [1,3,7]    14-1  > 5 Allowed
20    [3,7,15]   20-3  > 5 Allowed
21    [7,15,20]  21-7  > 5 Allowed
22    [15,20,21] 22-15 > 5 Allowed
23    [20,21,22] 23-20 < 5 Upload discarded
24    [21,22,23] 24-21 < 5 Upload discarded
36    [22,23,24] 36-24 > 5 Allowed

For me the question is if this is a decent enough algorithm to rate limit the uploads. But specifically:
When/where will it fail? Where do you see loopholes?

Notes:

  • I already maintain a thread-safe token for each user, so this would just mean adding 3 DWORDs to it (for tick counts)
  • By spoofing a user an attacker would deny uploads for that user, but that's not what I want to protect against
  • We have no provisions in place to handle replay attacks; that's a different discussion that I do not want to mix with this one
  • FWIW I'm programming in Delphi XE2
2
  • Are you asking if we can think of any way this might fail? If you don't have a max file size that's one obvious way. Whether this is "good enough" depends entirely on the app and how its users behave so unfortunately it's not really an answerable question.
    – Ixrec
    Commented Apr 12, 2016 at 9:55
  • Rephrased the Q. I already mentioned max file size.
    – Jan Doggen
    Commented Apr 12, 2016 at 10:16
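
The scheme from the question, as an added example in C that is not the asker's code (the asker works in Delphi XE2). It goes slightly beyond the post by tracking a fill count instead of the [0,0,0] sentinel and by using unsigned subtraction so that a wrapping 32-bit tick counter does not break the comparison. The names `upload_window`, `upload_attempt` and `replay`, and the millisecond tick unit, are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SLOTS       3      /* burst size: "3 files at once" */
#define MIN_SPAN_MS 5000u  /* 5 seconds, in tick-count milliseconds (assumed unit) */

/* Per-user state; would sit in the existing thread-safe user token. */
typedef struct {
    uint32_t ticks[SLOTS]; /* most recent attempt times, oldest first */
    unsigned count;        /* valid entries; replaces the [0,0,0] sentinel */
} upload_window;

/* Decide one attempt. It is recorded even when discarded, as in the question's
   table, so a client that keeps hammering stays locked out until it backs off. */
bool upload_attempt(upload_window *w, uint32_t now_ms)
{
    bool allowed = true;
    if (w->count == SLOTS) {
        /* Unsigned subtraction is modulo 2^32: correct across a tick wrap. */
        allowed = (uint32_t)(now_ms - w->ticks[0]) >= MIN_SPAN_MS;
        for (unsigned i = 1; i < SLOTS; i++)
            w->ticks[i - 1] = w->ticks[i];
        w->count = SLOTS - 1;
    }
    w->ticks[w->count++] = now_ms;
    return allowed;
}

/* Replay attempt times on a fresh window; bit i is set if attempt i was allowed. */
unsigned replay(const uint32_t *times_ms, size_t n)
{
    upload_window w = {{0}, 0};
    unsigned mask = 0;
    for (size_t i = 0; i < n; i++)
        if (upload_attempt(&w, times_ms[i]))
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    /* The question's sequence 1,3,7,15,20,21,22,23,24,36 s, in milliseconds. */
    const uint32_t t[] = {1000, 3000, 7000, 15000, 20000, 21000, 22000, 23000, 24000, 36000};
    printf("allowed mask: 0x%x\n", replay(t, sizeof t / sizeof t[0]));
    return 0;
}
```

On the question's sequence, only the attempts at 23 and 24 seconds are discarded, which matches the outcomes in the table.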
