Differences

howto:block-hackers [2026/05/17 20:18] – [Concurrent Connection Auto-Filtering] document new MaxConConnFilterSilent option (issue #1140) Claude.Ai
howto:block-hackers [2026/05/22 00:32] (current) – Add Web Server rate-limiting and auto-filter section (connection/request limiters, subnet aggregation) Claude.Ai
Line 107: Line 107:
  
 As with the failed-login auto-filter, IPs listed in ''[[dir:ctrl]]/ipfilter_exempt.cfg'' are exempt from this mechanism. As with the failed-login auto-filter, IPs listed in ''[[dir:ctrl]]/ipfilter_exempt.cfg'' are exempt from this mechanism.
 +
 +=== Web Server Rate Limiting ===
 +
 +//(Synchronet v3.22 and later, Web Server.)//
 +
 +The same kind of resource-exhaustion problem affects the [[server:web|Web Server]]: automated scrapers and bots can open a flood of connections and requests, occupying every available client slot (''MaxClients'') and tying up threads and TLS handshakes so that legitimate visitors are turned away.  Increasingly these come from large cloud/hosting ranges and are spread thinly across hundreds of addresses, so a per-IP limit alone never trips.
 +
 +To mitigate this, the Web Server supports two rate limiters plus an auto-filter:
 +  * **Connection rate limiter** — caps the number of connections allowed from a client over a time period, enforced at //accept// (before a session thread or TLS handshake is created), so a flood is shed at the cheapest possible point.  Configured via ''MaxConnectsPerPeriod'' / ''ConnectRateLimitPeriod''.
 +  * **Request rate limiter** — caps the number of HTTP[S] requests from a client over a time period (enforced after each request is parsed).  Configured via ''MaxRequestsPerPeriod'' / ''RequestRateLimitPeriod''.
 +  * **Subnet aggregation** — optionally counts (and filters) all clients within an IPv4/IPv6 subnet //together//, in CIDR notation, defeating abuse distributed thinly across a provider's range.  Configured via ''RateLimitSubnetPrefix4'' (e.g. ''24'') and ''RateLimitSubnetPrefix6'' (e.g. ''64''); ''0'' counts each host IP separately.
 +  * **Auto-filter** — a client (or subnet) that exceeds a rate limit ''RateLimitFilterThreshold'' times is persistently blocked by adding its IP or CIDR to ''[[dir:text]]/[[config:ip.can]]'' (or, when ''RateLimitFilterSilent'' is enabled, the //silent// ''[[dir:text]]/[[config:ip-silent.can]]'', which is checked at //accept//), with an expiration of ''RateLimitFilterDuration'' seconds.
 +
 +Configure either via **SCFG -> Servers -> Web Server -> Rate Limiting...** or by editing the ''**[Web]**'' section of ''[[dir:ctrl]]/[[config:sbbs.ini]]'' directly; see [[server:web]] for the full list of keys.  All limiters and the auto-filter are disabled by default, and IPs listed in ''[[dir:ctrl]]/ipfilter_exempt.cfg'' are exempt.
  
 ===== See Also ===== ===== See Also =====
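Review bot: The auto-filter bullet in this hunk calls the block "persistently blocked" and in the same sentence gives it "an expiration of RateLimitFilterDuration seconds"; clarify that persistent refers to the entry being written to ip.can or ip-silent.can (so it outlives the session, unlike the in-memory rate counters) and that it is then dropped once the duration elapses, and state what value, if any, makes the entry never expire. The closing paragraph says all limiters and the auto-filter are disabled by default but never says which setting value disables them or gives a sensible starting point for MaxConnectsPerPeriod / ConnectRateLimitPeriod and MaxRequestsPerPeriod / RequestRateLimitPeriod, so a sysop enabling this has to guess; a short example such as "MaxConnectsPerPeriod=10, ConnectRateLimitPeriod=60" with a note on which value turns a limiter off would fix that. Finally, since subnet aggregation counts an entire /24 or /64 together and the auto-filter writes the CIDR, the exemption sentence should say whether an address in ipfilter_exempt.cfg exempts only that host's traffic from the count or the whole aggregated subnet it falls in, because blocking a /24 that contains an exempt host is exactly the case an operator will hit first.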