
How to prevent denial-of-service attacks that cause Appwrite to hang completely?

  • 0
  • Functions
memoonlite
29 Jan, 2024, 08:26

Hello everyone! 👋🏻 I'm testing the security and stability of my Appwrite setup. Running the following code on the client side, which is connecting to a self-hosted instance of Appwrite, causes problems:

while(true) { appWriteClientController.function!.createExecution( functionId: 'somecrazyfunction', xasync: false); }

It floods the server with function executions. Executing the above code causes my server to hang completely. The Appwrite web interface isn't even loading anymore. 💀 So the code above is basically a denial-of-service attack. ☹️

The problem is that everyone can run this code and bring down my server if they extract the right information from my app (endpoint, project ID). I don't even want to think about what happens when someone runs this code concurrently, I'm afraid it might crash the whole OS.

I haven't tested this on Appwrite Cloud because I definitely don't want to perform a denial-of-service attack on a server that is not my own. 😬 But what would actually happen if someone runs this code in combination with Appwrite Cloud? Is Appwrite Cloud resistant to this attack?

Does anyone know how to prevent denial-of-service attacks like the one shown above? 😊

TL;DR
Developers are experiencing denial-of-service attacks on their self-hosted Appwrite setup, causing the server to hang completely. The issue can be mitigated by implementing custom rate limits using a reverse proxy like Cloudflare. The free plan of Cloudflare should be sufficient for this purpose. Developers can also reach out to Appwrite support in the pro plan for additional solutions. There is a feature request on GitHub that addresses this issue. Testing the attack on Appwrite Cloud is not recommended.
D5
29 Jan, 2024, 08:33

I think yes, Appwrite cloud should be resistant, the only issue is that it will be able to process all functions and they will be billed unfortunately, but if you contact appwrite support in pro plan, probably they will give you some solution. I recommend putting a reverse proxy in front to set custom rate limits, like cloudflare if you need. In fact CF will protect you from DDoS too, not only DoS.

I recommend upvoting this feature request since it should solve this issue: https://github.com/appwrite/appwrite/issues/2953

memoonlite
29 Jan, 2024, 08:55

Thanks. 👍🏻 So basically using a service like Cloudflare is absolutely mandatory at the moment if someone uses Appwrite functions, as it'd be very easy for a malicious person to bring down a server or to cause a high bill. 🤔

Time to do some research. 😊 I wonder if I should use Cloudflare Tunnel. Or their regular service. And I wonder if the free version is sufficient. 🤔

D5
29 Jan, 2024, 08:58

I think the regular service should be enough. If you only need to protect the functions endpoint, the free plan should be enough since it allows you to set 1 custom rate limit for free
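The reverse-proxy rate limit D5 recommends, shown here as an added example that is not from the thread or from Appwrite, using a self-hosted nginx in place of Cloudflare. It assumes Appwrite's own ingress listens on 127.0.0.1:8080 and the public host name is appwrite.example.com, and it throttles only the execution-creation route that the loop in the question hammers.

```nginx
# Added example, not from the thread or from Appwrite: nginx in front of a
# self-hosted Appwrite instance, throttling only the call the loop above
# repeats. Assumptions: Appwrite's own ingress listens on 127.0.0.1:8080, the
# public name is appwrite.example.com, and 5 executions/s per client with a
# burst of 10 fits the app's legitimate traffic (tune to your own numbers).

# Key the limiter on the client IP for POST only; an empty key exempts the
# request, so GETs that merely list executions are not throttled.
map $request_method $fn_exec_key {
    default "";
    POST    $binary_remote_addr;
}
# 10 MB of shared memory tracks roughly 160k client addresses.
limit_req_zone $fn_exec_key zone=fn_exec:10m rate=5r/s;
# Answer 429 (not the default 503) and log every rejection so floods show
# up in error.log and can be alerted on.
limit_req_status 429;
limit_req_log_level warn;

server {
    listen 443 ssl;
    server_name appwrite.example.com;
    # Placeholder TLS material; supply your own certificate and key.
    ssl_certificate     /etc/nginx/certs/appwrite.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/appwrite.example.com.key;

    # POST /v1/functions/{functionId}/executions is what createExecution()
    # sends. nodelay rejects excess requests immediately instead of queueing
    # them, so a flood never piles up inside the proxy either.
    location ~ ^/v1/functions/[^/]+/executions$ {
        limit_req zone=fn_exec burst=10 nodelay;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else (console, databases, auth) is proxied unthrottled.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

A per-IP limit caps what one client can do; a distributed flood from many addresses still reaches the proxy, which is the gap D5's Cloudflare suggestion covers. If Cloudflare or another CDN sits in front of nginx, key the zone on the real client address (ngx_http_realip_module with set_real_ip_from and real_ip_header) or every request will share one bucket.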
