
    From Rob Swindell (on Windows 11)@1:103/705 to Git commit to main/sbbs/master on Fri May 22 00:13:46 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/64788e721a2fcdfb0c54f202
    Modified Files:
    ctrl/sbbs.ini src/sbbs3/ratelimit.hpp sbbs_ini.c src/sbbs3/scfg/scfgsrvr.c src/sbbs3/websrvr.cpp websrvr.h
    Log Message:
    websrvr: add subnet-aggregated connection rate limiter with auto-filter

    Add a connection rate limiter to the web server, enforced at accept()
    before a session thread or TLS handshake is spawned, complementing the
    existing post-parse request rate limiter. This rejects a connection flood
    at the cheapest possible point and counts connections (e.g. aborted TLS
    handshakes) that never produce a parseable request.

    Both limiters can now optionally aggregate clients by IPv4/IPv6 subnet
    prefix, so distributed abuse spread thinly across many addresses in a
    hosting provider's range is counted (and filtered) as a single CIDR bucket
    rather than slipping under per-host-IP limits.

    Repeat offenders that exceed a rate limit RateLimitFilterThreshold times
    are auto-filtered: the offending IP or subnet (in CIDR notation) is
    written to ip.can, or ip-silent.can (dropped at accept) when
    RateLimitFilterSilent, with an optional expiry. The connection and
    request limiters share one set of auto-filter/subnet settings (each keeps
    its own independent denial counter).

    New [Web] ini settings, also configurable via SCFG (Web Server Settings ->
    Rate Limiting...): MaxConnectsPerPeriod, ConnectRateLimitPeriod,
    RateLimitSubnetPrefix4, RateLimitSubnetPrefix6, RateLimitFilterThreshold,
    RateLimitFilterDuration, RateLimitFilterSilent.

    - ratelimit.hpp: allowRequest() optionally reports a per-key denial count
    (reset when a client goes idle) as an escalation signal for auto-filtering.
    - websrvr.cpp: rate_limit_key() masks a client IP to its subnet CIDR;
    rate_limit_filter() writes abusers to the filter file. Connection limiter
    wired in at accept; request limiter updated to share the same machinery.
    Also include the protocol in the accept-time MAXIMUM CLIENTS log message,
    for consistency with the per-request one.
    - scfg: new "Rate Limiting..." submenu under Web Server Settings, with a
    status summary on the menu line.
    - ctrl/sbbs.ini: document the new [Web] keys (disabled by default).

    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
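The mechanism the commit describes, as an added illustration that is not Synchronet's code and does not reproduce websrvr.cpp, ratelimit.hpp or the ip.can file format: a client address is masked to a configured IPv4/IPv6 prefix and rendered as a CIDR key, every host in that range then shares one fixed-window counter, and a per-key denial count escalates while the key keeps exceeding the limit until a threshold appends the CIDR to an in-memory stand-in for ip.can or ip-silent.can with an optional expiry. The names (subnet_key, SubnetRateLimiter, flood_from_slash24), the constructor parameters standing in for MaxConnectsPerPeriod / ConnectRateLimitPeriod / RateLimitSubnetPrefix4/6 / RateLimitFilterThreshold / RateLimitFilterDuration / RateLimitFilterSilent, and the exact rule for when a client counts as idle (no events for one full period) are assumptions made here for the example; the 64-host flood from 203.0.113.0/24 is constructed input.

```cpp
#include <arpa/inet.h>
#include <cstdint>
#include <cstring>
#include <ctime>
#include <map>
#include <string>
#include <vector>

// Mask a client address to its configured subnet prefix and render it in CIDR
// notation ("203.0.113.0/24"), so every host in the range shares one bucket.
// Prefix 0 (or the full address width) keeps per-host keys; unparsable input
// is returned unchanged as its own key. (Example code, not the project's.)
std::string subnet_key(const std::string& ip, int prefix4, int prefix6) {
    unsigned char buf[16];
    char out[INET6_ADDRSTRLEN];
    if (inet_pton(AF_INET, ip.c_str(), buf) == 1) {
        if (prefix4 <= 0 || prefix4 >= 32) return ip;
        uint32_t v;
        std::memcpy(&v, buf, 4);
        v &= htonl(~uint32_t(0) << (32 - prefix4));
        inet_ntop(AF_INET, &v, out, sizeof out);
        return std::string(out) + "/" + std::to_string(prefix4);
    }
    if (inet_pton(AF_INET6, ip.c_str(), buf) == 1) {
        if (prefix6 <= 0 || prefix6 >= 128) return ip;
        for (int i = 0, bits = prefix6; i < 16; ++i, bits -= 8) {
            if (bits >= 8) continue;  // byte lies fully inside the prefix
            buf[i] = bits > 0 ? (unsigned char)(buf[i] & (0xff << (8 - bits))) : 0;
        }
        inet_ntop(AF_INET6, buf, out, sizeof out);
        return std::string(out) + "/" + std::to_string(prefix6);
    }
    return ip;
}

// Per-key counter. denials is the escalation signal: it grows while the key
// keeps exceeding the limit and is cleared once the client has been idle
// (assumed here: no events for one full period).
struct Bucket {
    std::time_t window_start = 0, last_seen = 0;
    unsigned count = 0, denials = 0;
};

// Stand-in for a line appended to ip.can or ip-silent.can (expires 0 = never).
struct FilterEntry { std::string cidr, file; std::time_t expires; };

class SubnetRateLimiter {
public:
    SubnetRateLimiter(unsigned max_per_period, std::time_t period, int prefix4, int prefix6,
                      unsigned filter_threshold, std::time_t filter_duration, bool silent)
        : max_(max_per_period), period_(period), prefix4_(prefix4), prefix6_(prefix6),
          threshold_(filter_threshold), duration_(filter_duration), silent_(silent) {}

    // Decide whether one connection (or request) from ip at time now is allowed.
    bool allow(const std::string& ip, std::time_t now) {
        const std::string key = subnet_key(ip, prefix4_, prefix6_);
        Bucket& b = buckets_[key];
        if (now - b.last_seen >= period_) {            // idle: new window, escalation reset
            b.window_start = now; b.count = 0; b.denials = 0;
        } else if (now - b.window_start >= period_) {  // still active: new period only
            b.window_start = now; b.count = 0;
        }
        b.last_seen = now;
        if (++b.count <= max_) return true;
        if (++b.denials == threshold_ && threshold_ > 0)
            filter_.push_back({key, silent_ ? "ip-silent.can" : "ip.can",
                               duration_ > 0 ? now + duration_ : 0});
        return false;
    }

    // Would this address be dropped at accept() by an unexpired filter entry?
    bool is_filtered(const std::string& ip, std::time_t now) const {
        const std::string key = subnet_key(ip, prefix4_, prefix6_);
        for (const FilterEntry& e : filter_)
            if (e.cidr == key && (e.expires == 0 || now < e.expires)) return true;
        return false;
    }

    const std::vector<FilterEntry>& filter() const { return filter_; }

private:
    unsigned max_; std::time_t period_; int prefix4_, prefix6_;
    unsigned threshold_; std::time_t duration_; bool silent_;
    std::map<std::string, Bucket> buckets_;
    std::vector<FilterEntry> filter_;
};

// Constructed scenario: 64 distinct hosts in 203.0.113.0/24 each open one
// connection within a few seconds. Per-host counting never trips a limit of
// 10; the aggregated /24 bucket does. Returns how many were admitted.
int flood_from_slash24(SubnetRateLimiter& rl) {
    int admitted = 0;
    for (int i = 1; i <= 64; ++i)
        if (rl.allow("203.0.113." + std::to_string(i), 1000 + i / 8)) ++admitted;
    return admitted;
}
```

With a limit of 10 per 60 s, a /24 prefix and a filter threshold of 3, the flood admits only the first 10 connections; the 13th denial writes 203.0.113.0/24 to the silent list with an expiry one hour out, after which any host in that range is dropped until the entry expires, while an address in a different /24 is unaffected. Note the two ways a window can end: a still-active key gets a fresh count but keeps its denial tally (so a sustained flood still escalates), whereas a key that has gone quiet for a full period starts over with its denials cleared.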