#Spring Cloud Gateway DOS protection

I have a simple DOS attack implementation that opens ssl connections, keeps them opened forever and sends a lot of data through them. My Spring app RAM was consumed very fast. I implemented this protection:

@Bean
public NettyServerCustomizer floodProtectionServerCustomizer() {
    return httpServer -> httpServer
            .option(ChannelOption.SO_RCVBUF, BYTES)
            .option(ChannelOption.SO_SNDBUF, BYTES)
            .doOnConnection(conn -> {
                conn.channel()
                        .pipeline()
                        .addFirst(new ReadTimeoutHandler(5, TimeUnit.SECONDS));

                conn.channel()
                        .pipeline()
                        .addFirst(new FloodDetector());
            });

}

@ChannelHandler.Sharable
static class FloodDetector extends ChannelInboundHandlerAdapter {
    private final LongAdder bytesRead = new LongAdder();

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        if (msg instanceof ByteBuf buf) {
            bytesRead.add(buf.readableBytes());
            if (bytesRead.sum() > BYTES) {
                ctx.channel().close();
                ReferenceCountUtil.release(msg);
                return;
            }
        }
        ctx.fireChannelRead(msg);
    }

    @Override
    public void channelInactive(ChannelHandlerContext ctx) {
        bytesRead.reset();
        ctx.fireChannelInactive();
    }
}

It worked, but I'm not sure this is a very good approach. Is it a good solution?

Detected code, here are some useful tools:

<@&1004656351647117403> please have a look, thanks.

Add a rate limit on the speed user can send, and add a limit to the size you can receive total.

Add a timeout on the connection.

Rate limiting doesn't really help since Spring still handles all connections and send 429. What about size, I haven't found a way to specify a size a socket can receive. Tried some Netty configs, it didn't help

Timeout also didn't help, maybe I misconfigured it

I'll send my application.yaml

spring:
  application:
    name: gateway
  cloud:
    gateway:
      server:
        webflux:
          routes:
            - id: spring
              uri: http://localhost:8080
              predicates:
                - Path=/**
              filters:
                - name: RequestRateLimiter
                  args:
                    key-resolver: '#{@ipKeyResolver}'
                    redis-rate-limiter.replenishRate: 20
                    redis-rate-limiter.burstCapacity: 40
                    redis-rate-limiter.requestTokens: 1
          default-filters:
            - name: RequestRateLimiter
              args:
                key-resolver: '#{@ipKeyResolver}'
                redis-rate-limiter.replenishRate: 5
                redis-rate-limiter.burstCapacity: 10
  data:
    redis:
      lettuce:
        pool:
          enabled: true
          max-wait: 5000
      host: localhost
      port: 6379
  http:
    codecs:
      max-in-memory-size: 32KB
server:
  ssl:
    key-store-type: PKCS12
    key-store: classpath:/keystore.p12
    key-alias: spring-https
    key-store-password: changeit
    enabled: true
  port: 443
  netty:
    connection-timeout: 5000

  reactive:
    session:
      timeout: 30s
  servlet:
    session:
      timeout: 30s
resilience4j:
  circuitbreaker:
    instances:
      backendCircuitBreaker:
        sliding-window-size: 10
        failure-rate-threshold: 50
        wait-duration-in-open-state: 30s
        automatic-transition-from-open-to-half-open-enabled: true
logging:
  level:
    io.netty.util.ResourceLeakDetector: info

Detected code, here are some useful tools:

@proud topaz

Dump