# How to throttle requests for NotFound routes


summer raft

Hey, we are getting DDoS'd / tested by bots and are using @nestjs/throttler.
The throttler works well for known routes; however, the bots are hitting API routes that don't exist, and the throttler is not working for those cases.

Requests to non-existent routes are currently caught in our global exception filter, but it's a lot, as we have 40k requests to e.g. /wp-admin and many other routes that don't exist.

Is there a better way to handle this, e.g. rate limiting via IP, etc.?

cursive elk

You might be able to set up some sort of middleware that runs on known spam routes, or possibly a load balancer / reverse proxy to handle rejecting the requests before they get to your server.

summer raft

Thanks @cursive elk.
How should I think about the middleware? Like pass it an array of known routes, then add it first in the middleware stack, before the auth?

cursive elk

Middleware always happens before enhancers, so it'd be easy enough to make sure it happens before any authentication. And I believe that you can do `app.use(arrayOfRoutes, rateLimiter)`.