
If you look at the answer by Casey Chu (answered Nov 30 '10) in this question: How do you extract POST data in Node.js?

You will see that he is responding to 'data' events to construct the body of the request. Reproducing the code here:

var qs = require('querystring');

// Named so the snippet is valid on its own; the original was an anonymous
// function expression passed to http.createServer().
function handleRequest(request, response) {
    if (request.method == 'POST') {
        var body = '';
        request.on('data', function (data) {
            body += data;

            // Too much POST data, kill the connection!
            if (body.length > 1e6)
                request.connection.destroy();
        });
        request.on('end', function () {
            var post = qs.parse(body);

            // use post['blah'], etc.
        });
    }
}

Suppose I don't care about POST requests, and hence never check if a request is POST or create a 'data' event handler. Is there a risk that someone can block my thread by sending a really large POST request? For example, instead of the above code, what if I just did:

function hearStory(request, response) {
    response.writeHead(200, {"Content-Type": "text/plain"});
    response.write("Cool story bro!");
    response.end();
}

What happens to really large POST requests then? Does the server just ignore the body? Is there any risk to this approach? GET requests including their headers must be less than 80kB, so it seems like a simple way to avoid flooding my server.

Rahul Iyer

1 Answer

Hopefully these kinds of attacks can be detected and averted before they ever get to your server via a firewall or something else. You shouldn't handle DOS attacks with the server itself. However, if they've gotten to your server with malicious intent, there needs to be a way to handle it. If you intend on handling POST requests, the code you're referring to will help.

If you just want to avoid POST requests altogether and not listen for them, as is demonstrated by the second code snippet, you could do something like the following.

function denyPost(req, res) {
    // The original used `request` here, which does not match the
    // parameter name `req`; fixed so the function actually runs.
    if (req.method == 'POST') {
        console.log('POST denied...'); // this is optional.
        req.connection.destroy(); // this kills the connection.
    }
}

Of course, this won't work if you plan on handling POST requests somehow. But again, DOS attacks need to be handled before they ever get to your server. If they've gotten there, they've already won.

enolam