CODEWITHSUNDEEP
node.jsexpressconnectionterminateabort
user826955
user826955

Reputation: 3206

How to abort a request with node.js/express?

If a certain condition is met (too many login-attempts) I want to block all further requests for a given IP address. To achieve this, I'm currently looking through the Node.js and express docs, but I fail to find a suitable method which allows me to abort a request. All I could come up with so far is a regular res.status(403).end(), which, however, sends a complete answer on the HTTP level.

Thus, I want to abort the connection already on TCP-level. What I thought about was something like this:

server.on('connection', (sock) => { if (shouldBlock(...) sock.destroy(); });

Would this work out the way I want, or is this bad practice? It seems to work, but I am curious if this would cause any leaks, issues or side effects on other (non-blocked) requests?

Upvotes: 1

Views: 4071

Answers (2)

Huỳnh Tấn Lực
Huỳnh Tấn Lực

Reputation: 45

req.on('aborted', ()=> {
  console.log('Aborted)
})

Reference at: https://github.com/expressjs/multer/issues/259

Upvotes: 0

rsp
rsp

Reputation: 111506

If you want to be annoying for your blocked IPs then you can add a delay to your response with something like:

setTimeout(() => res.status(403).end(), 10000);

But I wouldn't do that for two reasons. First, it is more work for your server than responding immediately. Second, you may be blocking and wasting resources of some proxy servers that may be between you and the client - including your own reverse proxies etc.

For the same reason I would also not recommend silently dropping the connection which could also potentially cause some problems for your own server.

What you can do instead is add rules to your routing tables to drop the connections from certain IP addresses before they even reach your Node server. Remember that if the connections reach your Node applications then even if they get dropped by your app, they still hammer you application and waste your resources.

For example on Linux you can block a certain IP like this:

iptables -A INPUT -s 1.2.3.4 -j DROP

where 1.2.3.4 is the IP address that you want to block.

In Node you can use node-iptables.

I would certainly not recommend storing the blocked IPs in the database and checking it on every request because it would be more work for your server than to serve those requests in the first place. If you do a database for that then make sure it's Redis or some other fast in-memory database.

What you also need to consider is that a lot of times people are behind NAT so for example an entire company or school can use the same IP address. Silently dropping the connection from the entire school because one kid has made too many login attempts would make your service appear broken to anyone else in that school. Such a feature could be used against your server to disable it for certain people on purpose.

Upvotes: 1

Related Questions