Reputation: 136339
Is it possible to restrict the CPU / memory usage a Flask request triggers?
I develop backends with flask and I'm currently reading about attacks such as the Billion laughs attack. Although I'm aware of other ways to defend against them, my motivation for this question is defense in depth (take several different defenses in different components - if one gets bypassed, hopefully, others are effective).
One user should not be able to cause a DOS for other users. If I run Flask via gunicorn, I think it generates one thread per request. Is it possible to set hard CPU usage/memory usage limits to those threads?
What I found
From what I found, I guess that it might either be impossible or that I'm looking at the wrong level:
- gunicorn security: Seems only about restricting the headers/payload of the request
- Flask security: Seems only to be about XSS, CSRF, CSP, and various headers
- Flask-Limiter: Rate limiting for flask
I thought that the main process needs to take care of administrating it's threads, but maybe the OS can/has to do that as well?
Upvotes: 4
Views: 2302
Answers (1)
Reputation: 136339
I think I found an answer:
post_worker_init(worker) and resource.setrlimit(resource.RLIMIT_AS, 10 * 2**20). Potentially also resource.RLIMIT_STACK or resource.RLIMIT_HEAP.
Upvotes: 1
Related Questions
- Handle 1000 concurrent requests for Flask/Gunicorn web service
- How to make flask handle 25k request per second like express.js
- Sequential request processing (CPU-heavy processing)
- How can I rate-limit my Flask application per user?
- How many concurrent requests does a single Flask process receive?
- How can I disable threading in Flask?
- Using Flask with CPU-bound requests that need to be parallelized onto multiple cores
- Reducing Flask/Gunicorn request queue
- How to share in memory resources between Flask methods when deploying with Gunicorn
- Make a non-blocking request with requests when running Flask with Gunicorn and Gevent