
Is there any way we can prevent this from happening?
Do not allow users to spam.
Spamming is done quite easily and can crash a server.
With no easy way to see IP addresses, mass delete messages, mass delete users, or prevent spamming and flooding, the basic fundamentals of preventing exploits like this are not there.
Yet we are seeing many nice features continue to be supported and added, giving even more tools for the troublemakers to have their way. Some installs have never experienced this because they don't encounter the situation (maybe they only use their rocket.chat for office environments), but that doesn't make them immune to such harm in the future (from, let's say, a disgruntled employee).
@WebSavvyGuy thanks for the report. We do have a setting for controlling the number of times per second a user can call each method on the server, but I guess the defaults are too high; we should lower them. Regarding mass deletion of messages, the easy way to do it is to delete the original user, and the system will then delete all of their messages together.
I'll ask the team to look into your other recommendations and give you some feedback on how we can implement them.
A lot of our problems are coming from "anonymous" users. It is definitely a nice feature to have, and I hope anonymous users are not removed, but it also allows the bad apples to come out.
Deleting the user doesn't help because by the time we get to that stage, the server will have already been crashed and their job is done.
@engelgabriel
One thing I would like to see, and I think a lot of your application users would concur, as I've seen the issue raised many times in the past, is the ability to click/highlight a user's name (as Administrator) and see the IP addresses of the user. Then we can report them to the authorities and handle them internally by blocking them from accessing our server. That would solve a lot of issues.
Hi @WebSavvyDude
in the meantime we have implemented various rate limiting features in RC, which you can set on IP and user level. This should prevent user spamming.
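The replies above mention a per-method call limit and, later, rate limits that can be set at IP and user level. The following is an added example, not Rocket.Chat's own code or a reproduction of its settings, showing why both keys are needed: a per-user budget alone is defeated by an attacker who rotates through anonymous accounts from one address, while a per-IP budget catches that case. The limiter, the limits (10 messages/s per user, 20 messages/s per IP), the account names and the 203.0.113.7 address are all assumptions constructed for the demonstration.

```javascript
// Added example (not Rocket.Chat code): a sliding-window rate limiter keyed
// by user id and by client IP, with a "check every budget, then charge every
// budget" admission policy so a rejected attempt never consumes quota.
class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;       // max accepted hits per key within the window
    this.windowMs = windowMs; // window length in milliseconds
    this.hits = new Map();    // key -> timestamps of accepted hits, oldest first
  }

  // Prune timestamps that have fallen out of the window and return the rest.
  // Only accepted hits are stored, so a key never holds more than `limit` entries.
  recent(key, nowMs) {
    const cutoff = nowMs - this.windowMs;
    let times = this.hits.get(key);
    if (!times) { times = []; this.hits.set(key, times); }
    while (times.length && times[0] <= cutoff) times.shift();
    return times;
  }

  hasRoom(key, nowMs) { return this.recent(key, nowMs).length < this.limit; }

  record(key, nowMs) { this.recent(key, nowMs).push(nowMs); }

  // Drop keys with no hits left in the window, so thousands of throwaway
  // anonymous accounts do not keep growing the map. Returns keys removed.
  sweep(nowMs) {
    let removed = 0;
    for (const key of [...this.hits.keys()]) {
      if (this.recent(key, nowMs).length === 0) { this.hits.delete(key); removed += 1; }
    }
    return removed;
  }
}

// Build an admission policy with independent per-user and per-IP budgets.
function createPolicy({ perUser, perIp, windowMs }) {
  const userLimiter = new SlidingWindowLimiter(perUser, windowMs);
  const ipLimiter = new SlidingWindowLimiter(perIp, windowMs);

  function admit(msg, nowMs) {
    const budgets = [
      ['user', userLimiter, `user:${msg.userId}`],
      ['ip', ipLimiter, `ip:${msg.ip}`],
    ];
    // Check all budgets first; charge them only if every one has room.
    for (const [name, limiter, key] of budgets) {
      if (!limiter.hasRoom(key, nowMs)) return { accepted: false, reason: `${name}-rate-limit` };
    }
    for (const [, limiter, key] of budgets) limiter.record(key, nowMs);
    return { accepted: true };
  }

  const sweep = (nowMs) => userLimiter.sweep(nowMs) + ipLimiter.sweep(nowMs);
  return { admit, sweep };
}

// Feed a batch of messages through a policy and count the verdicts.
function tally(admit, messages) {
  const counts = { accepted: 0, 'user-rate-limit': 0, 'ip-rate-limit': 0 };
  for (const m of messages) {
    const verdict = admit(m, m.t);
    counts[verdict.accepted ? 'accepted' : verdict.reason] += 1;
  }
  return counts;
}

// Two constructed floods, each 1 ms apart within a 1 s window (assumed limits).
function runScenarios() {
  const ip = '203.0.113.7'; // constructed: documentation-range address
  const limits = { perUser: 10, perIp: 20, windowMs: 1000 };

  // Scenario A: one account flooding. The per-user budget stops it at 10.
  const a = createPolicy(limits);
  const flood = Array.from({ length: 30 }, (_, i) => ({ userId: 'spammer', ip, text: 'SPAM', t: i }));
  const single = tally(a.admit, flood);
  // After the window passes, the key is swept and the account can post again.
  const swept = a.sweep(1100);
  const afterCooldown = a.admit({ userId: 'spammer', ip, text: 'hi', t: 1100 }, 1100).accepted;

  // Scenario B: five anonymous accounts from one address, 10 messages each.
  // Every account stays within its own budget; only the per-IP budget catches it.
  const b = createPolicy(limits);
  const puppets = Array.from({ length: 50 }, (_, i) => ({ userId: `anon${i % 5}`, ip, text: 'SPAM', t: i }));
  const multi = tally(b.admit, puppets);

  return { single, swept, afterCooldown, multi };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Two design points carry over to any real deployment: the limits are checked before any of them is charged, so an attacker cannot burn the IP budget of a shared NAT address with attempts that the user budget already rejects, and the per-IP key only helps if the server sees the real client address, which behind a reverse proxy means trusting the forwarded-for header from that proxy alone.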