I once checked my Ubuntu server with the iftop command and it showed an unknown connection, which had been there for a very long time.
How do I secure my WebSocket (DDP)? I'm not sure if it is related to Mongo, as this server also hosts the MongoDB server.
A few things:
Check out the documentation on rate limiting here: https://guide.meteor.com/security.html#rate-limiting
Another user had a few ideas on this subject here: How to secure DDP?
It would be nice if it was made a little clearer how to prevent these things, but I would strongly suggest limiting IP access AND using the built-in rate limiting.
Thank you, and I'll check it later.
I just feel like my site is slow with Meteor.
But I don't know how to migrate it to another framework because of the accounts package, which creates a subscription on app startup and uses a lot of dependencies.
Is it a feeling? Or is it actually slow?
It could be that your server is compromised?
Do you have monitoring setup?
Maybe hackers mining bitcoin?
Potential sloppy code in a reactive context subscribing way too many times?
These are used for version checking, and I have no subscriptions except for the account.
99% of the time when Meteor is running slow…it's really not Meteor that is the issue, I hate to say. I would also say that a really good portion of the time the issue resides with pubs/subs. Try and take a look at what you are publishing from the server to the client. If there is data there that is not necessary, the first step is to clean that up.
Though I did suggest it (per the Meteor Docs), I have never really had a need to use the rate-limiting features of Meteor. Meteor has always run quite fast for me…but then again this is a completely different topic than the original post. I would suggest reading the Meteor Docs a bit more and perhaps checking out more posts here on the forums. Here are a few things to get you started:
There are countless threads on this topic. I would think you could find the nugget you are looking for somewhere here on the forums, or create a new post related to performance. The Meteor community is super active and happy to help!
Thanks for your good opinion.
I've been optimizing my app; I mostly use Methods and I create a cache for both client and server.
In it, 3 servers use 2 Redis; the client just uses some Vue global data.
And I always debug with "Chrome meteor" to measure all the pub/sub, methods and their sizes, which are all within my expectations. No duplicates, no big data (though many are around 15kb (above 20 documents)).
And I have just implemented the rate limit for all the methods with "3 actions / 1 connection / 1 second".
And I hope it will work.
I don't know if someone is DDoS attacking my site, because the domains in the screenshot are still there. But there is actually no more large traffic all the time, only up and down. However, it still takes the biggest share of bandwidth on my server.
I want to get rid of that domain but don't know how to do it. I tried the Cloudflare firewall, but with no result.
This does sound like DDoS. The DDP rate limiter is not going to be sufficient if your attacker(s) just randomly call your methods and/or subscriptions million times a second. The WebSocket connections will be created nonetheless and that weighs on your CPU. In practice, it is ridiculously simple to DoS Meteor (straight from Chrome’s console). But it’s not the framework’s job to protect you against that. Reverse proxies such as NGINX have good options in that respect.
As a first port of call, I would install sikka ASAP: https://github.com/Akarda/sikka
We actually use its original version in production all the time.
Edit: Galaxy has app protection against DDoS: https://galaxy-guide.meteor.com/protection.html
The package has error.
I don't understand. I have no Meteor code running on the server which got the DDoS.
The server is just an Nginx server running a load balancer that distributes all the traffic to 3 other servers.
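As an added example (not from any poster in this thread, and not from the sikka project), this is what the NGINX-side throttling mentioned above can look like for a load balancer that fronts three Meteor backends: per-client-IP caps on open WebSocket connections and on handshake rate, so a flood of DDP connections is refused at the proxy before it reaches the app servers. Backend addresses, the server name, certificate paths and the numeric limits are assumptions; the realip lines matter only when Cloudflare sits in front, since otherwise every connection appears to come from Cloudflare's addresses and the per-IP limits would throttle all clients together.

```nginx
# Per-client-IP limits for the Meteor DDP endpoint (constructed example).
# Zone sizes and rates are assumptions; tune them to observed legitimate traffic.
limit_conn_zone $binary_remote_addr zone=ws_conn:10m;
limit_req_zone  $binary_remote_addr zone=ws_req:10m rate=10r/s;

upstream meteor_backend {
    ip_hash;                  # keep a client's DDP session on one backend
    server 10.0.0.11:3000;    # assumed backend addresses
    server 10.0.0.12:3000;
    server 10.0.0.13:3000;
}

server {
    listen 443 ssl http2;
    server_name example.com;                       # placeholder
    ssl_certificate     /etc/ssl/example.pem;      # placeholder paths
    ssl_certificate_key /etc/ssl/example.key;

    # Only when Cloudflare proxies the site: recover the real client IP,
    # listing each published Cloudflare range with set_real_ip_from.
    # set_real_ip_from <cloudflare-range>;
    # real_ip_header CF-Connecting-IP;

    # Meteor's SockJS/WebSocket (DDP) endpoint
    location ~ ^/(sockjs|websocket) {
        limit_conn ws_conn 20;                     # max open sockets per client IP
        limit_req  zone=ws_req burst=20 nodelay;   # cap handshakes per client IP
        limit_conn_status 429;                     # refused, not queued
        limit_req_status  429;

        proxy_pass http://meteor_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 3600s;                  # drop sockets idle for an hour
    }

    # Everything else (HTML, bundles, HTTP API)
    location / {
        limit_req zone=ws_req burst=50 nodelay;
        proxy_pass http://meteor_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Rejected connections show up in the NGINX error log as "limiting connections by zone" and "limiting requests" entries, which is also the place to watch for which source addresses are being throttled.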
Interesting…I have actually had pretty great success using custom CloudFlare Firewall rules. I have not tried the package that @illustreets mentioned, but it sure looks to have potential. Who is hosting the app? I wonder if your host also offers server-side solutions for preventing a DDoS. Super sorry you're going through this…I've been there…sucks…