Introducing Sikka: A Firewall for Meteor Apps


#1

Hi Guys,

Today we released Sikka. It’s a Firewall for Meteor.
Why do we need something like that? Here’s the reason!

It’s possible to take down a Meteor app by just using a browser console.
Check this video: https://www.youtube.com/watch?v=S0SExEI57oI

That’s where Sikka is going to help us. It’ll protect your app from such kinds of attacks.
Just add Sikka into your app. This is just the first version, we’ve a lot more to come.

Follow this article for More Info: Introducing Sikka - A Firewall for Meteor Apps

Hope you like this.


#2

You are awesome thank you so much Arunoda! Meteor’s Most Valuable Programmer.


#3

It’s quite scary how easy it is to bring down a Node instance.
Great package, though.


#4

Looks like I have no choice. Should this kind of protection be built into Meteor’s core?


#5

Check here: https://trello.com/c/SYcbkS3q/18-dos-hardening-rate-limiting


#6

I really want to try it out right now! Where is my macbook?!


#7

We need StartDos too (-:
For testing (((-:
And can I integrate Sikka into my design?


#8

ha ha. StartDOS is proprietary :smiley:


#9

If I’m using only server methods, will Sikka be useful?


#10

You mean, no one from outside can access your app?
If so, Sikka is less useful.

If your app is open to the public, yes, you need Sikka.


#11

Haha yeah we need a DDoS function in the Meteor core to shut down competing apps :smiley:


#12

I mean, what can’t a user do in the console? Product.insert()


#13

It doesn’t matter. In this case, I’m targeting a Meteor method. Likewise we can target any publication and so on.
Every Meteor app needs some kind of protection like this.


#14

Thanks, it’s clear now


#15

Just goes to show if MDG doesn’t build something, Arunoda will.

For reference, the big long thread that probably started this: https://groups.google.com/forum/#!topic/meteor-talk/XyYhi8ZMgd8


#16

Hi Arunoda,

Found a typo in the github readme page:

If you look at the tables where the Meteor.settings.keys are, there are two “sikka.times.blockIpFor”, one for the environment var SIKKA_BLOCK_IP_FOR_MILLIS, and the other SIKKA_PER_HUMAN_MAX_RPS.


#17

Thanks @powderkeg
I’ll fix it.


#18

Introducing Sikka says

This is just our first release. We have a list of features for detecting various kinds of Meteor-related threats and anomalies. We’ll add them as we go.

We are also looking to integrate both Kadira and Cloudflare with Sikka. Then you will be able to see a list of potential threats in Kadira and click a button to ban that IP directly from Cloudflare. You’ll be able to add rules to ban IPs automatically.

We expect to release the Kadira/Cloudflare integration before the end of this year or sooner. Stay tuned!

The latest commit on GitHub is from 27th Mar 15 + 28 open issues…
So, is this project no longer in development?


#19

I would also like to know what happened to this project and future integrations with Kadira, which sound pretty cool. Also I guess that with DDPRateLimiter a lot of features could be reimplemented easier and in a less hacky way.
@arunoda :slight_smile:


#20

@arunoda ,
Wondering if you can help me out, I get this error while using sikka:

This is the settings I use

"sikka": {
  "captcha": {
    "siteKey": "something",
    "secret": "something"
  },
  "rateLimits": {
    "perIp": 20,
    "perHuman": 20,
    "perSession": 20
  },
  "times": {
    "blockIpFor": 120000,
    "humanLivesUpto": 3600000
  },
  "onlyForHumans": true
}

Any Idea why this happens?

PS. I got new keys from google, still no luck.
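A minimal per-key rate limiter modelled on the sikka.rateLimits and sikka.times settings in the post above, added here as an illustration of how a method-flooding attempt like the one in #1 and #13 gets cut off; it is not Sikka’s own code. It assumes the limits are requests per second per key (IP or session) and that exceeding one blocks the key for blockIpFor milliseconds; the IP addresses and timings are constructed.

```javascript
// Added example, not Sikka's implementation. Limits are taken to be
// requests per second per key; a key that exceeds its limit is blocked
// for blockForMs, mirroring sikka.times.blockIpFor.
class RateLimiter {
  constructor({ maxPerSecond, blockForMs }) {
    this.maxPerSecond = maxPerSecond;
    this.blockForMs = blockForMs;
    this.windows = new Map();      // key -> { windowStart, count }
    this.blockedUntil = new Map(); // key -> timestamp (ms) when the block ends
  }

  // Decide whether a request from `key` arriving at `now` (ms) may proceed.
  check(key, now) {
    const until = this.blockedUntil.get(key);
    if (until !== undefined) {
      if (now < until) return { allowed: false, reason: 'blocked' };
      this.blockedUntil.delete(key); // block expired: start with a clean window
      this.windows.delete(key);
    }
    let w = this.windows.get(key);
    if (!w || now - w.windowStart >= 1000) {
      w = { windowStart: now, count: 0 }; // fixed one-second window
      this.windows.set(key, w);
    }
    w.count += 1;
    if (w.count > this.maxPerSecond) {
      this.blockedUntil.set(key, now + this.blockForMs);
      return { allowed: false, reason: 'rate-exceeded' };
    }
    return { allowed: true, reason: 'ok' };
  }
}

// Constructed settings copied from the post above (perIp / blockIpFor).
const settings = { rateLimits: { perIp: 20 }, times: { blockIpFor: 120000 } };

function newLimiter() {
  return new RateLimiter({ maxPerSecond: settings.rateLimits.perIp,
                           blockForMs: settings.times.blockIpFor });
}

// Replay `requests` calls from one key spaced `intervalMs` apart; count outcomes.
function simulate(limiter, key, requests, intervalMs) {
  const result = { allowed: 0, blocked: 0 };
  for (let i = 0; i < requests; i++) {
    if (limiter.check(key, i * intervalMs).allowed) result.allowed++;
    else result.blocked++;
  }
  return result;
}
```

A console loop firing 100 method calls in 100 ms from one IP is admitted 20 times and then blocked for the full two minutes, while a client at 10 requests per second is never touched.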