Introducing Sikka: A Firewall for Meteor Apps

Hi Guys,

Today we released Sikka. It’s a Firewall for Meteor.
Why do we need something like that? Here’s the reason!

It’s possible to take down a Meteor app by just using a browser console.
Check this video: https://www.youtube.com/watch?v=S0SExEI57oI

That’s where Sikka is going to help us. It’ll protect your app from such kinds of attacks.
Just add Sikka to your app. This is just the first version; we have a lot more to come.

Follow this article for more info: Introducing Sikka - A Firewall for Meteor Apps

Hope you like this.


You are awesome thank you so much Arunoda! Meteor’s Most Valuable Programmer.

It’s quite scary how easy it is to bring down a Node instance.
Great package, though.

Looks like I have no choice. Should this kind of protection be built into Meteor’s core?

Check here: https://trello.com/c/SYcbkS3q/18-dos-hardening-rate-limiting


I really want to try it out right now! Where is my macbook?!

We need StartDos too (-:
For testing (((-:
And can I integrate Sikka into my design?

ha ha. StartDOS is proprietary :smiley:


If I’m using only server methods, will Sikka be useful?

You mean, no one from outside can access your app?
If so, Sikka is less useful.

If your app is open to the public, yes, you need Sikka.

Haha, yeah, we need a DDoS function in the Meteor core to shut down competing apps :smiley:

I mean, what can’t a user do in the console, Product.insert()?

It doesn’t matter. In this case, I’m targeting a Meteor method. Likewise, we can target any publication and so on.
Every Meteor app needs some kind of protection like this.

Thanks, it’s clear now.


Just goes to show if MDG doesn’t build something, Arunoda will.

For reference, the big long thread that probably started this: https://groups.google.com/forum/#!topic/meteor-talk/XyYhi8ZMgd8

Hi Arunoda,

Found a typo in the github readme page:

If you look at the tables where the Meteor.settings keys are, there are two “sikka.times.blockIpFor” entries: one for the environment var SIKKA_BLOCK_IP_FOR_MILLIS, and the other for SIKKA_PER_HUMAN_MAX_RPS.

Thanks @powderkeg, I’ll fix it.

Introducing Sikka says:

This is just our first release. We have a list of features for detecting various kinds of Meteor-related threats and anomalies. We’ll add them as we go.

We are also looking to integrate both Kadira and Cloudflare with Sikka. Then you will be able to see a list of potential threats in Kadira and click a button to ban that IP directly from Cloudflare. You’ll be able to add rules to ban IPs automatically.

We expect to release the Kadira/Cloudflare integration before the end of this year or sooner. Stay tuned!

The latest commit on GitHub is from 27th Mar 15, plus 28 open issues…
So, is this project no longer in development?


I would also like to know what happened to this project and the future integrations with Kadira, which sound pretty cool. Also, I guess that with DDPRateLimiter a lot of features could be reimplemented more easily and in a less hacky way.
@arunoda :slight_smile:

@arunoda ,
Wondering if you can help me out. I get this error while using Sikka:

These are the settings I use:

{
  "sikka": {
    "captcha": {
      "siteKey": "something",
      "secret": "something"
    },
    "rateLimits": {
      "perIp": 20,
      "perHuman": 20,
      "perSession": 20
    },
    "times": {
      "blockIpFor": 120000,
      "humanLivesUpto": 3600000
    },
    "onlyForHumans": true
  }
}

Any idea why this happens?

PS. I got new keys from google, still no luck.
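As an added example that is not Sikka’s own code, here is the rate-limit-and-block behaviour that the rateLimits.perIp and times.blockIpFor settings in the thread describe, reduced to a stand-alone limiter you can run in Node. It assumes perIp means maximum requests per second (following the README’s SIKKA_PER_HUMAN_MAX_RPS naming) and blockIpFor means the block duration in milliseconds; the IP addresses and timings are constructed samples.

```javascript
// Stand-alone illustration of a Sikka-style per-key limiter (not Sikka's code).
// Assumed semantics: maxRps = rateLimits.perIp (requests per second),
// blockForMs = times.blockIpFor (milliseconds an offending key stays blocked).
class RateLimiter {
  constructor({ maxRps, blockForMs }) {
    this.maxRps = maxRps;
    this.blockForMs = blockForMs;
    this.windows = new Map();      // key -> timestamps of requests in the last 1s
    this.blockedUntil = new Map(); // key -> time (ms) at which the block expires
  }

  // Decide whether a request from `key` at time `now` (ms) is allowed.
  // Returns { allowed, reason }; reason is 'ok', 'rate-exceeded' or 'blocked'.
  check(key, now) {
    const until = this.blockedUntil.get(key);
    if (until !== undefined) {
      if (now < until) return { allowed: false, reason: 'blocked' };
      this.blockedUntil.delete(key); // block expired, start with a clean window
    }
    const stamps = (this.windows.get(key) || []).filter(t => now - t < 1000);
    stamps.push(now);
    this.windows.set(key, stamps);
    if (stamps.length > this.maxRps) {
      // Over the per-second budget: block the key and drop its window.
      this.blockedUntil.set(key, now + this.blockForMs);
      this.windows.delete(key);
      return { allowed: false, reason: 'rate-exceeded' };
    }
    return { allowed: true, reason: 'ok' };
  }
}

// Constructed scenario: one address fires a method 25 times within 250 ms
// (the console-loop pattern from the video), a second address behaves normally.
function simulate() {
  const limiter = new RateLimiter({ maxRps: 20, blockForMs: 120000 });
  const results = [];
  for (let i = 0; i < 25; i++) {
    results.push(limiter.check('203.0.113.5', 1000 + i * 10).allowed);
  }
  const stillBlocked = !limiter.check('203.0.113.5', 1000 + 60000).allowed;
  const afterBlock = limiter.check('203.0.113.5', 1000 + 240 + 120000).allowed;
  const other = limiter.check('198.51.100.7', 1000).allowed;
  return { accepted: results.filter(Boolean).length, stillBlocked, afterBlock, other };
}
```

With perIp 20 and blockIpFor 120000, the first 20 calls pass, the 21st trips the block, the address stays blocked a minute later, and it is admitted again once 120 s have elapsed; the other address is unaffected.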