put rate limiting behind stac_prevent_connect_spam

sapphonie · Nov 30, 2023 · 746075d · 746075d
1 parent bc850fb
commit 746075d
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 10 deletions.
diff --git a/scripting/stac/stac_client.sp b/scripting/stac/stac_client.sp
@@ -44,20 +44,29 @@ public bool OnClientPreConnectEx(const char[] name, char password[255], const ch
     strcopy(latestIP,       sizeof(latestIP),       ip);
     strcopy(latestSteamID,  sizeof(latestSteamID),  steamID);
 
-    static int threshold = 5;
 
+    if (!stac_prevent_connect_spam.BoolValue)
+    {
+        return true;
+    }
+
+    // TODO: does this need to be higher? or lower? or...?
+    static int threshold = 5;
     int connects;
     IPBuckets.GetValue(ip, connects); // 0 if not present
     connects++;
     if (connects >= threshold)
     {
         rejectReason = "Rate limited.";
 
-
         // BanIdentity(steamID, 60, BANFLAG_AUTHID, "");
         // BanIdentity(ip, 60, BANFLAG_IP, "");
 
-
+        // THE REASON we are doing this, is so that we hook into srcds's built in
+        // "firewall", basically, where with the default game banning system,
+        // srcds will ignore packets from banned ips.
+        // this prevents any clients from spamming, in a way that would otherwise not really be possible,
+        // without stupid memory hacks that would be overcomplicated anyway since this already exists
         if ( CommandExists("sm_banip") && CommandExists("sm_addban") )
         {
             ServerCommand("sm_addban 60 %s %s", steamID,    "Rate limited");
@@ -73,15 +82,21 @@ public bool OnClientPreConnectEx(const char[] name, char password[255], const ch
     }
     IPBuckets.SetValue(ip, connects);
 
-
-    StacLog("-> connects from ip %s %i", ip, connects);
-
+    if (stac_debug.BoolValue)
+    {
+        StacLog("-> connects from ip %s %i", ip, connects);
+    }
 
     return true;
 }
 
 Action LeakIPConnectBucket(Handle timer)
 {
+    if (!stac_prevent_connect_spam.BoolValue)
+    {
+        return Plugin_Continue;
+    }
+
     StringMapSnapshot snap = IPBuckets.Snapshot();
 
     for (int i = 0; i < snap.Length; i++)
@@ -93,11 +108,17 @@ Action LeakIPConnectBucket(Handle timer)
         IPBuckets.GetValue(ip, connects); // 0 if not present per zero-init above
         connects--;
 
-        StacLog("-> connects from ip %s %i", ip, connects);
+        if (stac_debug.BoolValue)
+        {
+            StacLog("(LeakIPConnectBucket) connects from ip %s %i", ip, connects);
+        }
 
         if (connects <= 0)
         {
-            StacLog("-> connects from ip %s %i [ REMOVING ] ", ip, connects);
+            if (stac_debug.BoolValue)
+            {
+                StacLog("-> connects from ip %s %i [ REMOVING ] ", ip, connects);
+            }
 
             IPBuckets.Remove(ip);
             continue;

diff --git a/scripting/stac/stac_cvars.sp b/scripting/stac/stac_cvars.sp
@@ -364,6 +364,21 @@ void initCvars()
         1.0
     );
 
+    // 
+    stac_prevent_connect_spam =
+    AutoExecConfig_CreateConVar
+    (
+        "stac_prevent_connect_spam",
+        "1",
+        "[StAC] (BETA DETECTION) use a \"leaky bucket\" algorithm to prevent the same clients from spamming connect requests to your server. temp bans clients for 60 minutes if they hit the limit.\n\
+        (recommended 1)",
+        FCVAR_NONE,
+        true,
+        0.0,
+        true,
+        1.0
+    );
+
 
     initUsercmdCvars();
     // actually exec the cfg after initing cvars lol

diff --git a/scripting/stac/stac_globals.sp b/scripting/stac/stac_globals.sp
@@ -29,8 +29,7 @@ ConVar stac_fixpingmasking_enabled;
 ConVar stac_silent;
 ConVar stac_max_connections_from_ip;
 ConVar stac_work_with_sv_cheats;
-
-
+ConVar stac_prevent_connect_spam;
 
 /***** Server based stuff *****/