ImageGen Basic seems like it opens site to DOS attack vulnerability?
I understand that if you purchase the Pro version, you can adjust the configuration to avoid this. But the availability of the Basic version seems dangerous in that anyone can request any of your images at a ridiculous dimension, and the script will dutifully churn away and return it.
For example, I tried requesting one of my site images at 15,000 x 15,000 pixels, which resulted in delivery of an almost 10MB graphic (for just this one example) and caused both CPU and RAM to spike for almost 30 seconds. It seems like someone who wanted to take my site down could set up an attack on the server requesting successively different sizes of a single graphic, defeating its ability to be cached and killing the server's CPU and RAM in the process. (And filling up the cache/disk space too I guess.)
I didn't want to run too many more tests on this since we have some other live sites on this server, hence my question here in this forum to see if this really is a legitimate concern or not, or if anyone else has run into any problems with this. I understand the need to sell a "Pro" version in order to support the development of the "Basic" version too, but perhaps some kind of safety mechnism might be warranted for consideration in a future version to protect the "Basic" users' sites?
That's certainly a possibility, though of the tens of thousands of installations I've never heard of it happening in practice. Sites appropriate for the basic version aren't likely candidates for a DOS attack and the Pro version has abilities to combat the threat.
I'll think about the reasonablness of applying a hard-coded maxWidth and maxHeight (2048px?) in the basic version.
ImageGen Basic seems like it opens site to DOS attack vulnerability?
I understand that if you purchase the Pro version, you can adjust the configuration to avoid this. But the availability of the Basic version seems dangerous in that anyone can request any of your images at a ridiculous dimension, and the script will dutifully churn away and return it.
For example, I tried requesting one of my site images at 15,000 x 15,000 pixels, which resulted in delivery of an almost 10MB graphic (for just this one example) and caused both CPU and RAM to spike for almost 30 seconds. It seems like someone who wanted to take my site down could set up an attack on the server requesting successively different sizes of a single graphic, defeating its ability to be cached and killing the server's CPU and RAM in the process. (And filling up the cache/disk space too I guess.)
I didn't want to run too many more tests on this since we have some other live sites on this server, hence my question here in this forum to see if this really is a legitimate concern or not, or if anyone else has run into any problems with this. I understand the need to sell a "Pro" version in order to support the development of the "Basic" version too, but perhaps some kind of safety mechnism might be warranted for consideration in a future version to protect the "Basic" users' sites?
Thank you for your time and consideration!
That's certainly a possibility, though of the tens of thousands of installations I've never heard of it happening in practice. Sites appropriate for the basic version aren't likely candidates for a DOS attack and the Pro version has abilities to combat the threat.
I'll think about the reasonablness of applying a hard-coded maxWidth and maxHeight (2048px?) in the basic version.
cheers,
doug.
is working on a reply...