Kadira - Performance Monitoring for Meteor (you should try this)

Introducing Sikka: A Firewall for Meteor Apps

Just like any other web app, Meteor is also vulnerable to most of the security issues on the web. Since Meteor does not use cookies and uses WebSockets for everything, you don’t need to worry about XSRF attacks. Meteor also comes with easy ways to fight XSS with its browser-policy package.

But, it’s not immune to DOS and DOS-like attacks. Due to Meteor’s WebSocket usage, it’s super easy for someone to invoke a DOS attack against a Meteor app. For this, the attacker doesn’t need to use sophisticated tools or techniques.

Let me show you how to invoke such a DOS attack just using a web browser.

I am not going to include any code for these attacks. Please don’t try these attacks on other people’s apps. It’s illegal.

Ooops! This is super bad.

Yes, it is. This is not only a common issue for Meteor, but for any app built with WebSockets. So, how can we fix this?

Introducing Sikka

Sikka is an application-layer firewall for Meteor. We are releasing the first version of Sikka with support for rate limiting and human (captcha) verification.

You can block DOS attacks by simply adding Sikka into your app. Once someone invokes a DOS attack, their IP is banned and Sikka challenges them with a captcha (which allows legitimate users from that IP to browse your app as normal), as shown below:

Sikka - A Firewall for Meteor Apps
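To make the rate-limit-then-challenge flow concrete, here is an added illustrative model in JavaScript; it is not Sikka's own code, and the window size, threshold, ban duration and the `IpRateLimiter`/`check`/`verifyHuman` names are assumptions.

```javascript
// Illustrative per-IP limiter for DDP traffic (added example, not Sikka code).
// Each incoming method call / subscription from an IP is checked; once an IP
// exceeds the per-window budget it is put into a "challenge" state until it
// either passes human (captcha) verification or the ban expires.
class IpRateLimiter {
  // All three parameters are assumed defaults, not Sikka's real settings.
  constructor({ windowMs = 1000, max = 20, banMs = 60 * 1000 } = {}) {
    this.windowMs = windowMs;   // sliding window length in ms
    this.max = max;             // calls allowed per IP inside one window
    this.banMs = banMs;         // how long a banned IP stays challenged
    this.hits = new Map();      // ip -> timestamps of recent calls
    this.challenged = new Map();// ip -> time (ms) when the challenge lifts
  }

  // Decide what to do with one call from `ip` at time `now` (ms).
  // Returns 'allow' or 'challenge' (i.e. answer with the captcha instead).
  check(ip, now = Date.now()) {
    const until = this.challenged.get(ip);
    if (until !== undefined) {
      if (now < until) return 'challenge';   // still banned
      this.challenged.delete(ip);            // ban expired, start fresh
    }
    // Keep only the timestamps that fall inside the sliding window.
    const recent = (this.hits.get(ip) || []).filter(t => now - t < this.windowMs);
    recent.push(now);
    this.hits.set(ip, recent);
    if (recent.length > this.max) {
      // Budget exceeded: ban the IP and serve the captcha challenge.
      this.challenged.set(ip, now + this.banMs);
      this.hits.delete(ip);
      return 'challenge';
    }
    return 'allow';
  }

  // Called when the captcha is solved: a human is behind this IP, so lift the
  // ban early so legitimate users sharing that IP can continue as normal.
  verifyHuman(ip) {
    this.challenged.delete(ip);
    this.hits.delete(ip);
  }
}
```

In a real deployment the decision would be taken where the server receives DDP messages, before any method or publication runs, so a flooding client never reaches application code.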

Check out this demo:

We’ve tested Sikka with plenty of Meteor deployment options and it works pretty well. Add Sikka to your app and protect it from potential attacks.

It takes less than 5 minutes to add and configure Sikka. Check out our docs.

The Future

This is just our first release. We have a list of features for detecting various kinds of Meteor-related threats and anomalies. We’ll add them as we go.

We are also looking to integrate both Kadira and Cloudflare with Sikka. Then you will be able to see a list of potential threats in Kadira and click a button to ban that IP directly from Cloudflare. You’ll be able to add rules to ban IPs automatically.

We expect to release the Kadira/Cloudflare integration before the end of this year or sooner. Stay tuned!