Hello all, I require some urgent help... I recently saw a spike in my billing of over $500 in less than a day.
Checking the data, it seems an attacker is abusing get files and upload files.
I've since limited user files to 0 and banned the IP.
It also seems the person is spam-creating accounts too, from different IPs.
I've attempted to disable those API methods using PlayFabAdminAPI.UpdatePolicy:
```csharp
using System.Collections.Generic;
using PlayFab;
using PlayFab.AdminModels;
using UnityEngine;

// `version` and FetchApiPolicy() are defined elsewhere in the poster's class.
private void UpdateApiPolicy()
{
    PlayFabAdminAPI.UpdatePolicy(new UpdatePolicyRequest()
    {
        PolicyVersion = version,
        PolicyName = "ApiPolicy",
        OverwritePolicy = false, // Append to existing policy. Set to true to overwrite.
        Statements = new List<PermissionStatement>()
        {
            new PermissionStatement()
            {
                Action = "*", // Statement affects the Execute action
                ApiConditions = new ApiCondition()
                {
                    HasSignatureOrEncryption = Conditionals.False // Require no RSA encrypted payload or signed headers
                },
                Comment = "Do not allow get files",
                Resource = "pfrn:api--/Client/GetFiles", // Resource name
                Effect = EffectType.Deny, // Do not allow
                Principal = "*"
            }
        }
    },
    result => { FetchApiPolicy(); },
    error => Debug.LogError(error.GenerateErrorReport()));
}
```
It seems to execute properly and return the policy that I set; however, when I run
PlayFabDataAPI.GetFiles
it still seems to work. I'd assume it should return an error?
Could somebody reach out to me to discuss my options here please?
Answer by SethDu · Nov 29, 2021 at 02:47 AM
API policy won't be applied to the Entity API. If you want to limit access to Entity Files, please try modifying the Entity Policy. Please navigate to [Game Manager] -> [Title Settings] -> [API Features] and edit the Entity Global Title Policy.
Search for the File-related resource -- "pfrn:data--*!*/Profile/Files/*" -- and modify or add the following:
```json
{
  "Action": "*",
  "Effect": "Deny",
  "Resource": "pfrn:data--*!*/Profile/Files/*",
  "Principal": "*",
  "Comment": "deny read/write files",
  "Condition": null
},
```
How long does it take to go into effect? 5 minutes later and I can still call get files; I'm pretty confident I added it to the EntityGlobalPolicy correctly.
It should take effect very soon. Have you checked the "file"-related entry in the existing list? What is your title ID? I will take a look.
Hello, I can confirm it had no effect. I'm still able to successfully call GetFiles.
My titleid is: DF3EF
I'd also like to know how to limit GetCatalogItems; I see no limits for it, and I can't block it outright as it'd negatively affect good players.
Or is my only option there to block the calling playfabid?
Have you checked the callback result? Are Entity Files listed in the response? If the policy works, the "Metadata" property will be blank.
I don't think it is necessary to limit the GetCatalogItems API, because in the common scenario the client should get the data and cache it locally for later reference, since catalog items won't change frequently. It will be fine to simply define client logic to reduce the frequency.
Please note that the Entity Policy and the API Policy are separate and independent. To restrict the classic PlayFab API, please refer to API Access Policy - PlayFab | Microsoft Docs.
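The separation SethDu describes, with the two Deny statements from this thread (the API-policy one for `/Client/GetFiles` and the entity-policy one for `Profile/Files/*`), can be checked offline with a small policy evaluator. This is an added example, not PlayFab's own code: it assumes `*` is the only wildcard in Action and Resource names, that a matching Deny overrides any Allow, and it uses constructed resource names and constructed default Allow statements.

```python
import re

# Constructed sample policies. Each Deny statement is the one posted in the thread;
# the Allow statements are constructed stand-ins for a title's default permissions.
API_POLICY = [
    {"Action": "*", "Effect": "Allow", "Resource": "pfrn:api--*", "Principal": "*",
     "Comment": "constructed default: allow every classic API call"},
    {"Action": "*", "Effect": "Deny", "Resource": "pfrn:api--/Client/GetFiles", "Principal": "*",
     "Comment": "Do not allow get files"},
]
ENTITY_GLOBAL_POLICY = [
    {"Action": "*", "Effect": "Allow", "Resource": "pfrn:data--*!*/Profile/*", "Principal": "*",
     "Comment": "constructed default: allow profile access"},
    {"Action": "*", "Effect": "Deny", "Resource": "pfrn:data--*!*/Profile/Files/*", "Principal": "*",
     "Comment": "deny read/write files", "Condition": None},
]

def glob_match(pattern, value):
    """'*' matches any run of characters (including '/' and '!'); all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def evaluate(policy, action, resource, principal="*"):
    """Deny-overrides evaluation (assumption): a matching Deny wins, otherwise a matching
    Allow grants, otherwise nothing grants access and the result is Deny."""
    matched = [s for s in policy
               if glob_match(s["Action"], action)
               and glob_match(s["Resource"], resource)
               and s["Principal"] in ("*", principal)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    return "Allow" if any(s["Effect"] == "Allow" for s in matched) else "Deny"

def policy_for(resource):
    """Each resource namespace is governed by its own policy: a classic API statement
    never matches an entity resource, which is why the first attempt in the thread failed."""
    if resource.startswith("pfrn:api--"):
        return API_POLICY
    if resource.startswith("pfrn:data--"):
        return ENTITY_GLOBAL_POLICY
    raise ValueError("unknown resource namespace: " + resource)

def decide(action, resource):
    return evaluate(policy_for(resource), action, resource)

# Constructed resource names: the classic Client call and one player's Entity File.
CLASSIC_GETFILES = "pfrn:api--/Client/GetFiles"
ENTITY_FILE = "pfrn:data--title_player_account!ABCD1234/Profile/Files/save.dat"
```

`decide("Read", ENTITY_FILE)` returns "Deny" only because of the entity-policy statement; evaluating `ENTITY_GLOBAL_POLICY[:1]` (the policy before that statement was added) returns "Allow", and the API-policy resource `pfrn:api--/Client/GetFiles` never matches the entity resource at all.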