
Tahir asked

[urgent] getfiles/fileupload spam breaching limits

Hello all, I require some urgent help... I recently saw a spike in my billing of over $500 in less than a day.

Checking the data, it seems an attacker is abusing get files and upload files..

I've since limited user files to 0 and banned the IP..

It also seems the person is spam creating accounts too from different IPs.

I've attempted to disable those api methods using PlayFabAdminAPI.UpdatePolicy:

    private void UpdateApiPolicy()
    {
        PlayFabAdminAPI.UpdatePolicy(new UpdatePolicyRequest()
        {
            PolicyVersion = version,
            PolicyName = "ApiPolicy",
            OverwritePolicy = false, // Append to existing policy. Set to True, to overwrite.
            Statements = new List<PermissionStatement>() {
                new PermissionStatement() {
                    Action = "*", // Statement affects Execute action
                    ApiConditions = new ApiCondition() {
                        HasSignatureOrEncryption = Conditionals.False // Require no RSA encrypted payload or signed headers
                    },
                    Comment = "Do not allow get files",
                    Resource = "pfrn:api--/Client/GetFiles", // Resource name
                    Effect = EffectType.Deny, // Do not allow
                    Principal = "*"
                }
            }
        }, result => {
            FetchApiPolicy();
        }, error => Debug.LogError(error.GenerateErrorReport()));
    }

It seems to execute properly and return the policy that I set, however, when I run

    PlayFabDataAPI.GetFiles

It still seems to work.. I'd assume it should return an error?

Tahir commented ·

Could somebody reach out to me to discuss my options here please?


1 Answer

Seth Du answered

API policy won't be applied to Entity API, if you want to limit the access of Entity File, please try modifying the Entity Policy. Please navigate to [Game Manager] -> [Title Settings] -> [API Features] and edit the Entity Global Title Policy.

Search for the File related resource -- "pfrn:data--*!*/Profile/Files/*", modify or add as the following:

  {
    "Action": "*",
    "Effect": "Deny",
    "Resource": "pfrn:data--*!*/Profile/Files/*",
    "Principal": "*",
    "Comment": "deny read/write files",
    "Condition": null
  },

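To make the distinction in this answer concrete, here is an added example (not PlayFab's code or the poster's) that matches both policy entries from this thread against resource names. It assumes glob-style `*` wildcards and deny-overrides evaluation, and the Entity File resource name is constructed for illustration.

```python
import fnmatch

# Constructed from the two policy entries in this thread: the classic API
# policy statement from the question and the Entity Global Title Policy
# statement from the answer.
API_POLICY = [
    {"Action": "*", "Effect": "Deny", "Principal": "*",
     "Resource": "pfrn:api--/Client/GetFiles"},
]
ENTITY_POLICY = [
    {"Action": "*", "Effect": "Deny", "Principal": "*",
     "Resource": "pfrn:data--*!*/Profile/Files/*",
     "Comment": "deny read/write files", "Condition": None},
]

# Constructed entity file resource name following the "*!*/Profile/Files/*"
# shape of the pattern above (entity type, entity id, file name are made up).
FILE_RESOURCE = "pfrn:data--title_player_account!1234ABCD/Profile/Files/save.json"


def matches(pattern, value):
    """Glob match in which '*' may span any characters, including '/'."""
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, resource, action="Read", principal="*"):
    """Return 'Deny' if any applicable statement denies, 'Allow' if one
    allows, or None when no statement in the policy applies to the resource.
    Deny-overrides ordering is an assumption for this illustration."""
    decision = None
    for stmt in policy:
        if not matches(stmt["Resource"], resource):
            continue  # statement is about a different resource
        if stmt["Action"] not in ("*", action):
            continue
        if stmt["Principal"] not in ("*", principal):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # The classic API policy entry never matches an Entity File resource,
    # which is why GetFiles kept working in the question.
    print("API policy vs file:   ", evaluate(API_POLICY, FILE_RESOURCE))
    print("Entity policy vs file:", evaluate(ENTITY_POLICY, FILE_RESOURCE))
```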

Tahir commented ·

How long does it take to go into effect, 5 minutes later and I can still call get files, pretty confident I added it to the EntityGlobalPolicy correctly.

Seth Du ♦ Tahir commented ·

It should take effect very soon. Have you checked "file" related entry in the existing list? What is your title ID? I will take a look.

Tahir commented ·

Hello, I can confirm it had no effect. I'm still able to successfully call GetFiles.

My titleid is: DF3EF

I'd also like to know how to limit getcatalogueitems, I see no limits for it and I can't block it outright as it'd negatively affect good players.

Or is my only option there to block the calling playfabid?

Seth Du ♦ Tahir commented ·

Have you checked the callback result? Are Entity Files listed in the response? If the policy works, it will be blank in "Metadata" property.

I don't think it is necessary to limit GetCatalogItems API because in the common scenario the client should get the data and cache locally for later reference because Catalog items won't change frequently. It will be fine to simply define client logic to reduce the frequency.

Please note that Entity Policy and API Policy are separate and independent. To restrict classic PlayFab API, please refer to API Access Policy - PlayFab | Microsoft Docs.
