npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

dostroy

v3.0.0

Published

Node.js middleware for DoS-prevention

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

helenaalinderhelenaalinderjosefinnilssonjosefinnilsson

Keywords

Readme

dostroy

Node.js middleware for DoS-prevention.

Project Members

Josefin Nilsson ([email protected]) Helena Alinder ([email protected]) Samuel Hertzberg ([email protected]) Martin Hyberg ([email protected])

Running

Install package:

npm install dostroy

Example usage to handle malicious requests from remote addresses to a Node.js server:

const express = require('express')
const dostroy = require('dostroy')
const app = express()

config = {
  rateLimiting: true,
  dynamicRateLimiting: true,
  userActiveTimeout: 10000,
  requestLimit: 10,
  requestInterval: 10000,
  rudy: true
}

const server = app.listen(3000)
const dostroyConfig = dostroy.init(server, config)
app.use(dostroy.protect(dostroyConfig))

... end of server ...

app.use(dostroy.errorHandler)

Config

dostroy allows for some degree of configuration. The individual mitigations can be turned on or off and have their thresholds set. If no config is passed, dostroy will employ all mitigations with standard values.

config = {
  slowloris: boolean,
  rateLimiter: boolean,
  rudy: boolean,
  rudyTimeout: int,
  dynamicRateLimiting: boolean,
  userActiveTimeout: int,
  requestLimit: int,
  requestInterval: int, 
  logging: boolean,
  headerTimeout: int,
}
slowloris

Whether dostroy should mitigate the slowloris attack. Default: false

rateLimiter

Whether dostroy should employ rate limiting, and mitigate possible flood attacks. Default: false

rudy

Whether dostroy should mitigate the R.U.D.Y attack. Default: false

rudyTimeout:

The timeout in milliseconds (between each chunk) when transmitting the body. If the timeout is exceeded the connection is dropped. Default: false

dynamicRateLimiting

Regular rate limiting but the upper limit is a dynamic limit depending on the number of currently active users. Default: false

userActiveTimeout:

For how long the clients remain active in milliseconds. See dynamicRateLimiting. Default: 30000ms

requestLimit:

If dynamicRateLimiting is off: The limit to how many requests each host can send each 'requestInterval'. See requestInterval. If dynamicRateLimiting is on: The total capacity of request per 'requestInterval' for the entire server. Default: 100

requestInterval:

Is used to measure how many requests a user is sending. "Amounts of requests per requestInterval" Default: 10000

logging

Should logging be enabled? Default: false

headerTimeout

The timeout in milliseconds when transmitting the header. If the timeout is exceeded the connection is dropped. Default: 1000

The Mitigations

dostroy employs several techniques to mitigate different attacks. Here are the attacks dostroy aims to mitigate.

Flooding attack

Rate limiting is useful for many things but is especially convenient to counter a flooding attack. If a host exceeds the allowed numbers of request for a certain time period, any requests from the hosts IP will be dropped for the remainder of that period. The limit which the host might exceed can be set in one of two ways. A static limit or a dynamic limit. The static limit is a fixed number unchanged throughout the runtime of the server. The dynamic limit is changed depending on how many active users there are. The total resources are split equally across all users. So if the server can handle 100 connections/second and there are 5 active users, the limit of requests per second for each user is 20.

Slowloris attack

The slowloris attack sends the request header very slowly to bind a connection to the server. To mitigate a slowloris attack dostroy sets timeouts for transmitting the entire header. The timeout limit is configurable.

R.U.D.Y attack

The R.U.D.Y (R-U-DEAD-YET?) attack sends the request body very slowly to bind a connection to the server. To mitigate a R.U.D.Y attack, dostroy sets a timeout between each chunk when transmitting the body. The timeout limit is configurable.