• Examples (iOS)
• Examples (Java/Android)
• Examples (C++)
Server API Documentation


Since 2.19.0

» Extension Flood Filter

Starting from release 2.19.0 we have introduced a new Extension Flood Filter that provides fine grained control over the packet rate of Extension requests. This can be used to limit the number of calls per second for specific requests and automatically set rules for warning and banning the offending client(s).

It also includes the ability to catch unknown Extension calls (i.e. requests for which there doesn't exist a request handler) and apply auto-ban rules as well.

Under normal circumstances, e.g. users playing with the official client app, there shouldn't be a concern about request spam, since limitations can be easily coded in the client itself. However it's also relatively easy for malicious users to reverse engineer a client made in JavaScript, Unity or Java and bypass such limitations.

NOTE: The Extension Flood Filter is a security tool that limits server spam, and possibly cheating, but it's not itended as DDoS mitigation tool. DDoS attacks can only be defeated with dedicated networking infrastructure and services such as those provided by AWS, Microsoft Azure, Cloudflare and many other hosting or cloud providers.



In the diagram above we show a bird's eye view of the filter and its position in the Extension invocation chain. For each request handler defined in our Extension code (via the addRequestHandler methods) we can provide a limit expressed in number of calls per second.

For example we have defined a playerShoot request handler in our Extension and we've also set a limit of 4 requests/sec. If a client sends 50 calls in one second only the first 4 will be passed to the Extension and processed while the rest will be discarded. Additionally, based on the auto-ban rules, the sender will be either warned or banned.

The Extension Flood Filter is activated via code in the Extension, so let's take a look at how we can set it up.

Setup examples

The Extension Flood Filter is inactive by default. To activate it we need to call the initFloodFilter(...) method, available from the parent SFSExtension class.
	public class AntiFloodTestExtension extends SFSExtension
		static final String PLAYER_SHOOT = "pShoot";
		static final String PLAYER_MOVE = "pMove";
		public void init()
			ExtensionFloodFilterConfig cfg = new ExtensionFloodFilterConfig();
			cfg.banDurationMinutes = 120;
			cfg.maxFloodingAttempts = 3;
			cfg.secondsBeforeBan = 2;
			cfg.banMessage = "You are now banned. Reason: request flooding.";
			cfg.filterRules = Map.of
								PLAYER_SHOOT, 4, 
								PLAYER_MOVE, 15
			addRequestHandler(PLAYER_SHOOT, (sender, param) -> {
			addRequestHandler(PLAYER_MOVE, (sender, param) -> {

The initializer method takes a ExtensionFloodFilterConfig object with the following properties:

Once this is done the filter is up and ready to do its job.

NOTE: when setting up the Extension we recommend to use the approach shown in the example above where each request name is defined as a constant and used to define both handlers and filters. This is to avoid typos that could lead to unexpected behaviors.

Limitations and suggestions