Preventing flooding/DOS attacks in Java/AMF app

I'm working on the Java backend for a Flash webgame - the client and server communicate using Action Message Format (AMF). A few weeks ago, another team in our company had their product hacked by a user who decompiled the Flash client, and used an altered version to flood the backend with bogus requests. We want to prevent this kind of attack in our new game.

(More details: webserver used is Tomcat, AMF client is BlazeDS.)

I'd like to know what the best way to prevent this kind of attack would be. Some ideas I had:

• the nginx configuration seemed like the best place to handle rate limiting, but I cant find any resources on how nginx interacts with AMF. Do the开发者_运维百科 AMF requests just get sent straight to Tomcat?

• most requests involve a userId param for the relevant user. Rate-limiting requests involving overused userIds might be one approach - however, an attacker who just wants to flood the server could easily spam random userIds.

• doing the same as above but using IP addresses in place of userIds could work. However, I can't tell if it's possible to get the IP address from an AMF request.

Your Java application should pass unique identifier to the firewall of host operating system and block that client. With this action you would be able to prevent your application from working on things that it isn't supposed to do (being a firewall).