
When I login with bad credentials, I should get a randomly delayed response #81

Closed
jazeee opened this issue Jun 11, 2015 · 4 comments · Fixed by #83

Comments

@jazeee
Contributor

jazeee commented Jun 11, 2015

As a hacker, I may try to dictionary attack the rest server to find user names, emails, and/or passwords.
When I do, the system should make it hard for me to do so by delaying the response.

On authentication failure, the system should delay by a random amount of time, so that I cannot measure the time and determine algorithm factors based on that time.

In addition, when I request data from an authentication-protected ReST path and I use a bad token, the system should delay its response in the same way.

See Prevent Brute-Force Attacks: https://www.owasp.org/index.php/Authentication_Cheat_Sheet for other ideas.

I suspect that the system would be fine if it slowed down the response between 0.5 and 5 seconds per failed request. The system should capture how many failed attempts occurred and increase the delay as the count increases.

I'll look at some code that may help.

@jazeee
Contributor Author

jazeee commented Jun 11, 2015

I think that I'd put some protection in route.coffee
_respond could check for status code of 401, and add some delays.
A minimal random delay between 500 and 1000 msec would probably be a simple first start.

jazeee added a commit to jazeee/meteor-restivus that referenced this issue Jun 11, 2015
This is an initial temporary fix for kahmali#81
The system should delay responses when unauthorized requests are made. Hackers should have some impediment.
This is not a great fix, since hackers could parallelize their requests.
@kahmali
Owner

kahmali commented Jun 11, 2015

This would be a nice update. What would be even better is to build that functionality as a JsonRoutes middleware package, and then update Restivus to allow plugging middleware in (should be pretty easy in 0.7.0, since we use simple:json-routes). That way the functionality could also be used in simple:rest-accounts-password, if @stubailo thinks it's worth supporting there.

I'm thinking it could exist as error middleware, where you could pass a delay property on the next({}) error object (in milliseconds), which would just do the delay and then pass the error through to the next error middleware. That way it could be used for more than just failed password delays. Heck, if someone sees value in delaying for anything else other than errors, it could just be a piece of normal middleware.

Another layer of middleware could then be added that would check for 401s and then generate delayed errors with a random value, as you suggested.

@jazeee
Contributor Author

jazeee commented Jun 11, 2015

Ideally, the system should lock out multiple failed requests from an IP source, and lock out multiple failed requests for a particular user, for a set period.

This would require some rework since the authentication code is synchronous.

@jazeee
Contributor Author

jazeee commented Jun 11, 2015

Ahh, interesting. I'll think about the middleware path.
I put in a quick fix in my code, but I don't know if that would be worthwhile for the Restivus package. It is quite simple...
Thanks much...

jazeee added a commit to jazeee/meteor-restivus that referenced this issue Jun 15, 2015
This is an initial temporary fix for kahmali#81
The system should delay responses when unauthorized requests are made. Hackers should have some impediment.
This is not a great fix, since hackers could parallelize their requests.
jazeee added a commit to jazeee/meteor-restivus that referenced this issue Jun 15, 2015
This is an initial temporary fix for kahmali#81
The system should delay responses when unauthorized requests are made. Hackers should have some impediment.
This is not a great fix, since hackers could parallelize their requests.

- Resolve kahmali#81
jazeee added a commit to jazeee/meteor-restivus that referenced this issue Jun 16, 2015
 - This is an initial temporary fix for kahmali#81
 - When logging in or accessing a restricted ReST endpoint with invalid credentials,
   the system shall delay before responding.
 - Note that this is not a great fix, since hackers could distribute their requests across CPUs.
 - Resolve kahmali#81
jazeee added a commit to jazeee/meteor-restivus that referenced this issue Jun 17, 2015
 - When logging in or accessing a restricted ReST endpoint with invalid
   credentials, the system shall delay before responding.
 - Note that this is not a great fix, since hackers could distribute
   their requests across CPUs.
 - This is an initial temporary fix for kahmali#81