views:

82

answers:

2

Hi,

I'm about to implement an RESTful API to our website (based on WCF data services, but that probably does not matter).

All data offered via this API belongs to certain users of my server, so I need to make sure only those users have access to my resources. For this reason, all requests have to be performed with a login/password combination as part of the request.

What's the recommended approach for preventing brute force attacks in this scenario?

I was thinking of logging failed requests denied due to wrong credentials and ignoring requests originating from the same IP after a certain threshold of failed requests has been exceeded. Is this the standard approach, or am I a missing something important?

Thanks,

Adrian

+3  A: 

IP-based blocking on its own is risky due to the number of NAT gateways out there.

You might slow down (tar pit) a client if it makes too many requests quickly; that is, deliberately insert a delay of a couple of seconds before responding. Humans are unlikely to complain, but you've slowed down the bots.

You might also consider installing a CAPTCHA; perhaps require a client to pass a CAPTCHA after one incorrect password attempt.

crazyscot
Hm, how do you want to put CAPTCHA into RESTfull API? AFAIU all clients are not supposed to be human beings.
iPhone beginner
Good point, I must have blinked over the RESTful bit. Tricky.
crazyscot
A captcha is what I am using right now for my regular website. But as Iphone beginner pointed out, that is not an option for a restful api. Tarpitting might be a good idea though.
Adrian Grigore
You could make the tarpitting adaptive? Increase the delay - perhaps exponentially - for successive incorrect requests from the same IP.
crazyscot
Yes, that would probably work. Thanks for your suggestions!
Adrian Grigore
+1  A: 

I would use the same approach as I would with a web site. Keep track of the number of failed login attempts within a certain window -- say allow 3 (or 5 or 15) within some reasonable span, say 15 minutes. If the threshold is exceeded lock the account out and mark the time that the lock out occurred. You might log this event as well. After another suitable period has passed, say an hour, unlock the account (on the next login attempt). Successful logins reset the counters and last lockout time. Note that you never actually attempt a login on a locked out account, you simply return login failed.

This will effectively rate-limit any brute force attack, rendering an attack against a reasonable password very unlikely to succeed. An attacker, using my numbers above would only be able to try 3 (or 5 or 15) times per 1.25hrs. Using your logs you could detect when such an attack were possibly occurring simply by looking for multiple lockouts from the same account on the same day. Since your service is intended to be used by programs, once the program accessing the service has its credentials set properly, it will never experience a login failure unless there is an attack in progress. This would be another indication that an attack might be occurring. Once you know an attack is in process, then you can take further measures to limit access to the offending IPs or involve authorities, if appropriate, and get the attack stopped.

tvanfosson
Wouldn't that make it even easier to launch DOS attacks on user accounts? For example a malvolent competitor of our website might deliberately lock out users by posting wrong passwords. He would not get access to their accounts, but he would succeed in making our website look unreliable. That's why I considered the IP-based approach - an attacker would have to spoof the real user's ip address in order to lock him out.
Adrian Grigore
@Adrian - yes, but that's a different sort of problem. Using an IP-based approach to solve it might make your service actually unreliable as it may be that a user merely forgot to update his script after a password change. In that case, the user can simply wait until the timeout has passed and try again without involving you. Using the logging, you'd still be able to detect a DOS attack and put in an IP block from the malevolent site and, in this sort of case, call in the authorities for sure.
tvanfosson