tags:

views:

82

answers:

2
+5  Q: 

How do you prevent brute force attacks on RESTful data services

Hi,

I'm about to implement an RESTful API to our website (based on WCF data services, but that probably does not matter).

All data offered via this API belongs to certain users of my server, so I need to make sure only those users have access to my resources. For this reason, all requests have to be performed with a login/password combination as part of the request.

What's the recommended approach for preventing brute force attacks in this scenario?

I was thinking of logging failed requests denied due to wrong credentials and ignoring requests originating from the same IP after a certain threshold of failed requests has been exceeded. Is this the standard approach, or am I a missing something important?

Thanks,

Adrian

+3  A: 

IP-based blocking on its own is risky due to the number of NAT gateways out there.

You might slow down (tar pit) a client if it makes too many requests quickly; that is, deliberately insert a delay of a couple of seconds before responding. Humans are unlikely to complain, but you've slowed down the bots.

You might also consider installing a CAPTCHA; perhaps require a client to pass a CAPTCHA after one incorrect password attempt.

crazyscot  2010-06-03 12:13:23
Hm, how do you want to put CAPTCHA into RESTfull API? AFAIU all clients are not supposed to be human beings.
iPhone beginner  2010-06-03 12:17:20
Good point, I must have blinked over the RESTful bit. Tricky.
crazyscot  2010-06-03 12:33:43
A captcha is what I am using right now for my regular website. But as Iphone beginner pointed out, that is not an option for a restful api. Tarpitting might be a good idea though.
Adrian Grigore  2010-06-03 16:21:05
You could make the tarpitting adaptive? Increase the delay - perhaps exponentially - for successive incorrect requests from the same IP.
crazyscot  2010-06-03 17:24:47
Yes, that would probably work. Thanks for your suggestions!
Adrian Grigore  2010-06-04 07:47:35
+1  A: 

I would use the same approach as I would with a web site. Keep track of the number of failed login attempts within a certain window -- say allow 3 (or 5 or 15) within some reasonable span, say 15 minutes. If the threshold is exceeded lock the account out and mark the time that the lock out occurred. You might log this event as well. After another suitable period has passed, say an hour, unlock the account (on the next login attempt). Successful logins reset the counters and last lockout time. Note that you never actually attempt a login on a locked out account, you simply return login failed.

This will effectively rate-limit any brute force attack, rendering an attack against a reasonable password very unlikely to succeed. An attacker, using my numbers above would only be able to try 3 (or 5 or 15) times per 1.25hrs. Using your logs you could detect when such an attack were possibly occurring simply by looking for multiple lockouts from the same account on the same day. Since your service is intended to be used by programs, once the program accessing the service has its credentials set properly, it will never experience a login failure unless there is an attack in progress. This would be another indication that an attack might be occurring. Once you know an attack is in process, then you can take further measures to limit access to the offending IPs or involve authorities, if appropriate, and get the attack stopped.

tvanfosson  2010-06-03 12:24:56
Wouldn't that make it even easier to launch DOS attacks on user accounts? For example a malvolent competitor of our website might deliberately lock out users by posting wrong passwords. He would not get access to their accounts, but he would succeed in making our website look unreliable. That's why I considered the IP-based approach - an attacker would have to spoof the real user's ip address in order to lock him out.
Adrian Grigore  2010-06-03 16:25:18
@Adrian - yes, but that's a different sort of problem. Using an IP-based approach to solve it might make your service actually unreliable as it may be that a user merely forgot to update his script after a password change. In that case, the user can simply wait until the timeout has passed and try again without involving you. Using the logging, you'd still be able to detect a DOS attack and put in an IP block from the malevolent site and, in this sort of case, call in the authorities for sure.
tvanfosson  2010-06-03 17:08:16

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication