:PROPERTIES:
:ID: d17e934b-b340-4246-88f0-9b36527100c0
:END:
#+title: Login Throttling

* CAPTCHA Throttling

We have login CAPTCHA throttling in place for the following:

| Tracked behavior                                      | CAPTCHA threshold | Time interval |
|-------------------------------------------------------+-------------------+---------------|
| Repeated unsuccessful attempts with the same username | 3 attempts        | 10 minutes    |
| Repeated attempts from the same IP address            | 3 attempts        | 12 hours      |
| Repeated attempts using the same Sift ID              | 3 attempts        | 30 minutes    |
| Invalid or missing CSRF token                         | Immediate         | N/A           |
| Missing customer cookie                               | Immediate         | N/A           |

When a login attempt meets one of the thresholds above, the user is presented
with a CAPTCHA challenge. This does not necessarily mean a puzzle has to be
solved, only that the CAPTCHA script will try to determine whether the user is
a bot. Once a threshold has been met, the next attempt is challenged even if
the credentials entered on it are correct.

All of the thresholds above are checked on every login attempt, so more than
one of them can be tripped at once.

When a throttled user logs in successfully, only the *username* threshold is
reset; no other thresholds are cleared. This means that even after a user has
successfully logged in to an account, a further failed attempt can still
throttle them, because the IP address (and Sift ID) counters are still in
force.

* Sift ID Blocking

During previous login attacks, we documented a set of Sift IDs that were used
repeatedly in those attempts. Those IDs are blocked with a CAPTCHA
*immediately*, and with a 20% chance we present them with a faked successful
response. This is done to throw off attackers using these IDs.
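
The walk-through below is an added example for this page, written in Python; it
is not the PHP in =account_controller.php= or =throttler.php=, and it only models
the behaviour described in the CAPTCHA Throttling and Sift ID Blocking sections
above. The Redis key layout, the =check= / =record= split, the in-memory Redis
stand-in, the fixed-window TTL (set when a counter is first created), the reading
that the challenge fires on the attempt after the third recorded one, and the
reading that the IP and Sift ID counters count every attempt while the username
counter counts only failures, are all assumptions made for the example; the
usernames, IP addresses, Sift IDs and blocklist entry are constructed sample data.

```python
"""Python model of the login throttling rules on this page. Added example, not the
PHP in account_controller.php / throttler.php; key and function names are made up."""
import random
from typing import Callable, Dict, FrozenSet, List, NamedTuple
from dataclasses import dataclass

class FakeRedis:
    """In-memory stand-in for INCR/EXPIRE/GET/DEL; `now` is advanced by hand so the
    example runs offline and deterministically. Constructed for this example."""
    def __init__(self) -> None:
        self.now, self._data, self._expiry = 0.0, {}, {}
    def _purge(self, key: str) -> None:
        if self._expiry.get(key, float("inf")) <= self.now:
            self.delete(key)
    def get(self, key: str) -> int:
        self._purge(key)
        return self._data.get(key, 0)
    def incr(self, key: str) -> int:
        self._data[key] = self.get(key) + 1  # get() drops an expired key first
        return self._data[key]
    def expire(self, key: str, seconds: int) -> None:
        self._expiry[key] = self.now + seconds
    def delete(self, key: str) -> None:
        self._data.pop(key, None)
        self._expiry.pop(key, None)

# Table thresholds: (attempts, window in seconds). TTL set when a counter is created.
RULES = {"username": (3, 10 * 60), "ip": (3, 12 * 3600), "sift": (3, 30 * 60)}
FAKE_SUCCESS_RATE = 0.2  # faked success response rate for blocklisted Sift IDs

@dataclass
class LoginAttempt:
    username: str
    ip: str
    sift_id: str
    csrf_valid: bool = True
    has_customer_cookie: bool = True

class Decision(NamedTuple):
    reasons: List[str]  # every rule that fired; a CAPTCHA is required iff non-empty
    fake_success: bool

def _keys(a: LoginAttempt) -> Dict[str, str]:
    return {n: f"login:{n}:{v}" for n, v in zip(RULES, (a.username, a.ip, a.sift_id))}

def check(store: FakeRedis, a: LoginAttempt, blocked_sift: FrozenSet[str] = frozenset(),
          rng: Callable[[], float] = random.random) -> Decision:
    """Run before credentials are verified, so a correct password on this attempt
    does not avoid the challenge. Every rule is evaluated; none short-circuits."""
    reasons, fake = [], False
    if not a.csrf_valid:
        reasons.append("csrf")             # "Immediate" row
    if not a.has_customer_cookie:
        reasons.append("customer_cookie")  # "Immediate" row
    if a.sift_id in blocked_sift:          # Sift ID Blocking section
        reasons.append("sift_blocklist")
        fake = rng() < FAKE_SUCCESS_RATE
    for name, (limit, _ttl) in RULES.items():
        if store.get(_keys(a)[name]) >= limit:
            reasons.append(name)
    return Decision(reasons, fake)

def record(store: FakeRedis, a: LoginAttempt, success: bool) -> None:
    """Run after the credential check. The username counter tracks failures only and
    is the only one cleared on success; IP and Sift ID counters count every attempt."""
    keys = _keys(a)
    for name in ("ip", "sift"):
        if store.incr(keys[name]) == 1:
            store.expire(keys[name], RULES[name][1])
    if success:
        store.delete(keys["username"])
    elif store.incr(keys["username"]) == 1:
        store.expire(keys["username"], RULES["username"][1])

def scenario() -> List[List[str]]:
    """Constructed walk-through for 'alice': attempts 1-3 fail, 4 succeeds, 5 fails,
    6 comes 31 min later (Sift window lapsed), 7 another 12 h later (IP lapsed)."""
    store = FakeRedis()
    a = LoginAttempt(username="alice", ip="203.0.113.7", sift_id="sift-A1")
    seen = []  # sorted CAPTCHA reasons seen on each attempt
    for advance, ok in [(0, False), (0, False), (0, False), (0, True), (0, False),
                        (31 * 60, False), (12 * 3600, False)]:
        store.now += advance
        seen.append(sorted(check(store, a).reasons))
        record(store, a, ok)
    return seen

def immediate_cases() -> Dict[str, Decision]:
    """Constructed cases for the two 'Immediate' rows and the Sift blocklist; the RNG
    is stubbed so both sides of the 20% branch are exercised."""
    store, blocked = FakeRedis(), frozenset({"sift-BAD"})  # constructed blocklist
    def bob(**kw): return LoginAttempt(username="bob", ip="198.51.100.9", **kw)
    return {"no_csrf": check(store, bob(sift_id="sift-B2", csrf_valid=False)),
            "no_cookie": check(store, bob(sift_id="sift-B2", has_customer_cookie=False)),
            "blocked_fake": check(store, bob(sift_id="sift-BAD"), blocked, lambda: 0.1),
            "blocked_real": check(store, bob(sift_id="sift-BAD"), blocked, lambda: 0.9)}
```

Calling =scenario()= shows the reset rule from the section above: the fourth
attempt is challenged on all three counters even though the password is right,
the fifth only by IP and Sift ID (the username counter was cleared on success),
and the sixth only by IP once the 30-minute Sift window has lapsed. One caveat
for the real implementation: an INCR followed by a separate EXPIRE is not
atomic, so a crash between the two leaves a counter with no TTL and the key
stays throttled until someone deletes it by hand; in Redis the pair should go
through MULTI/EXEC or a Lua script.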

* Code

All the CAPTCHA / throttling logic currently in place lives in
[[https://gitlab.aweber.io/CP/applications/sites/-/blob/master/aweber_app/controllers/account_controller.php][aweber_app/controllers/account_controller.php]], mainly in the =loginAjax= and
=isThrottled= methods. The repeated actions are tracked using
[[https://gitlab.aweber.io/CP/applications/sites/-/blob/master/php5-vendors/vendors/throttler.php][php5-vendors/vendors/throttler.php]], which uses counters in Redis with a TTL
attached.

* Graphs

Login attempts and throttling are graphed in Grafana on the
[[https://grafana.aweber.io/d/000000530/account-logins][Account Logins dashboard]].