[keycloak-dev] Brute force attack protection
Bill Burke
bburke at redhat.com
Mon Mar 17 09:06:39 EDT 2014
On 3/17/2014 5:38 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Friday, 14 March, 2014 10:01:47 PM
>> Subject: Re: [keycloak-dev] Brute force attack protection
>>
>> Ugh, seems that Captchas are easily broken too and also cause as much as
>> 10% loss in leads/users. I've seen suggestions of a combination of IP
>> Address whitelists and blacklists per user and cross user.
>>
>>
>> 1. If a user successfully logs in, add their IP address to the user's
>> whitelist.
>> 2. After X failed login attempts per user, set the User's notBefore to
>> incrementally higher times on multiple failures. The notBefore check is
>> ignored for IP address on the user's whitelist.
>>
>> The problem I see with this approach is that the attacker's IP might be
>> on the whitelist because of a proxy. There's also the problem with a
>> Gateway/Proxy screwing up the Server's idea of what the client IP is. I
>> know a Gateway/Proxy can set headers like "HTTP_X_FORWARDED_FOR". I'm
>> wondering if you can trust the Gateway/Proxy to remove
>> "HTTP_X_FORWARDED_FOR" headers sent by the client itself.
>
> Wouldn't a blacklist be better? If a user fails to login from a certain IP address N times add the IP to a blacklist?
>
> I can see a few issues with a whitelist:
>
> * Shared IP/NAT
> * Public networks (anyone at a Starbucks is on the whitelist)
> * Dynamic IP addresses (home broadband)
>
Did a bit more research.
Blacklist has the same issues as a whitelist. What I think I'm going to
do is if there is a failure, wait to respond to the client for N
seconds. This let's successful logins immediately, but delays responses
from a failure. I'll also automatically wait N number of seconds if the
last failure was not that far back. (1 secs? 2 secs?)
This could cause a DoS, but could be mitigated greatly if we used Async
HTTP. Unfortunately, I believe EAP has a race condition with Async
HTTP. Need to find out if it was fixed.
We'll also keep a log of failures by IP that can be displayed in the
admin console. Allow the admin to create blacklists/whitelists. Allow
the admin to specify if headers like "X-Forwarded-For" can be trusted.
Allow admins to set up blocks/warnings by country IP.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list