8:44 a.m.
Hey guys,
We ran into an issue recently where a customer didn’t have a great understanding of the
OAuth2 authorization process and was submitting many direct grant login requests per
second. They were successfully authenticating each time, so the brute force protection
features don’t apply. It basically ended up being a DOS issue. We also ended up having OOM
issues when trying to query the events for this customer during a scheduled job that we
use to build reports on login events. We’re still running 1.8.2 at the moment, so I’m
wondering if you guys have implemented any kind of rate limiting / DOS prevention that
could have prevented this in one of the later releases? If not, I'm proposing that it
might be worth considering, I could try to contribute something if you like. What do you
guys think?
Thanks,
Cory Snyder
1:42 a.m.
The brute force protection is there only to prevent guessing the password
through a brute force attack. It's not there to stop DOS attacks. We don't
have any rate limiting at the moment and I believe that's something that
would be better introduced with a firewall / intrusion detection system.
It's non-trivial to add, especially with the fact that a single client that
invokes the direct grant login could have thousands of legitimate users. I
don't think a simple implementation would be much value and not replace a
full fledged firewall.
What did you have in mind with regards to requirements? Ability to
configure max number of requests per-client? Per-user?
For the OOM the events endpoints supports pagination as well as date ranges
which should prevent and OOM issue when querying it.
On 2 September 2016 at 15:44, Cory Snyder <csnyder(a)iland.com> wrote:
Hey guys,
We ran into an issue recently where a customer didn’t have a great
understanding of the OAuth2 authorization process and was submitting many
direct grant login requests per second. They were successfully
authenticating each time, so the brute force protection features don’t
apply. It basically ended up being a DOS issue. We also ended up having OOM
issues when trying to query the events for this customer during a scheduled
job that we use to build reports on login events. We’re still running 1.8.2
at the moment, so I’m wondering if you guys have implemented any kind of
rate limiting / DOS prevention that could have prevented this in one of the
later releases? If not, I'm proposing that it might be worth considering, I
could try to contribute something if you like. What do you guys think?
Thanks,
Cory Snyder
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:33 p.m.
I believe it makes sense. The idea of having it on Keycloak is
tempting and challenging. Although, like you mentioned,
this is something that people can solve with Firewalls or IDS.
Implementing a rate limit can be really tricky, because all the common ways
of identifying an adversary can be beaten. For example, configure the max
number of requests per-client wouldn't stop the threat of DoS. People
still can make multiple requests through proxies.
There's an interesting reading on it[1]. In the article, Troy introduces
a rate-limit by IP address. It works, but quoting him "Someone could also
fire up a botnet and hammer it from different IPs all around the globe".
[1] -
https://www.troyhunt.com/the-have-i-been-pwned-api-rate-limiting-and-comm...
On 2016-09-05, Stian Thorgersen wrote:
The brute force protection is there only to prevent guessing the
password
through a brute force attack. It's not there to stop DOS attacks. We don't
have any rate limiting at the moment and I believe that's something that
would be better introduced with a firewall / intrusion detection system.
It's non-trivial to add, especially with the fact that a single client that
invokes the direct grant login could have thousands of legitimate users. I
don't think a simple implementation would be much value and not replace a
full fledged firewall.
What did you have in mind with regards to requirements? Ability to
configure max number of requests per-client? Per-user?
For the OOM the events endpoints supports pagination as well as date ranges
which should prevent and OOM issue when querying it.
On 2 September 2016 at 15:44, Cory Snyder <csnyder(a)iland.com> wrote:
> Hey guys,
>
> We ran into an issue recently where a customer didn’t have a great
> understanding of the OAuth2 authorization process and was submitting many
> direct grant login requests per second. They were successfully
> authenticating each time, so the brute force protection features don’t
> apply. It basically ended up being a DOS issue. We also ended up having OOM
> issues when trying to query the events for this customer during a scheduled
> job that we use to build reports on login events. We’re still running 1.8.2
> at the moment, so I’m wondering if you guys have implemented any kind of
> rate limiting / DOS prevention that could have prevented this in one of the
> later releases? If not, I'm proposing that it might be worth considering, I
> could try to contribute something if you like. What do you guys think?
>
> Thanks,
>
> Cory Snyder
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
8:14 a.m.
Hey Stian,
I agree that we could make something work with a Firewall / intrusion detection system if
it’s decided that this is too complex to add directly to Keycloak.
What I had in mind was a configurable sliding-time window rate limit that would prevent a
client from making too many requests for a particular user in short time frames. E.g.
limit each client to making at most 1 login request within a sliding 5 sec interval for
each user. The 5 sec timespan could be made configurable or even be computed relative to
the token timeout settings.
Perhaps another alternative is to offer an admin alert to ensure that Keycloak admins are
aware of clients that are incorrectly using/abusing the authentication workflow. I guess
it could work the same way as the blocking rate limit, with the exception of the fact that
it would just send an email to the Keycloak admin instead of directly blocking the
offending client.
The OOM was indeed our fault as we were not using the paging options, I just mentioned it
to provide additional context for the scenario that we experienced and to explain the
reason that we had some down-time based upon these excessive logins.
All that said, perhaps you’re right about the fact that this may be better handled in
logic external to Keycloak. In any case, I think its a worthwhile discussion and
appreciate your input!
Thanks,
Cory Snyder
On Sep 5, 2016, at 2:42 AM, Stian Thorgersen
<sthorger@redhat.com<mailto:sthorger@redhat.com>> wrote:
The brute force protection is there only to prevent guessing the password through a brute
force attack. It's not there to stop DOS attacks. We don't have any rate limiting
at the moment and I believe that's something that would be better introduced with a
firewall / intrusion detection system.
It's non-trivial to add, especially with the fact that a single client that invokes
the direct grant login could have thousands of legitimate users. I don't think a
simple implementation would be much value and not replace a full fledged firewall.
What did you have in mind with regards to requirements? Ability to configure max number of
requests per-client? Per-user?
For the OOM the events endpoints supports pagination as well as date ranges which should
prevent and OOM issue when querying it.
On 2 September 2016 at 15:44, Cory Snyder
<csnyder@iland.com<mailto:csnyder@iland.com>> wrote:
Hey guys,
We ran into an issue recently where a customer didn’t have a great understanding of the
OAuth2 authorization process and was submitting many direct grant login requests per
second. They were successfully authenticating each time, so the brute force protection
features don’t apply. It basically ended up being a DOS issue. We also ended up having OOM
issues when trying to query the events for this customer during a scheduled job that we
use to build reports on login events. We’re still running 1.8.2 at the moment, so I’m
wondering if you guys have implemented any kind of rate limiting / DOS prevention that
could have prevented this in one of the later releases? If not, I'm proposing that it
might be worth considering, I could try to contribute something if you like. What do you
guys think?
Thanks,
Cory Snyder
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
7:30 a.m.
Problem is that it would only cover one very specific issue, while still
being a relatively big thing to implement and test. There's clustering to
consider as all nodes would need to share the knowledge about number of
attempts. Also, the feature itself could end up being a DoS/OOM issue. If
there's 100 clients and 100k users that's potentially 10 million entries.
In summary trying to add this level of protection directly to Keycloak
would be very costly and most likely would never be on par with a decent
firewall.
On 6 September 2016 at 15:14, Cory Snyder <csnyder(a)iland.com> wrote:
Hey Stian,
I agree that we could make something work with a Firewall / intrusion
detection system if it’s decided that this is too complex to add directly
to Keycloak.
What I had in mind was a configurable sliding-time window rate limit that
would prevent a client from making too many requests for a particular user
in short time frames. E.g. limit each client to making at most 1 login
request within a sliding 5 sec interval for each user. The 5 sec timespan
could be made configurable or even be computed relative to the token
timeout settings.
Perhaps another alternative is to offer an admin alert to ensure
that
Keycloak admins are aware of clients that are incorrectly using/abusing the
authentication workflow. I guess it could work the same way as the blocking
rate limit, with the exception of the fact that it would just send an email
to the Keycloak admin instead of directly blocking the offending client.
The OOM was indeed our fault as we were not using the paging options, I
just mentioned it to provide additional context for the scenario that we
experienced and to explain the reason that we had some down-time based upon
these excessive logins.
All that said, perhaps you’re right about the fact that this may be better
handled in logic external to Keycloak. In any case, I think its a
worthwhile discussion and appreciate your input!
Thanks,
Cory Snyder
On Sep 5, 2016, at 2:42 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
The brute force protection is there only to prevent guessing the password
through a brute force attack. It's not there to stop DOS attacks. We don't
have any rate limiting at the moment and I believe that's something that
would be better introduced with a firewall / intrusion detection system.
It's non-trivial to add, especially with the fact that a single client
that invokes the direct grant login could have thousands of legitimate
users. I don't think a simple implementation would be much value and not
replace a full fledged firewall.
What did you have in mind with regards to requirements? Ability to
configure max number of requests per-client? Per-user?
For the OOM the events endpoints supports pagination as well as date
ranges which should prevent and OOM issue when querying it.
On 2 September 2016 at 15:44, Cory Snyder <csnyder(a)iland.com> wrote:
> Hey guys,
>
> We ran into an issue recently where a customer didn’t have a great
> understanding of the OAuth2 authorization process and was submitting many
> direct grant login requests per second. They were successfully
> authenticating each time, so the brute force protection features don’t
> apply. It basically ended up being a DOS issue. We also ended up having OOM
> issues when trying to query the events for this customer during a scheduled
> job that we use to build reports on login events. We’re still running 1.8.2
> at the moment, so I’m wondering if you guys have implemented any kind of
> rate limiting / DOS prevention that could have prevented this in one of the
> later releases? If not, I'm proposing that it might be worth considering, I
> could try to contribute something if you like. What do you guys think?
>
> Thanks,
>
> Cory Snyder
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
3034
days inactive
3039
days old
4 comments
3 participants
participants (3)
-
Bruno Oliveira da Silva -
Cory Snyder -
Stian Thorgersen