xerxes
April 26, 2020, 9:02am
Testing self-hosted Bitwarden 2.13.2.
I made some tests using curl commands against the POST /identity/connect/token endpoint and I don’t see any rate limiting on the number of attempts.
Do you confirm?
Why not add a delay (exponential backoff) on the login endpoint?
Ablac
(Keith Swoger)
April 26, 2020, 8:34pm
I might be mistaken, but isn’t that what the KDF iterations are for, to prevent brute force attacks?
xerxes
April 27, 2020, 8:26am
Yes (good point, I didn’t think about it), it is a first level but not enough IMO: manually, I can perform 10 requests/sec… I’m thinking of something that could lock the app for several seconds or even minutes…
tgreer
(Trey Greer)
April 27, 2020, 10:57am
The endpoints do block requests after a certain point; you’ll get HTTP 429, for cloud users.
Be nice to our API
xerxes
April 27, 2020, 12:55pm
That’s fine, but what about self-hosted users?
tgreer
(Trey Greer)
April 27, 2020, 8:34pm
It could be done via firewall, etc., depending on hosting configuration.
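One way a self-hosted operator can get the same 429 behaviour the cloud service has, as an added example that is not Bitwarden’s own configuration: an nginx reverse proxy in front of the stack applying a per-client rate limit only to the token endpoint. The upstream address 127.0.0.1:8080, the host name and the chosen rate are assumptions for illustration.

```nginx
# Added example, not part of the Bitwarden project: per-client rate limit on
# the login endpoint at a reverse proxy in front of a self-hosted instance.
# Assumes the Bitwarden nginx container listens on 127.0.0.1:8080 (assumption).
http {
    # One bucket per client address; 10 token requests per minute sustained.
    limit_req_zone $binary_remote_addr zone=bw_login:10m rate=10r/m;
    # Answer with 429 (as the cloud service does) instead of nginx's default 503.
    limit_req_status 429;

    server {
        listen 443 ssl;
        server_name vault.example.com;   # placeholder host name
        # ssl_certificate / ssl_certificate_key omitted for brevity

        # Exact match: only the password/refresh token endpoint is limited.
        location = /identity/connect/token {
            # Allow a short burst of 5 extra requests, then reject immediately.
            limit_req zone=bw_login burst=5 nodelay;
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Everything else passes through unlimited.
        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Keep in mind that legitimate clients also use this endpoint to refresh access tokens, so a limit that is too tight, or keyed on a shared NAT address, will lock out real users before it stops a guessing attempt; watch the 429 count in the access log after enabling it.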