• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Tim Cooke
  • Liutauras Vilda
  • Jeanne Boyarsky
  • paul wheaton
Sheriffs:
  • Ron McLeod
  • Devaka Cooray
  • Henry Wong
Saloon Keepers:
  • Tim Holloway
  • Stephan van Hulst
  • Carey Brown
  • Tim Moores
  • Mikalai Zaikin
Bartenders:
  • Frits Walraven

Denial of Service / Bot preventation for this type of function

 
Ranch Hand
Posts: 178
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
We have a web application where when the user gets locked (from consecutive invalid passwords), the unlock account flow would be like this...


1. Click unlock account link
2. Next page will ask for username and email
3. If combination in #2 is valid, it will proceed to page where app ask user to trigger sending a token through SMS
4. In the next page users enters token and successfully unlocks


Is this setup susceptible to DoS attacks like bots? do we still have to use CAPTCHAs here?
 
author & internet detective
Posts: 42003
911
Eclipse IDE VI Editor Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
No, you don't need a captcha because the user has authenticated. You can still have a DoS in that a bad guy locks out all of your user accounts though. And for that matter hammers you with traffic as the bad guy submits millions of requests to your site to try to do the lockouts. Which means you should load test. And if you are a website on which a DoS is likely, you should add another mechanism to avoid the lockouts. For example on this site, we use increasing delays between attempts after the first few to prevent the denial of service from happening in the first place.

I would use an email rather than a SMS message though. If someone gets ahold of your username/email combinations, they can SMS spam your users. Which is more intrusive than email spam.
 
Andres Delrotti
Ranch Hand
Posts: 178
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Thanks Jeanne, just one thing...

No, you don't need a captcha because the user has authenticated



User hasn't been authenticated. If ever a user becomes locked. An unlock account link would be seen in the login page. User is not yet logged in.
 
Jeanne Boyarsky
author & internet detective
Posts: 42003
911
Eclipse IDE VI Editor Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Andres Delrotti wrote:User hasn't been authenticated. If ever a user becomes locked. An unlock account link would be seen in the login page. User is not yet logged in.


Right. I meant you know the user is who they say they are. Because the user has access to email/SMS.
 
Every time you till, you lose 30% of your organic matter. But this tiny ad is durable:
Gift giving made easy with the permaculture playing cards
https://coderanch.com/t/777758/Gift-giving-easy-permaculture-playing
reply
    Bookmark Topic Watch Topic
  • New Topic