Limit logins on satellite

I have just noticed that when logging into Storj DCS there is no rate limit.
This is great for brute force attacks.

One suggestion would be to limit the number of logins in a row or force an ever increasing waiting period between login attempts after n unsuccessful tries.

5 Likes

Thanks for the suggestion. I’ve let the team know about your findings.

3 Likes

We do (should) have rate limiting in place. Can you give details of exactly what you tried that indicated there was no rate limit?

This?

I made a couple of test logins with wrong credentials. As a result it seems that the account got locked. This process does not seem to be well thought out:

  1. There is no description for the valid account holder how to unlock the account. Waiting is not a good approach for the true account holder.
  2. It seems that I would be able to lock any account if I know the email address of the account holder. Simply by doing some false login attempts.

  1. I was able to do many login attempts in a row
  2. I did not receive a warning. Thinking of it, it might be this: 2 different errors on US2
     Maybe the error Unexpected token T in JSON at position 0 should have been the warning or the lockout message? I don’t know.

My suggestions would be:

  1. Impose an increasing waiting time between wrong logins
  2. Have a process in place for the valid account holder to unlock his account
  3. Display the description to unlock / remaining waiting time
  4. Don’t allow an adversary to impose a lock onto an account just because he knows the email address of a user

There is an additional idea that I know from Lastpass and which is very useful. As a Lastpass user I can restrict login to specific IPs/Regions. And - very useful - I can disallow logins that come from the Tor network. Maybe such an implementation would be interesting to secure Storj accounts further.

1 Like
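Suggestions 1 and 4 above (an increasing wait between wrong logins, and no way for someone who only knows an email address to lock the owner out) can coexist in one throttle. The following is an added illustration written for this thread, not Storj satellite code: failures are counted per (account, source) so the escalating delay lands on the source that is guessing, and a second, low-capped per-account delay slows distributed guessing without ever locking the account. The thresholds, the `\x00` key separator, the injected clock and the example addresses are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Tunables (assumed values for this example, not Storj's settings).
const (
	freeFailures   = 3                // failures from one source before delays start
	baseDelay      = time.Second      // first delay; doubles on each further failure
	maxSourceWait  = 15 * time.Minute // ceiling for a single guessing source
	maxAccountWait = 30 * time.Second // ceiling for the whole account: slows, never locks
)

type counter struct {
	failures  int
	notBefore time.Time
}

// Throttle tracks failed logins per (account, source) and per account.
// "source" is whatever identifies the caller, e.g. the client IP.
type Throttle struct {
	mu        sync.Mutex
	now       func() time.Time // injected clock so the policy can be tested
	bySource  map[string]*counter
	byAccount map[string]*counter
}

func NewThrottle(now func() time.Time) *Throttle {
	return &Throttle{now: now, bySource: map[string]*counter{}, byAccount: map[string]*counter{}}
}

func sourceKey(account, source string) string { return account + "\x00" + source }

// backoff returns the wait after n failures: nothing for the first few,
// then baseDelay doubling each time, capped at limit.
func backoff(n int, limit time.Duration) time.Duration {
	if n <= freeFailures {
		return 0
	}
	d := baseDelay << uint(n-freeFailures-1)
	if d > limit || d <= 0 { // d <= 0 guards against shift overflow
		return limit
	}
	return d
}

// Allow reports whether an attempt for account from source may proceed now,
// and if not, how long the caller should wait.
func (t *Throttle) Allow(account, source string) (bool, time.Duration) {
	t.mu.Lock()
	defer t.mu.Unlock()
	now := t.now()
	var wait time.Duration
	if c := t.bySource[sourceKey(account, source)]; c != nil && c.notBefore.After(now) {
		wait = c.notBefore.Sub(now)
	}
	if c := t.byAccount[account]; c != nil && c.notBefore.After(now) {
		if w := c.notBefore.Sub(now); w > wait {
			wait = w
		}
	}
	return wait == 0, wait
}

// Fail records a wrong password and returns the wait before the next attempt
// from the same source.
func (t *Throttle) Fail(account, source string) time.Duration {
	t.mu.Lock()
	defer t.mu.Unlock()
	now := t.now()
	s := bump(t.bySource, sourceKey(account, source))
	s.notBefore = now.Add(backoff(s.failures, maxSourceWait))
	a := bump(t.byAccount, account)
	a.notBefore = now.Add(backoff(a.failures, maxAccountWait))
	return s.notBefore.Sub(now)
}

func bump(m map[string]*counter, k string) *counter {
	c := m[k]
	if c == nil {
		c = &counter{}
		m[k] = c
	}
	c.failures++
	return c
}

// Succeed clears the counters after a correct login.
func (t *Throttle) Succeed(account, source string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	delete(t.bySource, sourceKey(account, source))
	delete(t.byAccount, account)
}

func main() {
	// Constructed scenario: one source guesses twelve times, the owner logs in from elsewhere.
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	th := NewThrottle(func() time.Time { return now })
	for i := 0; i < 12; i++ {
		th.Fail("alice@example.com", "203.0.113.7")
	}
	_, guesser := th.Allow("alice@example.com", "203.0.113.7")
	_, owner := th.Allow("alice@example.com", "198.51.100.5")
	fmt.Printf("guessing source waits %v, owner waits at most %v\n", guesser, owner)
}
```

The per-account cap is the trade-off to keep in mind: it blunts guessing spread over many sources, but anyone who knows the email address can keep the owner's wait at that cap, so it should stay small, and the page should show the remaining wait (suggestion 3) rather than a bare error.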

Nope, that wasn’t what I meant. I didn’t even know that was a thing. I agree with you that is a misfeature. I’ll try to figure out who to talk to about that.

Yep, that was the rate limit warning. If you had inspected the returned HTTP message, you would have seen the error message “Too many requests”. That’s where the ‘unexpected token T’ comes from :smiley:

So, yes, that’s a very unhelpful way for us to present the error, and we should handle the error on the login page. But at least the rate limiting does exist.

Your suggestions are good ones. I’ll pass them on.

5 Likes
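The ‘unexpected token T’ in the earlier post is what a page gets when it calls JSON.parse on a plain-text “Too many requests” body. An added example, not the satellite's own handler or API, of the contract that avoids it on both sides: the server always answers in JSON, with HTTP 429 and a Retry-After header when throttled, and the client checks status and content type before parsing. The `Limiter` callback, the `/login` path, the JSON field names and the sample credentials are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

// errorBody is the JSON shape every failed login gets in this example
// (assumed, not Storj's API), so the page can always parse the reply.
type errorBody struct {
	Error             string `json:"error"`
	RetryAfterSeconds int    `json:"retry_after_seconds,omitempty"`
}

// Limiter is the throttling decision the handler relies on; the policy itself
// is injected so this example stays focused on error presentation.
type Limiter func(email, source string) (allowed bool, wait time.Duration)

func writeJSON(w http.ResponseWriter, status int, v interface{}) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(v)
}

// loginHandler never answers with a bare text body: a throttled request gets
// HTTP 429, a Retry-After header and a JSON error.
func loginHandler(limit Limiter, checkPassword func(email, pw string) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req struct{ Email, Password string }
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			writeJSON(w, http.StatusBadRequest, errorBody{Error: "bad_request"})
			return
		}
		if ok, wait := limit(req.Email, r.RemoteAddr); !ok {
			secs := int(wait.Seconds() + 0.999) // round up so the client never retries early
			w.Header().Set("Retry-After", strconv.Itoa(secs))
			writeJSON(w, http.StatusTooManyRequests, errorBody{Error: "too_many_requests", RetryAfterSeconds: secs})
			return
		}
		if !checkPassword(req.Email, req.Password) {
			writeJSON(w, http.StatusUnauthorized, errorBody{Error: "invalid_credentials"})
			return
		}
		writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
	}
}

// describeResponse is the client-side half: check status and content type
// before parsing, so a plain-text reply yields a usable message instead of
// "Unexpected token T in JSON at position 0".
func describeResponse(status int, contentType string, body []byte) (string, error) {
	if !strings.HasPrefix(contentType, "application/json") {
		return "", fmt.Errorf("non-JSON reply (HTTP %d): %q", status, strings.TrimSpace(string(body)))
	}
	if status == http.StatusOK {
		return "logged in", nil
	}
	var e errorBody
	if err := json.Unmarshal(body, &e); err != nil {
		return "", err
	}
	if status == http.StatusTooManyRequests {
		return fmt.Sprintf("too many attempts; try again in %d seconds", e.RetryAfterSeconds), nil
	}
	return e.Error, nil
}

// post sends one login request to the handler in-process and returns what the
// page would see. The /login path is a placeholder.
func post(h http.Handler, email, password string) (int, string, []byte) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/login",
		strings.NewReader(fmt.Sprintf(`{"email":%q,"password":%q}`, email, password)))
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Content-Type"), rec.Body.Bytes()
}

func main() {
	// Constructed scenario: the limiter says wait 30s, so the page gets a JSON 429.
	throttled := func(string, string) (bool, time.Duration) { return false, 30 * time.Second }
	h := loginHandler(throttled, func(string, string) bool { return false })
	status, ct, body := post(h, "alice@example.com", "guess")
	fmt.Printf("HTTP %d %s %s", status, ct, body)
	msg, err := describeResponse(status, ct, body)
	fmt.Println(msg, err)
}
```

Returning the remaining wait in the body as well as in Retry-After lets the login page display it directly, which is what suggestion 3 in the earlier post asks for.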