View Issue Details

This bug affects 1 person(s).
ID: 09882
Project: Bug reports
Category: Security
View Status: public
Last Update: 2015-10-02 08:57
Reporter: gantier
Assigned To: sammousa
Priority: high
Severity: partial_block
Status: closed
Resolution: not fixable
Product Version: 2.06+
Summary: 09882: Brute force attack prevention based on IP address (enables easy DoS attacks)
Description

Brute force attack prevention seems to work (only?) with IP address, which is a problem for quite big organizations (business office, associations, universities, colleges...).
So, one (stupid) guy is able to block the application for all other users with a simple script launched every 11 minutes -> Denial of service :/

Tags: No tags attached.
Bug heat: 256
Complete LimeSurvey version number (& build): Version 2.06+ Build 150911
I will donate to the project if issue is resolved: No
Browser:
Database type & version: MySQL 5.5.44
Server OS (if known): Ubuntu LTS Server 14.04
Webserver software & version (if known): Apache 2.4
PHP Version: 5.5.9

Users monitoring this issue

There are no users monitoring this issue.

Activities

sammousa

2015-09-15 09:34

reporter   ~33097

If he launches a script every 11 minutes he will not bring LS down..
If he has access to a botnet and does a DDOS no application will be able to protect itself from that. If you are that big of an organization you should have professional firewalls / IT support to handle that.

There is no feasible way to prevent DDOS attacks at the application end.

gantier

2015-09-15 13:01

reporter   ~33098

Last edited: 2015-09-15 13:01

"If he launches a script every 11 minutes he will not bring LS down.." --> Of course :)
However the DOS can be either functional or technical, the result is the same: the application is unusable.

It could be at least a good idea to be able to disable this security measure (or specify IP address/mask to enable/disable it).

jelo

2015-09-17 17:51

partner   ~33118

Can we differentiate between brute-force attacks and DDoS?

A login protection for false logins and a way to disable sending new generated passwords would be a good thing. To create a new user without sending the password in plain email would be good too.

sammousa

2015-10-02 08:56

reporter   ~33285

Not looking at IP will make for easier DOS attacks.
Say you try to brute force my username from several IPs, so I lock out the user..
Now you have effectively done a DOS attack since I am no longer able to login.

Closing this, for LS3 feel free to implement your own AuthenticationPlugin that adds whatever "protection" you feel is needed.
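
The trade-off argued in this thread (lockout keyed on IP blocks a whole NAT'd office; lockout keyed on username lets guesses from many addresses lock out the real user) can be narrowed by keying the counter on the (username, client IP) pair and honouring the IP/mask exemption list gantier asked for. The following is an added, constructed illustration, not LimeSurvey's own code or plugin API; the class, thresholds and addresses are assumptions.

```python
import ipaddress
import time
from collections import defaultdict


class LoginThrottle:
    """Failed-login throttle keyed on the (username, client IP) pair, with an
    exempt-network list (IP/mask) that is never throttled.  Constructed example."""

    def __init__(self, max_failures=5, lockout_seconds=11 * 60, exempt_networks=()):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.exempt = [ipaddress.ip_network(n, strict=False) for n in exempt_networks]
        self.failures = defaultdict(list)  # (username, ip) -> recent failure times

    def _is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt)

    def _recent(self, key, now):
        # Drop failures older than the lockout window before counting.
        cutoff = now - self.lockout_seconds
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return self.failures[key]

    def is_locked(self, username, ip, now=None):
        now = time.time() if now is None else now
        if self._is_exempt(ip):
            return False
        return len(self._recent((username, ip), now)) >= self.max_failures

    def record_failure(self, username, ip, now=None):
        now = time.time() if now is None else now
        if not self._is_exempt(ip):
            self._recent((username, ip), now).append(now)

    def record_success(self, username, ip):
        self.failures.pop((username, ip), None)  # clears that pair only


def nat_office_demo():
    """Three bad guesses at 'victim' from a shared office address (constructed
    203.0.113.10) lock that pair only; 'alice' behind the same NAT still logs in."""
    throttle = LoginThrottle(max_failures=3, lockout_seconds=11 * 60)
    office_nat = "203.0.113.10"
    for _ in range(3):
        throttle.record_failure("victim", office_nat, now=0)
    return (throttle.is_locked("victim", office_nat, now=1),
            throttle.is_locked("alice", office_nat, now=1))
```

Keying on the pair means a shared NAT address only loses access to the username that was actually guessed at, and guesses spread over other addresses do not lock the legitimate user out from their own. Each address still gets a fixed number of guesses per username within the window, so this complements strong passwords and slow password hashing rather than replacing them.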

Issue History

Date Modified Username Field Change
2015-09-14 16:23 gantier New Issue
2015-09-15 09:34 sammousa Note Added: 33097
2015-09-15 09:34 sammousa Assigned To => sammousa
2015-09-15 09:34 sammousa Status new => feedback
2015-09-15 13:01 gantier Note Added: 33098
2015-09-15 13:01 gantier Status feedback => assigned
2015-09-15 13:01 gantier Note Edited: 33098
2015-09-17 17:51 jelo Note Added: 33118
2015-10-02 08:56 sammousa Note Added: 33285
2015-10-02 08:57 sammousa Status assigned => closed
2015-10-02 08:57 sammousa Resolution open => not fixable