aabdelrazek / addypin

addypin frontend/backend/DB in WT

security against DoS attacks #3

Open aabdelrazek opened 9 years ago

aabdelrazek commented 9 years ago

This is a big task, I'm just listing here what is on top of my head:

1 - include Captcha when adding new addresses, what about when looking up addresses?
2 - we may need to verify emails, but how???
3 - we may need to protect the DB from growing with garbage or unwanted entries!
  A - Remove entries that have never been looked up for a certain # of days (say 90 days)
  B - Prevent duplicates (same email and same address!!)
  C - ??????

ghost commented 9 years ago
aabdelrazek commented 9 years ago

Here is my concern about what you have just said about email: imagine someone added the following addresses:

addr1, abc@xyz.com
addr2, abc@xyzz.com
addr3, abc@xyyz.com
addr4, abc@xxyz.com

and so on,

how will you protect the DB from growing like crazy?

then you are saying verification is done when the user opens the link in his email, how do you know that the link is opened from his email?

ghost commented 9 years ago

same source, speed between entering new PINs with 80% similarity in email alias only ("everything before the domain name")

aabdelrazek commented 9 years ago

what source, man? and what is this speed? a couple of guys can break this in a few minutes, one creates fake address entries and the other is doing lookups.

also what do we do about created entries that haven't been used? for how long should we hold them in the DB?

ghost commented 9 years ago

source IP, you can detect fake entries if they are 80% matching, and they are randomly using the same exact location.. same source IP, 80% similarity in location, and same coordinates. is it possible that more than 10 people are creating the same PIN at the same exact place with similar email alias?!

ghost commented 9 years ago

Captcha and reCAPTCHA will solve it, plus we will mark the customer as verified whenever he first manages his PINs through the link opened from his email
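The abuse heuristics the thread settles on (reject same email + same address, flag many entries from one source IP at identical coordinates with 80%-similar email aliases, and expire entries not looked up for 90 days) as a self-contained sketch; this is added example code, not part of the addypin repository, and the `Pin` fields, the 10-entry cluster size and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher

SIMILARITY = 0.8            # "80% similarity in email alias" from the thread
CLUSTER_SIZE = 10           # "more than 10 people at the same exact place" is treated as fake
RETENTION = timedelta(days=90)  # rule 3A: drop entries never looked up for 90 days


@dataclass
class Pin:  # assumed shape of a stored entry
    email: str
    address: str
    coords: tuple          # (lat, lon) exactly as submitted
    source_ip: str
    last_lookup: datetime


def alias_similarity(a: str, b: str) -> float:
    """Similarity of the part before '@' (the 'alias', everything before the domain)."""
    la, lb = a.split("@", 1)[0].lower(), b.split("@", 1)[0].lower()
    return SequenceMatcher(None, la, lb).ratio()


def is_duplicate(new: Pin, existing: list) -> bool:
    """Rule 3B: the same email with the same address is rejected outright."""
    return any(p.email.lower() == new.email.lower() and p.address == new.address
               for p in existing)


def suspicious_clusters(pins, threshold=SIMILARITY, size=CLUSTER_SIZE):
    """Group entries by (source IP, coordinates) and flag any group in which at
    least `size` aliases are >= `threshold` similar to the group's first alias."""
    groups = {}
    for p in pins:
        groups.setdefault((p.source_ip, p.coords), []).append(p)
    flagged = []
    for key, members in groups.items():
        seed = members[0].email
        similar = [m for m in members if alias_similarity(seed, m.email) >= threshold]
        if len(similar) >= size:
            flagged.append(key)
    return flagged


def expired(pins, now, retention=RETENTION):
    """Rule 3A: entries not looked up within `retention` are candidates for removal."""
    return [p for p in pins if now - p.last_lookup > retention]
```

A real deployment would run `suspicious_clusters` over a sliding window of recent inserts so the per-source-IP rate ("speed") the thread mentions is also captured.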