iegomez / mosquitto-go-auth

Auth plugin for mosquitto.
MIT License
495 stars, 165 forks

Query : Mechanism to drop or block too many unauthorized requests #289

Closed Rajpratik71 closed 1 year ago

Rajpratik71 commented 1 year ago

Hi,

Is it possible to block or limit the no. of unauthorized requests for a username or clientId by a flag/config?

iegomez commented 1 year ago

The answer is most certainly no, but block in what way?

Rajpratik71 commented 1 year ago

The scenario is like this: someone got access through leaked credentials, and on the broker side persistence is enabled. Due to that, even after changing the password, the old access still remains, and a malicious client was able to bypass the auth request but was flooding ACL requests, because the broker has thousands of topics, so thousands of requests are coming in as topic access requests.

And it looks like they have retry logic, i.e. that is why it is not stopping. Because of this, the HTTP auth backend is being flooded with ACL requests and is also crashing.

iegomez commented 1 year ago

I'm sorry, I'll need you to clarify because I don't really understand. For example you say on the Broker side persistence is enabled, but I don't know what you mean by that.

And again, what do you mean by block?

Rajpratik71 commented 1 year ago

By "on the broker side persistence is enabled" I am referring to the `persistence true` flag of the Mosquitto broker.

So, the observation is that due to `persistence true` a rogue client is bypassing or reutilizing old auth requests or sessions and flooding ACL requests for all topics.

So, I am looking for some approach to block or drop those requests instead of sending them to the HTTP backend after a limit is crossed.

iegomez commented 1 year ago

I may be wrong, but as far as I know the persistence option is just to write data about connections, subscriptions, etc., to disk so you don't lose it on a restart of the broker.

If you're using the plugin to authorize certain users, each read or write on some topic will be checked, so it's really not related to persistence. If creds were leaked, you need to take care of it in the backend that's doing the auth.

And no, the plugin isn't involved in transport, it can't drop requests, it just handles authentication and authorization when they are passed along by Mosquitto.