So I've implemented an IP blocklist for the /login endpoint on my server. If any IP fails to log in more than x number of attempts in x number of minutes, the requesting IP is blocklisted for x number of minutes.

That goes a long way in mitigating any brute-force attacks attempting to determine a user's password, by adding large delays to the mix when too many failed /login requests are received from any given IP.
But there's a scenario where this could be problematic, and actually be an instrument for an attacker to launch a DoS attack against my legitimate user, like so:

- BadHacker wants to DoS LegitUser's website.
- LegitUser has a server with the IP 11.22.33.44.
- LegitUser's server needs to communicate with my system in order to remain online.
- BadHacker finds out what LegitUser's server IP is.
- BadHacker uses a proxy server as an IP-spoofing machine to send a large number of purposely unsuccessful /login attempts to my system, knowing that these failed attempts will get the requesting IP (which has been spoofed to be 11.22.33.44) blocklisted.
- BadHacker doesn't care if they receive a response from my system for the purposely unsuccessful /login requests, because the point of this attack is not to brute-force any credentials; it's to trick my system into believing that the IP 11.22.33.44 has exceeded its allotted login failures for any given timeframe.
- The result is that the IP 11.22.33.44 is blocklisted by my system. But this IP does not belong to BadHacker; it belongs to LegitUser, who has played no role in this attack at all.
- The result of the blocklisting of the IP 11.22.33.44 is that the website served from that host is now offline, because it depends on my system to remain online.
How could I go about protecting against this?
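The blocklist policy described in the question, with the spoofed-lockout scenario replayed against it, as an added example (not the poster's code); the 5-failures/10-minute/15-minute parameters and the unrelated address 198.51.100.7 are assumptions.

```python
from collections import defaultdict, deque

# Added example, not the poster's code. Policy parameters are assumptions: 5 failures
# within 10 minutes block the source IP for 15 minutes; times are seconds, passed in explicitly.
MAX_FAILURES = 5
WINDOW_SECONDS = 10 * 60
BLOCK_SECONDS = 15 * 60


class LoginBlocklist:
    """Per-source-IP failed-login counter with a sliding window and timed block."""

    def __init__(self):
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]      # block has expired; forget it
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed /login from ip; return True if ip is now blocked."""
        window = self._failures[ip]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                 # drop failures outside the window
        if len(window) >= MAX_FAILURES:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()
            return True
        return False


def spoofed_lockout_scenario():
    """Replay the scenario from the question: a burst of deliberately failed
    logins whose source address is forged as the legitimate server's IP."""
    bl = LoginBlocklist()
    victim = "11.22.33.44"                   # LegitUser's server, from the question
    for i in range(MAX_FAILURES):            # attacker never needs the replies
        bl.record_failure(victim, now=i)
    later = MAX_FAILURES + BLOCK_SECONDS     # a moment after the block has expired
    return {
        "victim_blocked": bl.is_blocked(victim, now=MAX_FAILURES),
        "other_ip_blocked": bl.is_blocked("198.51.100.7", now=MAX_FAILURES),  # constructed
        "victim_blocked_after_expiry": bl.is_blocked(victim, now=later),
    }
```

The counter never sees who really sent the packets, so the forged failures land on LegitUser's address and the block holds for the full BLOCK_SECONDS regardless of what LegitUser's server does in the meantime.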