
I had a scenario where someone created thousands of user accounts in a shop system, which flooded the DB. Different usernames/emails were used, and each creation came from a different IP address.

How can someone prevent / avoid such an "attack"?

Is there anything else besides CAPTCHAS that a programmer can do?

schroeder
xhallix
  • I'm just curious, why are you against the use of a captcha? – Rstew Jul 24 '17 at 15:23
  • Only collect most account details once you've verified the email address? It won't stop a really determined attacker, but adds an extra barrier to most attackers. – Matthew Jul 24 '17 at 15:25
  • @Ryan Entering distorted letters and identifying street signs has a fairly notable impact on usability. – Arminius Jul 24 '17 at 15:59

1 Answer


There are a number of things that a 'developer' could do to avoid bulk account creation in this manner - but it will depend on the appetite / budget for a client.

For example, a number of commercial WAFs are likely to spot the patterns in the end and start blocking these - even when they are coming from differing IPs. The WAF, if it uses cloud based learning / definitions, may have already seen issues from those IPs for other sites that it is being used to protect.

If you're just looking for a purely 'programmed' solution - then many have attempted to develop their own versions of CAPTCHA (sometimes you see things as simple as answer the question of 5+3 = X in a form field), but the reality is that it is going to take a lot of time / effort / expense to develop anything robust enough.

Why does the client in this case not want to use CAPTCHA?

Shaun
  • I guess because we want account creation to be as easy as possible. If there is no programmatic solution, we need to use captchas anyway – xhallix Jul 24 '17 at 15:44
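As an added example (not code from the question or the answer), here is one programmatic shape for two of the ideas raised above: a signup rate limit that is global rather than per IP, so a flood spread across many source addresses still trips it, and Matthew's suggestion of holding only a minimal pending record until the email address is verified, so unverified signups expire instead of filling the accounts table. The class name, the tuning values and the in-memory stores are assumptions for illustration; a real deployment would back them with the application's database or cache.

```python
import hmac
import secrets
import time
from collections import deque

class SignupGate:
    """Constructed example: a global sliding-window limit on signup attempts (not
    keyed per IP, so rotating source addresses does not bypass it) plus a pending
    store of email + one-time token, so unverified signups expire, not flood the DB."""

    def __init__(self, max_per_window, window_s, pending_ttl_s, clock=time.time):
        self.max_per_window = max_per_window  # hypothetical tuning values
        self.window_s = window_s
        self.pending_ttl_s = pending_ttl_s
        self.clock = clock                    # injectable so tests control time
        self.attempts = deque()               # timestamps of attempts from any source
        self.pending = {}                     # email -> (token, expiry), nothing more
        self.accounts = {}                    # email -> profile, only once verified

    def _global_rate_ok(self):
        now = self.clock()
        while self.attempts and now - self.attempts[0] > self.window_s:
            self.attempts.popleft()           # drop attempts outside the window
        if len(self.attempts) >= self.max_per_window:
            return False
        self.attempts.append(now)
        return True

    def _purge_expired(self):
        now = self.clock()
        for email in [e for e, (_, exp) in self.pending.items() if now > exp]:
            del self.pending[email]

    def request_signup(self, email):
        """Step 1: keep only the email; return the token to mail, or None on a burst."""
        self._purge_expired()
        if not self._global_rate_ok():
            return None                       # caller backs off or shows a CAPTCHA
        token = secrets.token_urlsafe(32)
        self.pending[email] = (token, self.clock() + self.pending_ttl_s)
        return token

    def verify(self, email, token, profile):
        """Step 2: store the full profile only against a valid, unexpired token."""
        entry = self.pending.get(email)
        if entry is None or self.clock() > entry[1] or not hmac.compare_digest(entry[0], token):
            return False
        self.accounts[email] = profile
        del self.pending[email]               # token is single-use
        return True
```

A `None` from `request_signup` is the point at which the form would fall back to a CAPTCHA, so the challenge is only shown while a burst is in progress rather than to every visitor.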