Database Overflow Attack

Networking/Security Forums -> Databases

Author: GordonFreeman    Posted: Tue Oct 20, 2009 9:07 pm    Post subject: Database Overflow Attack
I have to implement user account registration/login on my site, and I'm scared of a potential security problem: a malicious automatic tool could register users continuously, by accessing my registration page, filling in the form and submitting it, and clicking on the activation link inside the email, ... therefore acting like a real user.

This action will fill up my database in a short time, and storing account info in files instead of the db won't help, because even if disk space is much bigger than the db, it's still limited; it'll be filled up sooner or later.

How to counter this possible threat? I think sites like Facebook, Twitter, Myspace etc. have adopted some kind of countermeasure.

Author: Groovicus    Location: Centerville, South Dakota    Posted: Tue Oct 20, 2009 11:48 pm    Post subject:
There are multiple means of addressing this issue. I have used various combinations of the following:

1. Disallow multiple registration requests from a single IP if they happen within some certain arbitrary time frame, say 5 registrations within 30 minutes, or within a day. Of course, the way to defeat this is to bounce registration through proxy servers.

1.a. If you are limiting registrations by IP, then you need to check your server logs to make sure that they are not just coming back every x minutes and starting the cycle over.

2. Once an account is registered, set a cookie on that system that tracks the date that an account was registered on that computer. If there are too many cookies set within some time frame, then disallow registration. The way to defeat this is for the 'attacker' to simply disallow cookies, so in step 3....

3. When a system logs on to your site, try to set a cookie. If the cookie is disallowed, then disallow registration. This sometimes annoys users who prefer to remain as anonymous as possible while online.

4. Use a captcha system. As of now, there are quite a few captchas that are able to be defeated programmatically. In other cases, some people will simply employ other people to register multiple accounts.

5. Use email validation so that the user has to click on a link in an email in order to validate the account; if the account is not validated within some time frame, then delete the account. Screen the applications so that nobody is using the same email accounts. Of course, they can still register multiple email accounts with free email providers, but at least it adds an extra step.

Finally, you need to consider that the room taken up by a registration in a database is likely pretty small. Databases are good at storing data in a compact manner. Most places only require a user name, email, and a password for initial registration. Just a rough guess, but I would bet that it would take tens of millions of registrations before you would even notice anything.
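Items 1 and 5 of the list above as a worked example, added here and not code from the thread: a per-IP sliding-window registration limit, an email-uniqueness screen, and expiry of accounts that are never validated. The class, the thresholds and the in-memory storage are assumptions; a real site would keep this state in the database.

```python
# Added example, not code from the forum thread. Thresholds are assumptions.
from collections import defaultdict, deque

RATE_LIMIT = 5              # registrations allowed per IP ...
RATE_WINDOW = 30 * 60       # ... within this many seconds (item 1)
VALIDATION_TTL = 24 * 3600  # unvalidated accounts are deleted after this (item 5)

class RegistrationGuard:
    def __init__(self):
        self._by_ip = defaultdict(deque)  # ip -> timestamps of recent registrations
        self._pending = {}                # email -> registration timestamp
        self.accounts = set()             # validated emails

    def _prune(self, ip, now):
        """Drop timestamps that have fallen out of the sliding window."""
        q = self._by_ip[ip]
        while q and now - q[0] >= RATE_WINDOW:
            q.popleft()
        return q

    def register(self, ip, email, now):
        """Return (accepted, reason). Accepted accounts start as pending."""
        email = email.strip().lower()     # screen duplicates case-insensitively
        if email in self.accounts or email in self._pending:
            return False, "email already registered"
        if len(self._prune(ip, now)) >= RATE_LIMIT:
            return False, "too many registrations from this IP"
        self._by_ip[ip].append(now)
        self._pending[email] = now
        return True, "pending validation"

    def validate(self, email, now):
        """Called when the user clicks the link in the validation email."""
        email = email.strip().lower()
        started = self._pending.pop(email, None)
        if started is None or now - started > VALIDATION_TTL:
            return False                  # unknown, already used, or too late
        self.accounts.add(email)
        return True

    def expire_pending(self, now):
        """Periodic cleanup: delete accounts never validated within the TTL."""
        stale = [e for e, t in self._pending.items() if now - t > VALIDATION_TTL]
        for e in stale:
            del self._pending[e]
        return len(stale)
```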

Author: GordonFreeman    Posted: Wed Oct 21, 2009 12:50 am    Post subject:
Thank you for the interest.

About captchas, I've heard they are now considered obsolete, but is this for a usability issue (they annoy the users), or is it because there already exist spam programs which use OCR techniques and so are able to read the text in images?

I've added a contact form on my site, from which you can send me an email, and it is protected by a PHP-generated captcha... but after a month I've realized that I'm receiving more spam than before... it surely comes from the contact form; someone may have used a strange spambot which defeats the captcha.

I'd like to be up to date about this: how to build a captcha which is not vulnerable to current spam software?
What captcha library have you used?

Author: Groovicus    Location: Centerville, South Dakota    Posted: Wed Oct 21, 2009 1:57 am    Post subject:
Captcha is not obsolete, just evolving. I do not recall the last library that I used; SimpleCaptcha, or something like that. It was for Java, so not applicable to your needs.

The thing with using someone else's library is that once someone is able to decode it, any site that uses that library is then vulnerable. Try a different library and see if that helps.

You should also be checking your logs to see if there are obvious IPs that are hitting your site significantly more than others. If they are, block them.

There is no one total solution; as I said before, I generally used combinations of schemes, but it is still only a stop-gap. My suggestion to you is to require validating the account via email before they can post anything.

Good luck. :)


Powered by phpBB 2.0.x © 2001 phpBB Group