View Issue Details

ID: 0003188
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2016-03-18 11:09
Reporter: Jens Erat
Assigned To: ludovic
Priority: normal
Severity: feature
Reproducibility: N/A
Status: resolved
Resolution: fixed
Fixed in Version: 3.1.0
Summary: 0003188: Limit/throttle access per user/second
Description

Background: multiple times now, we had the problem that client applications like Thunderbird/Enigmail/SOGo Connector "ran wild" and tried to access SOGo up to multiple hundred times per second (!), usually with wrong credentials. This results in heavily degraded performance for the rest of the users.

We'd like to have an access limit per user and second, after which SOGo will cut off further access.

This will not help against distributed attacks, but very well against application errors. Counting on a {user, ip-address} base might be reasonable to prevent DOS attacks against a single user (sending a handful of requests with a given user name would cut that user completely off). Counting on IP address might cut off large user bases behind a common NAT and is not acceptable.

Tags: No tags attached.

Activities

ludovic (administrator), 2016-03-15 11:42, note ~0009748

How about:

1- limiting this to DAV?

2- a 429 error code? https://tools.ietf.org/html/rfc6585#section-4

Jens Erat (reporter), 2016-03-16 04:52, note ~0009755

Error code 429 seems proposed for exactly this purpose. Standardized in 2012, it is probably rather new, but implementations not knowing the error code should probably still realize something's wrong.

We'd prefer to see this not only for DAV, but also for the web UI to

  • make DOS attacks harder (this would enable a load balancer/reverse proxy to cut off an attacker by a system more capable of doing so than the SOGo backend)
  • potentially cut off spammers scripting the web UI (we're having a bunch of them lately!), or at least make their life harder (and hope they're going for some other target) and give us a little more time to realize the spammer and lock up accounts.

ludovic (administrator), 2016-03-18 11:09, note ~0009792

also fixed for 2.3.10.

https://github.com/inverse-inc/sogo/commit/9d6ab2df3364e8863c94b6a4c4cd2f239399a7f8
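The throttle the reporter describes (a per-second limit counted on a {user, ip} pair, so a few bad requests naming one user cannot lock that user out and a shared NAT is not cut off wholesale) answered with the 429 status from the comments, as an added Python sketch. This is not SOGo's own implementation or the code in the linked commit; the 5-per-second limit, the class name and the addresses in the scenario are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Assumed limits (constructed for this example, not SOGo's own settings):
# at most 5 requests from one (user, ip) pair per 1-second window.
MAX_REQUESTS = 5
WINDOW_SECONDS = 1.0


class PerUserIpLimiter:
    """Sliding-window request counter keyed on (user name, client IP).

    Keying on the pair rather than the user alone means a few bad-credential
    requests naming "alice" from one address cannot lock alice out everywhere;
    keying on the IP alone would cut off every user behind a shared NAT.
    Throttled requests are not recorded, so a runaway client still gets
    MAX_REQUESTS through per window instead of being locked out for good.
    """

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window
        self.clock = clock  # injectable so the scenario below is deterministic
        self._hits = defaultdict(deque)  # (user, ip) -> request timestamps

    def check(self, user, ip):
        """Record one request; return the HTTP status to answer with: 200 or 429."""
        now = self.clock()
        q = self._hits[(user, ip)]
        while q and now - q[0] >= self.window:  # expire timestamps outside window
            q.popleft()
        if len(q) >= self.max_requests:
            return 429  # RFC 6585 "Too Many Requests"
        q.append(now)
        return 200


def demo():
    """Constructed scenario: a runaway client and a legitimate client share
    the user name "alice" but come from different (documentation) addresses."""
    t = [0.0]
    limiter = PerUserIpLimiter(clock=lambda: t[0])
    runaway = [limiter.check("alice", "198.51.100.10") for _ in range(7)]
    legit = limiter.check("alice", "203.0.113.4")  # other address: unaffected
    t[0] += 1.0                                    # the window has passed
    recovered = limiter.check("alice", "198.51.100.10")
    return runaway, legit, recovered
```

A reverse proxy in front of the backend can key on the 429 responses to cut the offending client off earlier, which is the deployment the reporter had in mind.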

Issue History

Date Modified Username Field Change
2015-04-29 05:19 Jens Erat New Issue
2016-03-15 11:42 ludovic Note Added: 0009748
2016-03-16 04:52 Jens Erat Note Added: 0009755
2016-03-18 11:09 ludovic Note Added: 0009792
2016-03-18 11:09 ludovic Status new => resolved
2016-03-18 11:09 ludovic Fixed in Version => 3.1.0
2016-03-18 11:09 ludovic Resolution open => fixed
2016-03-18 11:09 ludovic Assigned To => ludovic