AUTH_RATE_003
security
auth_error
ai_generated
partial
Credential stuffing attack succeeds because rate limiting is bypassed by rotating IP addresses
ID: security/credential-stuffing-via-rate-limit-bypass
Fix Rate: 75%
Confidence: 85%
Evidence: 1
First Seen: 2023-06-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Nginx 1.24 | active | — | — | — |
| Cloudflare WAF | active | — | — | — |
| AWS WAF | active | — | — | — |
Root Cause
Rate limiting based solely on IP address is ineffective against credential stuffing attacks that use a distributed botnet with many unique IPs, allowing unlimited login attempts.
Official Documentation
https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
Workarounds
- 80% success: Implement multi-factor rate limiting: combine IP, user-agent, and device fingerprint. Use a sliding window with exponential backoff. Example in Nginx:

```nginx
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_req_zone $http_user_agent zone=ua:10m rate=10r/m;
server {
    location /login {
        limit_req zone=login burst=10 nodelay;
        limit_req zone=ua burst=20 nodelay;
    }
}
```

- 90% success: Deploy CAPTCHA (e.g., reCAPTCHA v3) after a few failed attempts from the same account or device fingerprint, not just IP.
- 85% success: Use account lockout (temporary, e.g., 1 minute) after 5 failed attempts per username, regardless of IP.
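The sliding-window limiting and per-username lockout with backoff from the workarounds above, as an added Python example that is not part of this page or of any of the listed products; the `LoginGuard` class, the `203.0.113.x` addresses and the one-attempt-per-second cadence are constructed for the demonstration. It keys the window on the username and device fingerprint as well as the IP and user-agent (which the client controls and so is weak on its own), so rotating source addresses does not reset the budget, and doubles each successive lockout.

```python
from collections import defaultdict, deque
class LoginGuard:
    """Sliding-window limiter on several dimensions + per-username lockout with doubling backoff."""
    def __init__(self, window=60.0, per_key_limit=5, lockout_failures=5, base_lockout=60.0):
        self.window = window
        self.per_key_limit = per_key_limit
        self.lockout_failures = lockout_failures
        self.base_lockout = base_lockout
        self._attempts = defaultdict(deque)  # (dimension, value) -> attempt timestamps
        self._failures = defaultdict(deque)  # username -> failure timestamps
        self._locked_until = {}              # username -> unlock time
        self._lockouts = defaultdict(int)    # username -> lockouts so far (backoff exponent)

    def _prune(self, dq, now):
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def check(self, now, ip, user_agent, device_id, username):
        """Return (allowed, reason). A new IP only resets the "ip" window; the others keep counting."""
        if self._locked_until.get(username, 0.0) > now:
            return False, "account locked"
        keys = (("ip", ip), ("ua", user_agent), ("device", device_id), ("user", username))
        for key in keys:
            self._prune(self._attempts[key], now)
            if len(self._attempts[key]) >= self.per_key_limit:
                return False, "rate limited on " + key[0]
        for key in keys:
            self._attempts[key].append(now)
        return True, "ok"

    def record_failure(self, now, username):
        dq = self._failures[username]
        self._prune(dq, now)
        dq.append(now)
        if len(dq) >= self.lockout_failures:
            self._locked_until[username] = now + self.base_lockout * 2 ** self._lockouts[username]
            self._lockouts[username] += 1
            dq.clear()

def simulate_stuffing(guard, username, start, n):
    """Constructed attacker traffic: n failed logins, one per second, each from a fresh
    IP, user-agent and device id, so that only the username stays constant."""
    results = []
    for i in range(n):
        now = start + i
        allowed, reason = guard.check(now, f"203.0.113.{i}", f"bot/{i}", f"dev-{i}", username)
        if allowed:
            guard.record_failure(now, username)
        results.append((allowed, reason))
    return results
```

With the defaults, the sixth attempt against one username is refused even though every attempt came from a different IP, and a second burst after the lock expires earns a lockout twice as long.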
Dead Ends
Common approaches that don't work:
- Increase the rate limit threshold to allow more requests per IP (95% fail): This makes the attack easier because attackers can send more requests per IP, and the distributed nature still bypasses IP-based limits.
- Block IPs after a few failed attempts with a permanent ban (80% fail): Attackers rotate IPs; permanent bans on individual IPs don't stop the attack and may block legitimate users behind shared IPs (e.g., VPNs).