AUTH_RATE_003 security auth_error ai_generated partial

Credential stuffing attack succeeds because rate limiting is bypassed by rotating IP addresses

ID: security/credential-stuffing-via-rate-limit-bypass

Fix rate: 75%
Confidence: 85%
Evidence count: 1
First seen: 2023-06-20

Version compatibility

Version           Status   Introduced   Deprecated   Notes
Nginx 1.24        active
Cloudflare WAF    active
AWS WAF           active

Root cause analysis


Rate limiting based solely on IP address is ineffective against credential stuffing attacks that use a distributed botnet with many unique IPs, allowing unlimited login attempts.

generic

Official documentation

https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks

Solution

  1. Implement multi-factor rate limiting: combine IP, user-agent, and device fingerprint. Use a sliding window with exponential backoff. Example in Nginx:
    # In the http {} context: two shared-memory zones, one keyed on the client
    # address and one on the User-Agent header, so that both limits apply to /login.
    limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
    limit_req_zone $http_user_agent zone=ua:10m rate=10r/m;
    server {
        location /login {
            # both limits apply; a request exceeding either is rejected (503 by default)
            limit_req zone=login burst=10 nodelay;
            limit_req zone=ua burst=20 nodelay;
        }
    }
  2. Deploy CAPTCHA (e.g., reCAPTCHA v3) after a few failed attempts from the same account or device fingerprint, not just IP.
  3. Use account lockout (temporary, e.g., 1 minute) after 5 failed attempts per username, regardless of IP.
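One way to implement steps 1 to 3 on the application side, as an added example that is not part of this entry or of the Nginx configuration above: a hypothetical LoginThrottle keys a sliding window on username, client IP and device fingerprint independently, requires a CAPTCHA after per-account or per-device failures, and locks the account with exponentially growing lockouts. The fingerprint value and the attack scenario at the end are constructed for the example.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    def __init__(self, window=60.0, limit=5, captcha_after=3,
                 lockout_base=60.0, clock=time.monotonic):
        self.window, self.limit = window, limit      # sliding window (s), attempts per key
        self.captcha_after, self.lockout_base, self.clock = captcha_after, lockout_base, clock
        self.recent = defaultdict(deque)    # (dimension, value) -> attempt timestamps
        self.failures = defaultdict(int)    # (dimension, value) -> consecutive failures
        self.locked_until = {}              # username -> (unlock time, lockouts so far)
    def _recent(self, key, now):
        q = self.recent[key]
        while q and now - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        return q
    def check(self, username, ip, fingerprint):
        """Return 'locked', 'limited', 'captcha' or 'ok' before the password check."""
        now = self.clock()
        if now < self.locked_until.get(username, (0.0, 0))[0]:
            return "locked"
        keys = [("user", username), ("ip", ip), ("fp", fingerprint)]
        if any(len(self._recent(k, now)) >= self.limit for k in keys):
            return "limited"  # a rotated IP leaves the user and fingerprint keys counting
        for k in keys:
            self._recent(k, now).append(now)
        # CAPTCHA is triggered by account or device failures, not only by IP.
        if max(self.failures[keys[0]], self.failures[keys[2]]) >= self.captcha_after:
            return "captcha"
        return "ok"
    def record(self, username, ip, fingerprint, success):
        """Update counters after the password check; lock the account on repeated failure."""
        keys = [("user", username), ("ip", ip), ("fp", fingerprint)]
        for k in keys:
            self.failures[k] = 0 if success else self.failures[k] + 1
        if not success and self.failures[keys[0]] >= self.limit:
            n = self.locked_until.get(username, (0.0, 0))[1]  # prior lockouts: backoff doubles each time
            self.locked_until[username] = (self.clock() + self.lockout_base * 2 ** n, n + 1)
            self.failures[keys[0]] = 0

def simulate_rotating_ip_attack(attempts=8):
    # Constructed scenario: one account hit from a fresh IP and fingerprint on every attempt.
    t = [1000.0]
    th, verdicts = LoginThrottle(clock=lambda: t[0]), []
    for i in range(attempts):
        ip, fp, t[0] = f"203.0.113.{i}", f"fp-{i}", t[0] + 1.0
        verdicts.append(th.check("alice", ip, fp))
        if verdicts[-1] in ("ok", "captcha"):  # a password attempt actually happened
            th.record("alice", ip, fp, success=False)
    return verdicts
```

Because the username key is counted regardless of source address, the rotating-IP scenario reaches the CAPTCHA step on the fourth attempt and the account lockout on the fifth.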

Ineffective attempts

Common but ineffective approaches:

  1. Increase the rate limit threshold to allow more requests per IP (95% failure rate)

    This makes the attack easier because attackers can send more requests per IP, and the distributed nature still bypasses IP-based limits.

  2. Block IPs after a few failed attempts with a permanent ban (80% failure rate)

    Attackers rotate IPs; permanent bans on individual IPs don't stop the attack and may block legitimate users behind shared IPs (e.g., VPNs).