# Credential stuffing succeeds because rotating IP addresses bypasses rate limiting

- **ID:** `security/credential-stuffing-via-rate-limit-bypass`
- **Domain:** security
- **Category:** auth_error
- **Error code:** `AUTH_RATE_003`
- **Verification level:** ai_generated
- **Fix rate:** 75%

## Root cause

Rate limiting keyed on the client IP address alone is ineffective against credential stuffing carried out from a distributed botnet with many unique IPs: each source stays under the per-IP threshold, so the attacker gets an effectively unlimited number of login attempts.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Nginx 1.24 | active | — | — |
| Cloudflare WAF | active | — | — |
| AWS WAF | active | — | — |

## Solutions

1. Implement multi-factor rate limiting: combine IP, user-agent, and device fingerprint. Use a sliding window with exponential backoff. Example in Nginx (the `limit_req_zone` directives belong in the `http {}` context; note that `$http_user_agent` is client-supplied and trivially rotated, so it only adds friction and should be paired with a server-derived device fingerprint and the per-username lockout below):

   ```nginx
   # http {} context: one zone keyed on the client IP, one keyed on the user-agent
   limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
   limit_req_zone $http_user_agent zone=ua:10m rate=10r/m;

   server {
       location /login {
           # a request must stay within BOTH zones; burst allows short legitimate spikes
           limit_req zone=login burst=10 nodelay;
           limit_req zone=ua burst=20 nodelay;
       }
   }
   ```
2. Deploy CAPTCHA (e.g., reCAPTCHA v3) after a few failed attempts from the same account or device fingerprint, not just IP.
3. Use account lockout (temporary, e.g., 1 minute) after 5 failed attempts per username, regardless of IP.
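As an added example that is not part of this record, the following Python sketch (a hypothetical `LoginThrottle` class and a constructed scenario, not any real framework's API) implements solutions 1 and 3 together: a sliding window that must pass on IP, user-agent, device fingerprint and username, plus a per-username lockout after 5 failures. The simulated botnet uses a fresh IP, user-agent and fingerprint on every attempt and is still stopped by the username dimension.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding window keyed on IP, user-agent, device fingerprint AND username, plus a per-username lockout."""
    def __init__(self, limits, window=60, lockout_failures=5, lockout_seconds=60):
        self.limits, self.window = limits, window               # caps per dimension; window in seconds
        self.lockout_failures, self.lockout_seconds = lockout_failures, lockout_seconds
        self.events = defaultdict(deque)    # (dimension, value) -> attempt timestamps
        self.failures = defaultdict(deque)  # username -> failed-attempt timestamps
        self.locked_until = {}              # username -> unix time the lock expires

    def _prune(self, q, now):
        while q and q[0] <= now - self.window:
            q.popleft()

    def check(self, ip, ua, fp, user, now):
        """Return (allowed, reason) before verifying the password; every dimension must pass."""
        if now < self.locked_until.get(user, 0):
            return False, "account_locked"
        keys = {"ip": ip, "ua": ua, "fp": fp, "user": user}
        for dim, value in keys.items():
            q = self.events[(dim, value)]
            self._prune(q, now)
            if len(q) >= self.limits[dim]:
                return False, f"rate_limited:{dim}"
        for dim, value in keys.items():     # count the attempt on every dimension
            self.events[(dim, value)].append(now)
        return True, "ok"

    def record_failure(self, user, now):
        """Call after a wrong password; returns True once the account is locked."""
        q = self.failures[user]
        self._prune(q, now)
        q.append(now)
        if len(q) >= self.lockout_failures:
            self.locked_until[user] = now + self.lockout_seconds
            q.clear()
        return now < self.locked_until.get(user, 0)


def simulate_rotating_ips(attempts=8):
    # Constructed scenario: one username, a fresh IP/user-agent/fingerprint per try.
    t = LoginThrottle({"ip": 5, "ua": 10, "fp": 5, "user": 5})
    reasons = []
    for i in range(attempts):
        now = 1_700_000_000 + i             # one attempt per second
        ok, why = t.check(f"203.0.113.{i}", f"bot/{i}", f"fp-{i}", "alice", now)
        reasons.append(why)
        if ok:
            t.record_failure("alice", now)  # every guess is wrong
    return reasons
```

Running `simulate_rotating_ips()` yields five `ok` decisions followed by `account_locked`, whereas a limiter keyed on `ip` alone would have admitted all eight.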

## Ineffective attempts

- **Increase the rate limit threshold to allow more requests per IP** — This makes the attack easier: attackers can send more requests per IP, and the distributed nature of the botnet still bypasses IP-based limits. (95% failure rate)
- **Block IPs after a few failed attempts with a permanent ban** — Attackers rotate IPs, so permanent bans on individual IPs don't stop the attack and may block legitimate users behind shared IPs (e.g., VPNs). (80% failure rate)
