For the second time my website seems to be the target of a large automated attack. It seems complex enough and very well executed. I have the following systems in place:
- Captcha on 3rd failed login from IP
- Account lock for 30 min after 5 failed login attempts (using same email)
- Minimum password requirements (8 chars, letter, number, capitals)
- Failed login attempts return a non-specific error (i.e. your email or password is incorrect)
- Rate limited requests (from same IP)
Over the last half an hour or so, my website has had 20,000 failed login requests. Each request is using a different email (from spot checking) and each one has failed with a 401 and no information. Each request is coming from a different public IP address (all seem to be coming out of Phoenix, Arizona, from my manual spot check).
All of the requests are coming via a mobile app I built which loads the login webpage via a webview. Below is a sample of the full details from one request.
I can't think of a way to mitigate this attack. It seems like someone is fishing for email/password matches. 99% of the emails are not in my system anyway, so it seems to just be a bot with a list of emails and passwords trying to gain access.
My questions are: should I be worried about this? My biggest concern is the DDoS element with regards to system load. Why would someone even bother doing this? Are there any additional things I could be doing to mitigate the risk?
Sample payload:
    {
      "path": "/auth/login/email",
      "method": "POST",
      "query": "POST /auth/login/email",
      "startts": 1598474644337,
      "endts": 1598474644342,
      "responsetime": 5,
      "node": {
        "name": "ip-XXX-XX-XX-XX",
        "version": "",
        "hostname": "ip-XXX-XX-XX-XX",
        "ip": "172.31.15.58"
      },
      "http": {
        "request": {
          "url": "/email",
          "headers": {
            "host": "api.domain.com",
            "x-forwarded-for": "XXX.XXX.XXX.XXX",
            "x-forwarded-proto": "https",
            "x-forwarded-port": "443",
            "x-amzn-trace-id": "Root=1-5f46c994-168fa61913c6b3a2153fe9dd",
            "accept-encoding": "gzip,deflate",
            "content-type": "application/x-www-form-urlencoded",
            "accept": "application/json, text/plain, */*",
            "appsecret": "12312312312313123123",
            "origin": "file://",
            "user-agent": "Mozilla/5.0 (Linux; Android 5.1.1; SM-G973N Build/LYZ28N; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/XX.X.XXXX.XXX Mobile Safari/537.36",
            "accept-language": "en-US,en;q=0.9",
            "x-requested-with": "myapp.bundle.app",
            "x-forwarded-host": "api.domain.com",
            "x-forwarded-server": "ip-XXX-XX-XX-XX.us-east-1.compute.internal",
            "connection": "Keep-Alive",
            "content-length": "45"
          },
          "clength": 45,
          "route_path": "/auth/login/email",
          "params": {},
          "query": {},
          "body": {
            "email": "{\"email\":\"user@domain.co.uk\",\"password\":\"realplaintextpassword\"}",
            "password": "{\"email\":\"user@domain.co.uk\",\"password\":\"realplaintextpassword\"}"
          }
        },
        "response": {
          "code": 401,
          "class": "client_error",
          "phrase": "Unauthorized",
          "headers": {
            "x-dns-prefetch-control": "off",
            "x-frame-options": "SAMEORIGIN",
            "strict-transport-security": "max-age=15552000; includeSubDomains",
            "x-download-options": "noopen",
            "x-content-type-options": "nosniff",
            "x-xss-protection": "1; mode=block",
            "vary": "X-HTTP-Method-Override, Origin",
            "access-control-allow-origin": "file://",
            "uuid": "1231y239hndn9u13u123",
            "server": "Apache",
            "x-ratelimit-limit": 10,
            "x-ratelimit-remaining": 9
          },
          "clength": 5
        }
      },
      "ip": "::ffff:127.0.0.1",
      "real_ip": "107.178.110.130",
      "port": 8081,
      "@timestamp": "2020-08-26T20:44:04.337Z",
      "api": {
        "path": "/auth/login/email",
        "query": "POST /auth/login/email"
      }
    }
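The defences listed in the question are all keyed on a single IP or a single email, which is exactly what a distributed credential-stuffing run sidesteps (one attempt per IP, one attempt per email). A detector has to look at the aggregate instead. The following is an added example, not code from the question or its author: it reads log records in the shape of the sample above (JSON lines; only `@timestamp`, `real_ip`, `http.request.route_path`, `http.request.body.email` and `http.response.code` are used), buckets login failures per minute, and alerts when a window contains many failures spread over many source IPs and aimed mostly at email addresses that do not exist. The sample log and the `known_emails` set are constructed; the thresholds are assumptions to tune per site.

```python
import json
from datetime import datetime, timezone

def extract_email(body):
    # In the posted record body.email is itself a JSON string holding the real
    # email; unwrap that shape, otherwise use the field value as-is.
    raw = body.get("email", "")
    try:
        inner = json.loads(raw)
        if isinstance(inner, dict) and "email" in inner:
            return str(inner["email"]).lower()
    except (TypeError, ValueError):
        pass
    return str(raw).lower()

def stuffing_alerts(log_text, known_emails, window_s=60, min_failures=100, min_ips=20):
    # Group 401s on the login route per window; alert when failures are spread over
    # many source IPs (so per-IP limits never fire) and mostly target unknown accounts.
    windows = {}
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        req, resp = rec["http"]["request"], rec["http"]["response"]
        if req.get("route_path") != "/auth/login/email" or resp["code"] != 401:
            continue
        ts = datetime.fromisoformat(rec["@timestamp"].replace("Z", "+00:00"))
        start = int(ts.timestamp()) // window_s * window_s
        w = windows.setdefault(start, {"n": 0, "ips": set(), "emails": set(), "unknown": 0})
        email = extract_email(req["body"])
        w["n"] += 1
        w["ips"].add(rec["real_ip"])
        w["emails"].add(email)
        w["unknown"] += email not in known_emails
    alerts = []
    for start, w in sorted(windows.items()):
        if w["n"] >= min_failures and len(w["ips"]) >= min_ips:
            alerts.append({"window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
                           "failures": w["n"], "distinct_ips": len(w["ips"]),
                           "distinct_emails": len(w["emails"]),
                           "unknown_email_ratio": round(w["unknown"] / w["n"], 2)})
    return alerts

# Constructed sample log (JSON lines) mirroring the record in the question, including
# the body.email field that carries the whole JSON credential pair as a string.
def _rec(ts, ip, email, code=401):
    body = json.dumps({"email": email, "password": "hunter2"})
    return json.dumps({"@timestamp": ts, "real_ip": ip, "http": {
        "request": {"route_path": "/auth/login/email", "body": {"email": body, "password": body}},
        "response": {"code": code}}})

SAMPLE_LOG = "\n".join(
    [_rec(f"2020-08-26T20:44:{s:02d}.000Z", f"203.0.113.{s}", f"user{s}@example.invalid") for s in range(40)]
    + [_rec("2020-08-26T20:44:30.500Z", "198.51.100.7", "owner@example.invalid", 200)])
```

Running `stuffing_alerts(SAMPLE_LOG, {"owner@example.invalid"}, min_failures=10, min_ips=10)` yields one alert for the 20:44 window (40 failures, 40 IPs, 40 emails, unknown ratio 1.0); such an alert is the trigger for a global (not per-IP) login throttle or a captcha-for-everyone mode on the login route.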