Security Forums
Database Overflow Attack

GordonFreeman (Just Arrived; Joined: 20 Oct 2009)
Posted: Tue Oct 20, 2009 9:07 pm    Post subject: Database Overflow Attack

Hi,
I have to implement user account registration/login on my site, and I'm worried about a potential security problem: a malicious automatic tool could register users continuously, by accessing my registration page, filling in the form and submitting it, and clicking on the activation link in the email... therefore acting like a real user.

This would fill up my database in a short time, and storing account info in files instead of the database won't help, because even if disk space is much bigger than the database, it's still limited; it will be filled up sooner or later.

How can I counter this possible threat? I think sites like Facebook, Twitter, MySpace etc. have adopted some kind of countermeasure.

Groovicus (Trusted SF Member; Joined: 19 May 2004; Location: Centerville, South Dakota)
Posted: Tue Oct 20, 2009 11:48 pm

There are multiple means of addressing this issue. I have used various combinations of the following:

1. Disallow multiple registration requests from a single IP if they happen within some certain arbitrary time frame, say 5 registrations within 30 minutes, or within a day. Of course, the way to defeat this is to bounce registration through proxy servers.

1.a. If you are limiting registrations by IP, then you need to check your server logs to make sure that they are not just coming back every x minutes and starting the cycle over.

2. Once an account is registered, set a cookie on that system that tracks the date that an account was registered on that computer. If there are too many cookies set within some time frame, then disallow registration. The way to defeat this is for the 'attacker' to simply disallow cookies, so in step 3....

3. When a system logs on to your site, try to set a cookie. If the cookie is disallowed, then disallow registration. This sometimes annoys users who prefer to remain as anonymous as possible while online.

4. Use a captcha system. As of now, there are quite a few captchas that are able to be defeated programmatically. In other cases, some people will simply employ other people to register multiple accounts.

5. Use email validation so that the user has to click on a link in an email in order to validate the account; if the account is not validated within some time frame, then delete the account. Screen the applications so that nobody is using the same email accounts. Of course, they can still register multiple email accounts with free email providers, but at least it adds an extra step.

Finally, you need to consider that the room taken up by a registration in a database is likely pretty small. Databases are good at storing data in a compact manner. Most places only require a user name, email, and a password for initial registration. Just a rough guess, but I would bet that it would take tens of millions of registrations before you would even notice anything.

GordonFreeman
Posted: Wed Oct 21, 2009 12:50 am
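Added example, not code from the thread: the Python sketch below implements the combination Groovicus describes above: a sliding-window registration limit per IP (5 per 30 minutes, as in his item 1), one account per normalised email address (item 5), and deletion of accounts whose activation link was not clicked within a time frame (also item 5). The table layout, the 24-hour activation window, and the hypothetical `RegistrationGuard` class and its method names are assumptions; SQLite stands in for whatever database the site actually uses.

```python
import sqlite3
import time
from collections import defaultdict, deque

# Policy values are assumptions for the example, not from the original post.
MAX_REGS_PER_IP = 5                  # "5 registrations within 30 minutes"
WINDOW_SECONDS = 30 * 60
ACTIVATION_TTL_SECONDS = 24 * 3600   # unvalidated accounts older than this get deleted


class RegistrationGuard:
    """Hypothetical helper: per-IP sliding-window limit on registration
    attempts, plus pending accounts that must be validated by email."""

    def __init__(self, conn=None):
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS accounts ("
            " email TEXT PRIMARY KEY,"          # one account per email address
            " username TEXT NOT NULL,"
            " created_at REAL NOT NULL,"
            " validated INTEGER NOT NULL DEFAULT 0)"
        )
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent attempts

    def _ip_over_limit(self, ip, now):
        q = self._attempts[ip]
        while q and now - q[0] > WINDOW_SECONDS:  # forget attempts outside the window
            q.popleft()
        return len(q) >= MAX_REGS_PER_IP

    def register(self, ip, username, email, now=None):
        """Returns 'pending', 'rate_limited' or 'duplicate_email'."""
        now = time.time() if now is None else now
        if self._ip_over_limit(ip, now):
            return "rate_limited"
        # Count the attempt even if it fails below, so repeated failed
        # attempts still consume the IP's budget.
        self._attempts[ip].append(now)
        email = email.strip().lower()   # so Foo@X and foo@x are the same account
        try:
            self.conn.execute(
                "INSERT INTO accounts (email, username, created_at) VALUES (?, ?, ?)",
                (email, username, now),
            )
        except sqlite3.IntegrityError:
            return "duplicate_email"
        return "pending"

    def validate(self, email, now=None):
        """Mark the account as validated; only works once and only inside the TTL."""
        now = time.time() if now is None else now
        cur = self.conn.execute(
            "UPDATE accounts SET validated = 1"
            " WHERE email = ? AND validated = 0 AND created_at > ?",
            (email.strip().lower(), now - ACTIVATION_TTL_SECONDS),
        )
        return cur.rowcount == 1

    def purge_unvalidated(self, now=None):
        """Delete accounts whose activation link was never clicked in time.
        Run this periodically (cron) so abandoned bot registrations do not pile up."""
        now = time.time() if now is None else now
        cur = self.conn.execute(
            "DELETE FROM accounts WHERE validated = 0 AND created_at <= ?",
            (now - ACTIVATION_TTL_SECONDS,),
        )
        return cur.rowcount

    def count(self):
        return self.conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]


def demo():
    """Constructed scenario: a bot at one address registers in a burst,
    a second address retries one of the same emails, only one link is clicked."""
    g = RegistrationGuard()
    t0 = 1_000_000.0
    results = [g.register("203.0.113.7", f"bot{i}", f"bot{i}@example.com", now=t0 + i)
               for i in range(7)]
    dup = g.register("198.51.100.2", "bot0again", "BOT0@example.com", now=t0 + 10)
    g.validate("bot0@example.com", now=t0 + 60)
    purged = g.purge_unvalidated(now=t0 + ACTIVATION_TTL_SECONDS + 10)
    return results, dup, purged, g.count()


if __name__ == "__main__":
    print(demo())
```

In the scenario, the first five registrations from the bot's IP are accepted as pending, the sixth and seventh are rate-limited, the retry under a different case of an existing email is rejected, and the purge removes the four accounts that never clicked their activation link, leaving one row. As Groovicus notes, a proxy pool defeats the per-IP limit, which is why the email step and the purge matter: the attacker can keep registering, but unvalidated rows do not stay in the database.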

Thank you for the interest.

About captchas, I've heard they are now considered obsolete, but is this for a usability issue (they annoy the users) or is it because there already exist spam programs which use OCR techniques, and so are able to read text in images?

I've added a contact form on my site, from which you can send me an email, and it is protected by a PHP-generated captcha... but after a month I've realized that I'm receiving more spam than before... it surely comes from the contact form; someone may have used a strange spambot which defeats the captcha.

I'd like to be up to date about this: how do you build a captcha which is not vulnerable to current spam software?
What captcha library have you used?

Groovicus
Posted: Wed Oct 21, 2009 1:57 am

Captcha is not obsolete, just evolving. I do not recall the last library that I used; SimpleCaptcha, or something like that. It was for Java, so not applicable to your needs.

The thing with using someone else's library is that once someone is able to decode it, any site that uses that library is then vulnerable. Try a different library and see if that helps.

You should also be checking your logs to see if there are obvious IPs that are hitting your site significantly more than others. If they are, block them.

There is no one total solution; as I said before, I generally used combinations of schemes, but it is still only a stop-gap. My suggestion to you is to require validating the account via email before they can post anything.

Good luck. :)
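Added example, not from the thread: Groovicus suggests checking the server logs for IPs that hit the site far more than others and blocking them. The Python below does that over a few constructed Apache combined-format log lines (sample data, not real traffic): it counts POSTs to the registration and contact forms per client IP, lists the addresses above a threshold, and emits Apache 2.2-style Deny rules for them. The endpoint names `/register.php` and `/contact.php`, the threshold of three posts, and the helper names are assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Oct/2009:00:01:02 +0200] "POST /register.php HTTP/1.1" 302 211 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Oct/2009:00:01:04 +0200] "POST /register.php HTTP/1.1" 302 211 "-" "Mozilla/4.0"
198.51.100.2 - - [21/Oct/2009:00:02:10 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2009:00:02:11 +0200] "POST /register.php HTTP/1.1" 302 211 "-" "Mozilla/4.0"
192.0.2.9 - - [21/Oct/2009:00:03:00 +0200] "POST /register.php HTTP/1.1" 302 211 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2009:00:03:05 +0200] "POST /contact.php HTTP/1.1" 200 890 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Oct/2009:00:04:40 +0200] "POST /register.php HTTP/1.1" 302 211 "-" "Mozilla/4.0"
"""

# Client IP, timestamp, request line and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Hypothetical form endpoints for the example site.
FORM_PATHS = ("/register.php", "/contact.php")


def parse_log(text):
    """Yield (ip, timestamp, method, path) for every parseable line;
    malformed lines are skipped rather than aborting the whole run."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"]


def form_posts_per_ip(text, paths=FORM_PATHS):
    """Count POST requests to the form endpoints, per client IP.
    GETs and other pages are ignored so normal browsing does not inflate the count."""
    counts = Counter()
    for ip, _ts, method, path in parse_log(text):
        if method == "POST" and path in paths:
            counts[ip] += 1
    return counts


def suspicious_ips(counts, min_posts=3):
    """Addresses that submitted the forms at least min_posts times, busiest first."""
    return [(ip, n) for ip, n in counts.most_common() if n >= min_posts]


def htaccess_deny(ips):
    """Apache 2.2-style access rules (Order/Allow/Deny) blocking the given IPs."""
    return ["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in ips]


if __name__ == "__main__":
    counts = form_posts_per_ip(SAMPLE_LOG)
    flagged = suspicious_ips(counts)
    for ip, n in flagged:
        print(f"{ip}: {n} form posts")
    print("\n".join(htaccess_deny(ip for ip, _ in flagged)))
```

On the sample, 203.0.113.7 accounts for five of the six form submissions and is the only address flagged; the one-off poster at 192.0.2.9 stays below the threshold. In practice run this over the real access log with a low threshold first and inspect the hits before blocking, since a shared NAT address can look like a single heavy user.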