0003188: Limit/throttle access per user/second - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0003188	SOGo	Backend General	public	2015-04-29 09:19	2016-03-18 15:09

Reporter	Jens Erat	Assigned To	ludovic
Priority	normal	Severity	feature	Reproducibility	N/A
Status	resolved	Resolution	fixed
Fixed in Version	3.1.0

Summary	0003188: Limit/throttle access per user/second
Description	Background: multiple times now, we had the problem that client applications like Thunderbird/Enigmail/SOGo Connector "ran wild" and tried to access SOGo up to multiple hundred times per second (!), usually with wrong credentials. This results in heavily degraded performance for the rest of the users. We'd like to have an access limit per user and second, after which SOGo will cut off further access. This will not help against distributed attacks, but very well against application errors. Counting on a {user, ip-address} base might be reasonable to prevent DOS-attacks against a single user (sending a handful of requests with a given user name would cut that user completely off). Counting on IP-address might cut of large user bases behind a common NAT and is not acceptable.
Tags	No tags attached.

ludovic 2016-03-15 15:42 administrator ~0009748	How about: 1- limiting this to DAV? 2- a 429 error code? https://tools.ietf.org/html/rfc6585#section-4

Jens Erat 2016-03-16 08:52 reporter ~0009755	Error code 429 seems proposed for exactly this purpose. Standardized in 2012 is probably rather new, but implementations not knowing the error code should probably still realize something's wrong. We'd prefer to see this not only for DAV, but also for the web UI to make DOS atttacks harder (this would enable a load balancer/reverse proxy to cut of an attacker by a system more capable of doing so than the SOGo backend potentially cut of spammers scripting the web UI (we're having a bunch of them lately!), or at least making their life harder (and hope they're going for some other target) and giving us a litte more time to realize the spammer and lock up accounts.

ludovic 2016-03-18 15:09 administrator ~0009792	also fixed for 2.3.10. https://github.com/inverse-inc/sogo/commit/9d6ab2df3364e8863c94b6a4c4cd2f239399a7f8

Date Modified	Username	Field	Change
2015-04-29 09:19	Jens Erat	New Issue
2016-03-15 15:42	ludovic	Note Added: 0009748
2016-03-16 08:52	Jens Erat	Note Added: 0009755
2016-03-18 15:09	ludovic	Note Added: 0009792
2016-03-18 15:09	ludovic	Status	new => resolved
2016-03-18 15:09	ludovic	Fixed in Version	=> 3.1.0
2016-03-18 15:09	ludovic	Resolution	open => fixed
2016-03-18 15:09	ludovic	Assigned To	=> ludovic