Logins are rate limited to prevent abuse. If Octopus is configured with rate limiting on login, and a certain amount of Octopus users are trying to log in, it will block further attempts if the number of users exceeds the rate limit. As soon as one of these blocked users tries to log in again, they are unblocked.
At first glance, the above might not seem like a problem. However, it can be used to bypass rate limiting on login. If a large number of blocked users try to login in parallel, and if each of these users only tries to login one time, and not again, then blocking the login attempt of the first user does not count towards the rate limiting on login. As soon as the first blocked user is unblocked, the rate limiting on login of the application is again triggered. The blocking of the second user does not count, and so on. This can be used to bypass rate limiting on login and create a denial of service. To prevent this, Octopus should be configured to log all login attempts, without rate limiting on login.
Octopus and Rate Limiting on Login https://www.webopedia.com/TERM/O/Octopus-login.html
The Octopus application was designed to provide a centralized login process for multiple websites and applications that require authentication. It does this by storing an encrypted copy of the user's password on its own server, so that the user doesn't have to enter their password whenever they need to authenticate with one of those websites or applications.
When the user enters their username and password in order to access an application using the Octopus, it is then transmitted securely to their chosen website or application, which will store a decrypted copy in its database for use when needed. This way, even if one site gets hacked and a hacker gets a hold of their password, it doesn't matter because all sites are still secured by that single, original password stored locally on the Octopus server.
How to detect if a login attempt has been rate limited
Octopus provides information about the rate limit on login via the event logs.
To check what the rate limit is set to, you need to enable debug logging in your application and look at the log file:
Logs
How to limit the number of users that can login to your application at one time
To prevent the above scenario, Octopus can be configured to log all login attempts, without rate limiting on login. To do this, Octopus logs a user in when it receives a valid HTTP request that includes the username and password. Once logged in, if the user tries to use another username or password to try and log in again, an error is returned with the error code LOGIN_DENIED. When this happens, it means that there are already ten users logged in and that no further users can log in until at least one of these users logs out.
There are many other ways to configure your application’s authentication methods and rate limits. You should consult your security consultant for more information on how best to configure any rate limiting or authentication methods within your application.
Timeline
Published on: 09/30/2022 04:15:00 UTC
Last modified on: 10/04/2022 18:20:00 UTC