bruteforcesettings icon indicating copy to clipboard operation
bruteforcesettings copied to clipboard
verified publisher icon nextcloud

Handle expired links better to avoid false positives

Open joshtrichards opened this issue 1 year ago • 9 comments

Currently you only need a handful of users who click on an expired link and their IP range gets on the naughty list and blocked real fast

Originally posted by @DanScharon in https://github.com/nextcloud/bruteforcesettings/issues/4#issuecomment-1596995344

joshtrichards avatar Feb 19 '24 14:02 joshtrichards

Related: nextcloud/server#42614

joshtrichards avatar May 08 '24 13:05 joshtrichards

@Fenn-CS or @sorbaugh is there any update here? the bug is reproducible as communicated by Anupam. Ticket is missing the SLA soon (1 working day left)

DaphneMuller avatar Aug 21 '24 10:08 DaphneMuller

Being looked into currently. @DaphneMuller

nfebe avatar Aug 21 '24 10:08 nfebe

@Fenn-CS please let me know a confirmation of in which release the fix will be available. We can then inform the customer. Thanks!

DaphneMuller avatar Aug 21 '24 12:08 DaphneMuller

I’ve been able to somewhat reproduce this issue, where I encounter a 429 "Too Many Requests" response.

Screenshot from 2024-08-22 14-59-42

However, I’m not entirely sure if this scenario mirrors the situation where tens or hundreds of users might be blocked, particularly when it’s a case of multiple users attempting to access the same URL repeatedly from within the same network.

In my reproduction case, the 429 error occurs when a single user (apparently as sometimes the IPs can be shared) repeatedly visits the URL within a short time frame. This suggests that the rate-limiting mechanism might be getting triggered even under normal usage conditions. It's important to note that this issue might not be directly related to sharing itself but rather a situation that is more like to be observed frequently in sharing due to how often shared links are revisited.

Given that shared links are more likely to be accessed multiple times, especially over time, should we consider making an exception or adjusting the rate-limiting rules specifically for these cases?

cc: @nickvergessen @come-nc @blizzz

nfebe avatar Aug 22 '24 14:08 nfebe

I’ve been able to somewhat reproduce this issue, where I encounter a 429 "Too Many Requests" response. [...]

However, I’m not entirely sure if this scenario mirrors the situation where tens or hundreds of users might be blocked, particularly when it’s a case of multiple users attempting to access the same URL repeatedly from within the same network.

Please test with IPv6. In case of IPv6, a single address from a /64 segment running into the bruteforce protection blocks the whole /64 segment (in our case: every wifi user on campus).

DanScharon avatar Aug 22 '24 14:08 DanScharon

  • Same happens for Talk btw, It's quite problematic, but I think the only chance is that each app/code that registers the attempt tracks "old valid entries" and skips them accordingly. https://github.com/nextcloud/spreed/issues/8328

nickvergessen avatar Aug 22 '24 14:08 nickvergessen