unshort.link icon indicating copy to clipboard operation
unshort.link copied to clipboard
verified publisher icon simonfrey

SSRF protection

Open simonfrey opened this issue 6 years ago • 3 comments

We need to protect the server from being missued, e.g. in an amplification attack. Currently I have no idea how to do that, appart from IP logging and blocking to many requests from one IP which could be circumvented quite easy and also would require the server to store user data, what I do not want :/

If anyone has ideas on that front, it would be awesome to get them here :D

simonfrey avatar Jan 09 '20 20:01 simonfrey

Cheat sheet for SSRF https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html#case-2---application-can-send-requests-to-any-external-ip-address-or-domain-name

simonfrey avatar Jan 10 '20 08:01 simonfrey

One metric could be to allow only X percentage increase of traffic to a certain site.

E.g. bit.ly normally receives 10 requests/sec do only allow spikes like 3x the the normal traffic 30 req/sec

This could be a problem if overall the traffic on the site increases, but a global factor could work here: If the overall traffic increases 20%, allow 3x10x1.2=36 request max per second for bitly.

This feature would require more in-depth tracking on link traffic bases. This is no problem for privacy as it is not required to store any userdata to fullfill this metric

simonfrey avatar Jan 12 '20 13:01 simonfrey

CSF (free but not opensource software) can setup iptables firewall rules settings for that ? Maybe mod_evasive for apache can help ?

Madydri avatar May 27 '21 20:05 Madydri