
ratelimit bad responses

Open porjo opened this issue 11 years ago • 1 comment

I'd like to create a middleware that limits the number of bad responses a client can generate per hour. For example, a failed auth attempt may generate HTTP 401. To combat password brute force attacks, it would be nice to only allow each client IP to make, for example, 10 per hour.

I've taken a look at the existing ratelimit plugin, however it seems that I would not be able to extend it using the method described in the doco under 'Programmatic rate limits' as the decision on whether to block or accept needs to be made by my plugin before the request is passed on.

I'd be interested to hear people's thoughts on how best to approach this. Can anyone point me to existing code that does a similar thing?

porjo, Jan 19 '15 04:01

I actually spent some time thinking about the similar problem we have at Mailgun and discussed the possible solutions with peers at the office a while ago.

My suggestion is to implement a special plugin - fail2ban

fail2ban has two properties, pattern and action.

  • pattern is a metric-based pattern to activate the action, similar to what we have in the circuit breaker:

http://docs.vulcand.io/proxy.html#circuit-breakers

The simple language would allow fail2ban to match suspicious errors by looking at the response code ratio, as in the example below, where we calculate the ratio of "unauthorized" response codes to all other response codes in a 10 second time window:

ResponseCodeRatio(401, 403, 0, 600) > 0.5

  • action would be able to specify the desired side effect. One of the side effects I personally want to implement is a blocklist that is backed by the etcd backend, e.g.:

So we will block the client IP for 60 seconds to prevent brute-force attacks:

BlocklistUpsert(ClientIP(), "60s")

We should be able to block requests by IP, by URL, header and so on.

klizhentas, Jan 19 '15 05:01
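The two posts above describe the same mechanism from two sides: count bad responses (401/403) per client IP, and once a threshold is crossed inside a window, block that IP for a while regardless of whether its next request would have succeeded. The following is an added, stand-alone illustration of that idea in plain net/http; it is not vulcand's code, not the fail2ban plugin klizhentas describes, and it does not use vulcand's middleware API or an etcd-backed blocklist. The limits (10 failures per hour, 60 second ban), the demo token, the `/login` path and the client address 203.0.113.7 are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// failBan counts 401/403 responses per client IP in a sliding window and blocks
// the IP for banFor once limit is reached. Plain net/http, not vulcand's plugin API.
type failBan struct {
	next           http.Handler
	window, banFor time.Duration
	limit          int
	now            func() time.Time // injectable clock for a deterministic scenario
	mu             sync.Mutex
	failures       map[string][]time.Time // IP -> timestamps of recent bad responses
	blocked        map[string]time.Time   // IP -> when the block expires
}

// statusRecorder captures the status code the upstream handler writes.
type statusRecorder struct {
	http.ResponseWriter
	status int // stays 0 if the upstream only called Write (implicit 200, not a failure)
}

func (s *statusRecorder) WriteHeader(code int) { s.status = code; s.ResponseWriter.WriteHeader(code) }

func (f *failBan) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Peer address only: behind another proxy read a trusted forwarding header instead.
	ip, _, _ := net.SplitHostPort(r.RemoteAddr)
	now := f.now()
	f.mu.Lock()
	until, banned := f.blocked[ip]
	f.mu.Unlock()
	if banned && now.Before(until) {
		http.Error(w, "too many failed requests", http.StatusTooManyRequests)
		return
	}
	rec := &statusRecorder{ResponseWriter: w}
	f.next.ServeHTTP(rec, r)
	if rec.status == http.StatusUnauthorized || rec.status == http.StatusForbidden {
		f.recordFailure(ip, now)
	}
}

// recordFailure prunes timestamps older than the window, appends this one and
// blocks the IP when the count reaches the limit.
func (f *failBan) recordFailure(ip string, now time.Time) {
	f.mu.Lock()
	defer f.mu.Unlock()
	kept := f.failures[ip][:0]
	for _, t := range f.failures[ip] {
		if t.After(now.Add(-f.window)) {
			kept = append(kept, t)
		}
	}
	f.failures[ip] = append(kept, now)
	if len(f.failures[ip]) >= f.limit {
		f.blocked[ip] = now.Add(f.banFor)
		delete(f.failures, ip) // count afresh once the ban lifts
	}
}

// protected is a constructed upstream: 401 unless the demo token is presented,
// otherwise it writes nothing and the server answers with an implicit 200.
func protected(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Authorization") != "Bearer correct-token" { // constructed credential
		w.WriteHeader(http.StatusUnauthorized)
	}
}

// runScenario replays ten bad logins from one constructed client IP, a good login
// while blocked, then a good login after the block expires, returning the codes seen.
func runScenario() []int {
	clock := time.Date(2015, 1, 19, 4, 1, 0, 0, time.UTC)
	fb := &failBan{
		next: http.HandlerFunc(protected), window: time.Hour, banFor: 60 * time.Second, limit: 10,
		now:      func() time.Time { return clock },
		failures: map[string][]time.Time{}, blocked: map[string]time.Time{},
	}
	send := func(token string) int {
		req := httptest.NewRequest(http.MethodPost, "/login", nil)
		req.RemoteAddr = "203.0.113.7:51234" // constructed address (TEST-NET-3)
		req.Header.Set("Authorization", "Bearer "+token)
		rec := httptest.NewRecorder()
		fb.ServeHTTP(rec, req)
		return rec.Code
	}
	var codes []int
	for i := 0; i < 10; i++ {
		codes = append(codes, send("wrong-password")) // each 401 counts against the IP
	}
	codes = append(codes, send("correct-token")) // blocked: 429 despite good credentials
	clock = clock.Add(61 * time.Second)
	return append(codes, send("correct-token")) // block expired: 200
}

func main() { fmt.Println(runScenario()) }
```

The decision is made in the middleware, before and after the upstream call, which is the part porjo found missing from the existing ratelimit plugin: the block check happens before the request is forwarded, and the counting happens on the way back. Two caveats matter in a real deployment. First, the key is the TCP peer address; if another proxy sits in front, every client shares one IP and you must key on a forwarding header you trust. Second, the maps here live in one process and are never expired, so a multi-instance proxy needs the shared, expiring store klizhentas proposes (the etcd-backed blocklist) rather than per-process memory.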