
I'm working on an authorisation project utilising ASP.NET Identity.

It appears to offer the majority of features one would expect to see, and indeed most of what we require.

One feature I wish to support is to mitigate the risk of a brute force attack. I understand there is an Account Lockout feature which will help stop an attack against a given username. However, this will not mitigate against a username enumeration attack (i.e. trying a given password against different accounts).

I can't find anything in the documentation and was wondering if anyone else knew better. Or would I have to implement something myself, or use IIS?

Many thanks in advance.

toepoke.co.uk
  • AFAIK there is nothing built-in but you can do locking (with timeout) using IP address. See for example [this post](http://stackoverflow.com/questions/22471907/block-user-ip-after-5-unsuccessful-login-attempts) but on the net there are better resources. – Adriano Repetti Sep 05 '14 at 11:33

1 Answer


You could use the MvcThrottle package, it lets you define rate limits based on IP and URL.

In your case you could throttle the Login action like this:

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        var throttleFilter = new ThrottlingFilter
        {
            // At most 10 requests per second per client/endpoint combination
            Policy = new ThrottlePolicy(perSecond: 10)
            {
                IpThrottling = true,       // count requests per client IP
                EndpointThrottling = true  // keep a separate counter per URL
            },
            Repository = new CacheRepository() // counters stored in the ASP.NET cache
        };

        filters.Add(throttleFilter);
    }
}

Attribute based rate limiting:

[EnableThrottling(PerSecond = 2)]
public ActionResult Login()
{
  ...
}

For more configuration details, check out the setup tutorial.

Stefan P.
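As an added illustration (not part of the answer above or of the MvcThrottle project), here is a hand-rolled alternative that counts only failed logins per client IP, so one password tried against many usernames is caught regardless of per-account lockout. It assumes ASP.NET MVC 5 with Identity's SignInManager; the names LoginAttemptLimiter and ThrottleFailedLogins, and the threshold and window values, are assumptions.

```csharp
using System;
using System.Runtime.Caching;
using System.Web.Mvc;

// Tracks failed login attempts per client IP, independent of which username was tried.
public static class LoginAttemptLimiter
{
    private static readonly MemoryCache Cache = MemoryCache.Default;
    public const int MaxFailures = 10;                                 // assumed threshold
    public static readonly TimeSpan Window = TimeSpan.FromMinutes(15); // assumed window

    private static string Key(string ip) => "login-failures:" + ip;

    public static int FailureCount(string ip) => Cache.Get(Key(ip)) as int? ?? 0;

    public static bool IsBlocked(string ip) => FailureCount(ip) >= MaxFailures;

    // Call after a failed sign-in. Each failure resets the expiry, so the counter
    // only clears once the IP has been quiet for a full window.
    public static void RecordFailure(string ip)
    {
        var count = FailureCount(ip) + 1;
        Cache.Set(Key(ip), count, DateTimeOffset.UtcNow.Add(Window));
    }
}

// Applied to the POST Login action: a blocked IP gets 429 before any password is checked,
// which also stops the request from consuming a password-hash verification.
public class ThrottleFailedLoginsAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var ip = filterContext.HttpContext.Request.UserHostAddress;
        if (LoginAttemptLimiter.IsBlocked(ip))
        {
            filterContext.Result = new HttpStatusCodeResult(429, "Too many failed login attempts");
        }
    }
}

// Hypothetical usage inside the Identity template's AccountController:
// [HttpPost, ValidateAntiForgeryToken, ThrottleFailedLogins]
// public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
// {
//     var result = await SignInManager.PasswordSignInAsync(
//         model.Email, model.Password, model.RememberMe, shouldLockout: true);
//     if (result != SignInStatus.Success)
//         LoginAttemptLimiter.RecordFailure(Request.UserHostAddress);
//     ...
// }
```

Behind a load balancer or reverse proxy, UserHostAddress is the proxy's address, so every client would share one counter; derive the client IP from the header your proxy sets instead, and only trust that header when the request actually arrived from the proxy.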