Improper Control of Interaction Frequency

Need

To prevent server saturation and potential Denial of Service (DoS) attacks

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Elixir Plug for handling HTTP requests and protecting against attacks

• No rate limiting for API requests

Description

1. Non compliant code

defmodule VulnerableApp.ApiController do
  use Plug.Router

  def index(conn, _params) do
    # API logic here
    send_resp(conn, 200, "OK")
  end
  plug :match...

The following Elixir code exposes an API endpoint without any rate limiting, allowing clients to send as many requests as they want in a short period of time. This makes the application vulnerable to DoS attacks and log flooding.

2. Steps

• Use the 'plug_attack' library or similar to implement rate limiting on your API endpoints.

• Define rate limit rules based on your application's requirements and capacity.

• Apply these rules to your API endpoints.

3. Secure code example

defmodule SecureApp.ApiController do
  use Plug.Router
  use PlugAttack

  plug PlugAttack.Blocker, otp_app: :my_app, name: :api

  def index(conn, _params) do
    send_resp(conn, 200, "OK")...

The following Elixir code uses the 'plug_attack' library to implement rate limiting on the API endpoint. This prevents clients from sending too many requests in a short period of time, protecting the application from DoS attacks and log flooding.

References

• 108. Improper Control of Interaction Frequency

On this page