
Improper Control of Interaction Frequency - Elixir


Need

To prevent server saturation and potential Denial of Service (DoS) attacks


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Elixir Plug for handling HTTP requests and protecting against attacks
  3. No rate limiting for API requests

Description

Insecure Code Example

defmodule VulnerableApp.ApiController do
  use Plug.Router

  # No rate-limiting plug in the pipeline: every request reaches the handler
  plug :match
  plug :dispatch

  # Plug.Router binds `conn` in a route body; the request parameters live in conn.params
  get "/", do: index(conn, conn.params)

  def index(conn, _params) do
    # API logic here
    send_resp(conn, 200, "OK")
  end
end

The preceding Elixir code exposes an API endpoint without any rate limiting, so a client can send an unbounded number of requests in a short period of time. This makes the application vulnerable to DoS attacks and log flooding.

Steps

  1. Use the 'plug_attack' library or similar to implement rate limiting on your API endpoints.
  2. Define rate limit rules based on your application's requirements and capacity.
  3. Apply these rules to your API endpoints.

Secure Code Example

defmodule SecureApp.RateLimiter do
  use PlugAttack

  # Throttle each client IP to 60 requests per minute.
  # The counter store must be started in the application's supervision tree, e.g.:
  #   {PlugAttack.Storage.Ets, name: SecureApp.RateLimiter.Storage, clean_period: 60_000}
  rule "throttle by ip", conn do
    throttle conn.remote_ip,
      period: 60_000,
      limit: 60,
      storage: {PlugAttack.Storage.Ets, SecureApp.RateLimiter.Storage}
  end

  # Override the default 403 response: reply 429 and halt the pipeline
  def block_action(conn, _data, _opts) do
    conn
    |> Plug.Conn.send_resp(429, "Too Many Requests")
    |> Plug.Conn.halt()
  end
end

defmodule SecureApp.ApiController do
  use Plug.Router

  # Run the rate limiter before routing so blocked requests never reach index/2
  plug SecureApp.RateLimiter
  plug :match
  plug :dispatch

  get "/", do: index(conn, conn.params)

  def index(conn, _params) do
    # API logic here
    send_resp(conn, 200, "OK")
  end
end

The preceding Elixir code uses the 'plug_attack' library to implement rate limiting on the API endpoint: a PlugAttack rule throttles requests per client IP, and the rate-limiter plug runs before routing, so once a client exceeds the limit within the period it receives a 429 response instead of reaching the handler. This prevents clients from sending too many requests in a short period of time, protecting the application from DoS attacks and log flooding.
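A rate limit is only a control if it demonstrably fires, so the following ExUnit test, added here as an example and not part of the original page or of the plug_attack project, exercises a throttled Plug router with Plug.Test and checks that the request after the limit is rejected and that the counter is kept per client IP. All module names (RateLimitDemo.*) are hypothetical, the limit is deliberately set to 3 so the test stays fast, and it assumes plug_attack is a dependency of the project and that PlugAttack.Storage.Ets accepts the child specification shown with :name and :clean_period options.

```elixir
# Added example: verify that the throttle rule rejects excess requests.
defmodule RateLimitDemo.Limiter do
  use PlugAttack

  # Deliberately small window for the test: 3 requests per client IP per minute
  rule "throttle by ip", conn do
    throttle conn.remote_ip,
      period: 60_000,
      limit: 3,
      storage: {PlugAttack.Storage.Ets, RateLimitDemo.Storage}
  end

  # Answer throttled requests with 429 and stop the pipeline
  def block_action(conn, _data, _opts) do
    conn
    |> Plug.Conn.send_resp(429, "Too Many Requests")
    |> Plug.Conn.halt()
  end
end

defmodule RateLimitDemo.Router do
  use Plug.Router

  # The limiter runs before routing, so blocked requests never hit a handler
  plug RateLimitDemo.Limiter
  plug :match
  plug :dispatch

  get "/", do: send_resp(conn, 200, "OK")
end

defmodule RateLimitDemo.RouterTest do
  use ExUnit.Case, async: false
  import Plug.Test

  @opts RateLimitDemo.Router.init([])

  setup do
    # The ETS-backed counter store must be running before requests arrive;
    # start_supervised! tears it down after each test, so counters reset
    start_supervised!(
      {PlugAttack.Storage.Ets, name: RateLimitDemo.Storage, clean_period: 60_000}
    )

    :ok
  end

  # Build a GET / request that appears to come from the given client IP
  defp request(ip) do
    conn = conn(:get, "/")

    %{conn | remote_ip: ip}
    |> RateLimitDemo.Router.call(@opts)
  end

  test "fourth request from the same IP within the window is rejected" do
    ip = {10, 0, 0, 1}
    statuses = for _ <- 1..4, do: request(ip).status
    assert statuses == [200, 200, 200, 429]
  end

  test "the limit is tracked per client IP" do
    for _ <- 1..3, do: request({10, 0, 0, 1})
    assert request({10, 0, 0, 1}).status == 429
    # A different client is still within its own budget
    assert request({10, 0, 0, 2}).status == 200
  end
end
```

Run it with `mix test`. Keying the throttle on conn.remote_ip is only meaningful when the application sees the real client address; behind a reverse proxy, a plug such as remote_ip should populate conn.remote_ip from the proxy headers first, otherwise every client shares one counter.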


References

  • 108 - Improper Control of Interaction Frequency

  • Last updated: 2023/09/18