How do you prevent brute force attacks on RESTful data services

Adrian Grigore · Jun 3, 2010 · Viewed 8.4k times

I'm about to implement a RESTful API to our website (based on WCF data services, but that probably does not matter).

All data offered via this API belongs to certain users of my server, so I need to make sure only those users have access to my resources. For this reason, all requests have to be performed with a login/password combination as part of the request.

What's the recommended approach for preventing brute force attacks in this scenario?

I was thinking of logging failed requests denied due to wrong credentials and ignoring requests originating from the same IP after a certain threshold of failed requests has been exceeded. Is this the standard approach, or am I missing something important?

Answer

crazyscot · Jun 3, 2010

IP-based blocking on its own is risky due to the number of NAT gateways out there.

You might slow down (tar pit) a client if it makes too many requests quickly; that is, deliberately insert a delay of a couple of seconds before responding. Humans are unlikely to complain, but you've slowed down the bots.
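One way to implement the tar pit the answer describes, written as an added example (not code from the question, the answer, or WCF Data Services): failures are counted per (IP, username) pair and, with a much larger allowance, per IP alone, so a guessing bot is slowed sharply while the many legitimate users behind one NAT gateway are only nudged, and nobody is hard-blocked. The `LoginThrottle`/`authenticate` names and the injectable `clock`/`sleep` parameters are assumptions for this illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Tar-pit state for failed logins: delay grows with recent failures on the
    (client IP, username) pair and, more gently, on the IP alone, so a NAT
    gateway full of real users is slowed rather than locked out."""

    def __init__(self, window=300, free_failures=3, pair_delay=2.0, ip_delay=0.5,
                 nat_allowance=10, max_delay=30.0, clock=time.monotonic):
        self.window = window                # seconds a failure stays "recent"
        self.free_failures = free_failures  # typos a human gets for free
        self.pair_delay = pair_delay        # seconds per excess failure on the pair
        self.ip_delay = ip_delay            # seconds per excess failure on the IP
        self.ip_free = free_failures * nat_allowance  # bigger budget for a shared IP
        self.max_delay = max_delay
        self.clock = clock                  # injectable so tests need no real time
        self._fails = defaultdict(deque)    # key -> timestamps of recent failures

    def _recent(self, key, now):
        q = self._fails[key]
        while q and now - q[0] > self.window:  # expire failures outside the window
            q.popleft()
        return len(q)

    def delay_for(self, ip, user):
        """Seconds to hold this request before answering (0.0 for a clean client)."""
        now = self.clock()
        pair_excess = max(0, self._recent((ip, user), now) - self.free_failures)
        ip_excess = max(0, self._recent(ip, now) - self.ip_free)
        return min(self.max_delay, pair_excess * self.pair_delay + ip_excess * self.ip_delay)

    def record_failure(self, ip, user):
        now = self.clock()
        self._fails[(ip, user)].append(now)
        self._fails[ip].append(now)

    def record_success(self, ip, user):
        self._fails.pop((ip, user), None)   # a real login clears the pair's debt


def authenticate(throttle, ip, user, password, check, sleep=time.sleep):
    """Per-request credential check with the tar pit applied; returns (ok, delay)."""
    delay = throttle.delay_for(ip, user)
    if delay:
        sleep(delay)                        # the guesser pays in wall-clock time
    ok = check(user, password)              # check() is the site's own verifier
    (throttle.record_success if ok else throttle.record_failure)(ip, user)
    return ok, delay
```

Because the delay is applied before the check, a correct password after a run of failures still pays once, which is what keeps the response timing from leaking whether the guess was right.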