Throttling & Blocking Bad Requests in Phoenix with PlugAttack - Michael Lubas - Elixir Meetup #4
At Elixir Meetup #4, Michael Lubas presented the importance of protecting applications from credential stuffing attacks and shared practical strategies to mitigate such attacks using PlugAttack.
About Michael Lubas
Michael Lubas is the founder of Paraxial.io, a company focused on detecting and blocking malicious bots targeting Elixir and Phoenix applications. With a professional background in software security, Michael has extensive experience in bot detection and Elixir security.
Understanding Credential Stuffing Attacks
What is Credential Stuffing?
Credential stuffing is a type of cyber attack where attackers use automated scripts to perform login attempts using stolen username and password pairs. Michael explained how these attacks are performed and why they pose a significant threat to web applications.
Key Points:
- Stolen Credentials: Attackers use leaked credentials from data breaches.
- Automated Login Attempts: Scripts are used to automate login requests.
- Success Indicators: Successful login attempts signal valid credentials.
Setting Up the Defense
Introducing PlugAttack
PlugAttack is a set of macros that can be used to build a plug to protect web applications from bad clients. Michael highlighted the flexibility and effectiveness of PlugAttack in mitigating credential stuffing attacks.
Key Features:
- Throttle Requests: Limit the number of login attempts from an IP address.
- Ban IPs: Temporarily ban IP addresses sending too many requests.
- Custom Rules: Define rules to match specific request patterns.
Implementing PlugAttack in Phoenix
Step-by-Step Implementation
Michael provided a detailed guide on implementing PlugAttack in a Phoenix application. He covered setting up a victim application, creating a script for automated logins, and configuring PlugAttack to throttle and ban IP addresses.
Steps:
- Set Up Victim App: Create a Phoenix application for demonstration.
- Automated Logins: Write a script to simulate credential stuffing.
- Define Throttle Rule: Use PlugAttack to throttle login requests.
- Add Plug to Router: Integrate the plug into the Phoenix router.
Practical Example
Throttling and Banning
Michael demonstrated the implementation of two key rules: throttling and banning. He explained how to set limits on login attempts and how to ban IP addresses that exceed these limits.
Example Rules:
- Throttle: Limit to 10 login attempts per minute.
- Ban: Ban IP addresses sending 50 login attempts in a minute.
Testing and Verifying
Simulating Attacks
To verify the effectiveness of PlugAttack, Michael showed how to simulate credential stuffing attacks using a script. He demonstrated how PlugAttack successfully throttled and banned the attacker’s IP address.
Key Observations:
- Throttle Response: Requests beyond the limit are dropped.
- Ban Response: Excessive requests result in a 403 Forbidden status.
Advanced Configuration
Multiple Rules and Conditions
Michael explained how to configure multiple rules and handle complex conditions. He shared tips on organizing plugs and ensuring that rules are applied in the correct order.
Key Tips:
- Order of Plugs: Ensure broader rules are applied before narrower ones.
- Combining Rules: Use multiple plugs for different conditions.
Best Practices and Tips
Enhancing Security
Michael provided additional tips for enhancing security, such as using the remote_ip library to get the correct client IP and considering persistent data stores for long-term bans.
Best Practices:
- Correct Client IP: Use remote_ip to handle proxies.
- Persistent Bans: Use databases or external services for long-term bans.
Q&A Highlights
Audience Questions
During the Q&A session, Michael addressed several questions from the audience, covering topics such as the applicability of PlugAttack to non-auth requests, advantages over load balancers, and real-world use cases.
Key Takeaways:
- Flexibility: PlugAttack can throttle any type of request.
- Integration: Tight integration with Phoenix provides better control.
- Use Cases: Protect login forms, account creation, and other sensitive routes.
Conclusion
Michael Lubas’s presentation at Elixir Meetup #4 provided valuable insights into protecting Phoenix applications from credential stuffing attacks using PlugAttack. By implementing the strategies and best practices shared, developers can significantly enhance the security of their applications.
Join the Community
Ready to explore the reliability of Elixir and Erlang?
Register for the next Elixir Meetup at Curiosum Meetups: Registration Join our community of Elixir enthusiasts at Elixir LinkedIn Group Prefer watching the presentation? Here’s the video