On Thu, 26 Mar 2020 at 17:37 Peter Schober <
peter.schober at univie.ac.at> wrote:
* Giuseppe De Marco <giuseppe.demarco at
unical.it> [2020-03-26 17:00]:
I never thought that a signature could be too
computationally intensive, but it could be so.
Not a single one, but thousands of "cheap" GET requests to a
protected resource, as easily generated by a single unauthenticated
client on the network, resulting in "expensive" signing operations.
It's this asymmetry in the attacker's favor you'd want to avoid.
That's interesting, Peter.
Probably that kind of abuse should be handled in a SIEM or a next-gen
firewall, or locally on the same server with something like fail2ban or, better, an httpd
firewall, or an anti-brute-force protection at the application level (there are many for Django, my
favourite framework).
I think that this aspect would be better handled as part of the
overall security treatment of an IT infrastructure.
My point of view, simply, is the following:
the signature prevents a fake entity from reaching the credential
prompt, and the latter is the way brute-force attacks are done.
Probably a sane enterprise LDAP deployment has a password policy with a
temporary lockout or whatever, but brute force still happens. MFA helps with
that, but it is a second step, once the credentials have been stolen.
I have always seen the signature as a good tool for preventing brute-force
attacks; if some performance goes down, the IdP should just be scaled up as soon
as possible, and a good SIEM/httpd firewall will do the rest, helping us
see the bad and the ugly.
Personal point of view, still in search of the truth ...
--
____________________
Dott. Giuseppe De Marco
CENTRO ICT DI ATENEO
University of Calabria
87036 Rende (CS) - Italy
Phone: +39 0984 496961
e-mail: giuseppe.demarco at unical.it
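The asymmetry Peter describes (a cheap unauthenticated request forcing an expensive signing operation) and the per-server throttling Giuseppe suggests, as an added example that is not part of the thread: a per-source token bucket that runs before the expensive step, so a flood from one client can only trigger a bounded number of signatures. The request model, the IP-keyed bucket, the burst/refill values and the stand-in for the signing cost are assumptions made for the demonstration.

```python
import hashlib

# Assumed per-source limits: burst of 5 requests, refill 1 per second.
CAPACITY = 5.0
REFILL_PER_SEC = 1.0


class TokenBucket:
    """Classic token bucket; the clock is passed in so behaviour is deterministic."""

    def __init__(self, capacity, refill_per_sec, now):
        self.capacity, self.refill = capacity, refill_per_sec
        self.tokens, self.last = capacity, now

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def expensive_sign(payload):
    # Stand-in for the RSA / XML-DSig work an IdP does per request
    # (hashing only, so the example runs offline).
    return hashlib.sha256(payload).digest()


class SigningGate:
    """Cheap admission check first; the signature only for admitted requests."""

    def __init__(self, capacity=CAPACITY, refill=REFILL_PER_SEC):
        self.buckets, self.capacity, self.refill = {}, capacity, refill
        self.signed = self.throttled = 0

    def handle(self, client_ip, payload, now):
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            bucket = self.buckets[client_ip] = TokenBucket(self.capacity, self.refill, now)
        if not bucket.allow(now):
            self.throttled += 1      # rejected before any signing cost is paid
            return None
        self.signed += 1
        return expensive_sign(payload)


def simulate(requests):
    """requests: list of (timestamp_seconds, client_ip). Returns (signed, throttled)."""
    gate = SigningGate()
    for ts, ip in requests:
        gate.handle(ip, b"constructed AuthnRequest from " + ip.encode(), ts)
    return gate.signed, gate.throttled


# Constructed traffic: a 100-request burst from one source at t=0.
FLOOD = [(0.0, "198.51.100.7")] * 100
```

With the burst of 100, `simulate(FLOOD)` admits 5 signatures and throttles 95; ten distinct sources sending one request each are all admitted, so the limit bounds the cost per attacker rather than per deployment.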