Set a rate limit
Summary
The server must have a rate limit to control interaction frequency.
Description
Several attacks depend on executing a huge amount of requests from a single host. For instance, it is possible to exhaust a server's connection pool with a single machine by using asynchronous requests, effectively causing a Denial of Service (DoS). These and other attacks, such as the ones depending on brute force, can be thwarted, or severely hindered, by limiting the number of requests that a single host can send to the server in a short period of time. Therefore, server settings should include a rate limit that considers a regular request flow between a host and the server.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-49. Password brute forcing
- CAPEC™-125. Flooding
- CAPEC™-130. Excessive allocation
- CWE™-307. Improper restriction of excessive authentication attempts
- CWE™-770. Allocation of resources without limits or throttling
- CWE™-799. Improper control of interaction frequency
- OWASP TOP 10-A4. Insecure design
- Agile Alliance-11. Best architectures, requirements, and designs
- ISA/IEC 62443-RA-7_1. Denial of service protection
- WASSEC-6_2_1_1. Authentication - Brute force
- OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
- WASC-A_11. Brute force
- WASC-A_10. Denial of service
- WASC-A_34. Predictable resource location
- ISSAF-E_22. Network security - Switch security assessment (layer 2 port authentication)
- ISSAF-H_14_13. Network security - Intrusion detection (detection engine)
- ISSAF-P_4. Host security - Linux security (identify ports and services)
- ISSAF-Q_8_6_1. Host security - Windows security (brute force passwords or remote attack)
- ISSAF-T_11_1. Web application assessment - Brute force attack
- ISSAF-T_16_2. Web application assessment - Input Validation (test buffer overflow)
- NIST 800-115-4_2. Network port and service identification
- OWASP ASVS-5_1_2. Input validation
- OWASP ASVS-11_1_2. Business logic security
- OWASP ASVS-11_1_3. Business logic security
- OWASP ASVS-11_1_4. Business logic security
- CASA-5_1_2. Input Validation
- CASA-11_1_4. Business Logic Security
Vulnerabilities
- 002. Asymmetric denial of service
- 003. Symmetric denial of service
- 047. Automatic information enumeration
- 053. Lack of protection against brute force attacks
- 057. Asymmetric denial of service - Content length
- 108. Improper control of interaction frequency
- 122. Email flooding
- 211. Asymmetric denial of service - ReDoS
- 231. Message flooding
- 252. Automatic information enumeration - Open ports
- 253. Automatic information enumeration - AWS
- 254. Automatic information enumeration - Credit Cards
- 330. Lack of protection against brute force attacks - Credentials
- 356. Symmetric denial of service - SMTP
- 357. Symmetric denial of service - FTP
- 423. Inappropriate coding practices - System exit
- 442. SMTP header injection
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.