Page MenuHomePhabricator
Create Task
Maniphest T304985

Throttling mitigations against password sprays attacks
Open, Needs TriagePublicSecurity
Actions

Description

“Password sprays” attacks aim at collecting a maximum number of couples (account, password), targeting either accounts with low-entropy passwords either high-value accounts (sysops or more). See for instance this blog post from Microsoft about this attack.

I open this task to propose and discuss about mitigations in MediaWiki core, particularly throtting. Other types of mitigations to encourage users to use robust passwords and authentication methods are already available: $wgPasswordPolicy in core, extensions ConfirmEdit, OATHAuth, WebAuthn…

I open this task as a security task, but it can become public given there is no immediate threat, but this about increasing security standards (although possibly some attackers are monitoring Phabricator and this would be an easy clue about absence of throttling countermeasures against password sprays – I don’t know).

Affiliation: Wiki Valley
CC: Navid, apprentice in IT security in our company

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

Seb35 created this task.Mar 29 2022, 6:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 29 2022, 6:58 PM
Seb35 added a project: MediaWiki-Core-AuthManager.Mar 29 2022, 7:01 PM

I see two mitigations of type “throtting”, a simple one and another slightly more complex.

I. Simple: implement a per-IP authentication throttling for failed logins:

Currently the throttler for authentications (MediaWiki\Auth\Throttler and MediaWiki\Auth\ThrottlePreAuthenticationProvider::testForAuthentication()) only limits throttling per-IP-and-account and per-account, but not per-IP for all accounts. This could be easily implemented by adding a 'allAccounts' keyword in the config $wgPasswordAttemptThrottle.

A difficulty here is the question: when and how the data should be cleared:

  • reset to 0 for the IP in case of successful login; but is it a legit user or a password-spray attack finding a low-entropy password?
  • decrement the counter of a given number (e.g. N=2) to slow down the password-spray attack but still avoid too much false positive like an edit sprint with many newcomers behind the same IP in a museum/library?
  • do not clear this counter (same as previous one with N=0) and let it expire when the period is over, this is more strict

This number N (nonnegative integer or Infinity to reset the counter) could be a parameter 'strictness' or whe can fix it in the code.

II. Use more data in the throttling logic like User-Agent:

Currently the throttling logic in MediaWiki\Auth\Throttler::increase() has only a knowledge of the username and IP. According to Microsoft, the User-Agent is sometimes a fixed value/fingerprinting method during a password spray attack. Given the variability in User-Agent strings and the evolving threat, I’m not sure it would be a good design decision to fix a given scenario with the User-Agent and implement a fixed configuration with one or some scenarii, but I would propose here to add a hook with the whole HTTP request.

With a hook, sysadmins can define their own scenarii, and it can evolve more quickly and easily according to the threat. For instance and depending on their infrastructure, they can compute JA3 fingerprints or other fingerprints of known password sprays softwares and integrate more deeply MediaWiki with other security tools.

sbassett subscribed.Apr 4 2022, 3:39 PM

Triaged by the Security-Team during our clinic. This seems more like a code-hardening effort/new feature request, so it can be made public.

sbassett changed Author Affiliation from Other (Please specify in description) to Wikimedia Communities.Apr 4 2022, 3:39 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett edited projects, added SecTeam-Processed; removed Security-Team.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL