C# / .NETDevOpsMisc
C# / .NET
Protect Against Enumeration Attacks in 2022
Alexandru Puiu
Alexandru Puiu
July 15, 2022
1 min

Table Of Contents

01
How an Enumeration Attack Works
02
How to Prevent and Mitigate an Enumeration Attack In C#

Enumeration Attacks are a type of attack in which the attacker tries to guess or validate a data set with the goal of extracting more information than they had to start out. For example, finding out if a user is a member of the site by trying to log in with millions of email addresses and checking if the page responds differently to an account existing but with a bad password vs not existing in the system.

Also, check out Authentication Ideas for some things you can do to protect your login page.

How an Enumeration Attack Works

Enumeration is a type of cyber attack that involves using trial and error to find valid usernames or passwords, typically by trying many different combinations.

Enumeration attacks are often used in brute force attacks. The attacker uses a program to automatically try different passwords until they find the right one. The more guesses an attacker can make, the more likely they are to succeed at their goal.

How to Prevent and Mitigate an Enumeration Attack In C#

The first step in defending against enumeration attacks is making it infeasible to extract the data they’re after by limiting the number of attempts they can make, and monitoring user activity closely so you know when someone might be trying to break. This could be a limit on the number of attempts per account for login, or from a given IP address. Google Captcha and Cloudflare bot fighting mode can assist in preventing automated attempts from being made.

We’ll use a simple request throttling mechanism, along with an artificial delay to slow down the number of attempts an attacker can make:

private static ConcurrentDictionary<string, bool> RunningRequests = new ConcurrentDictionary<string, bool>();

Next, we’ll try to add the user’s IP Address to the list of running requests. Because it’s a Concurrent Dictionary, if they’re already running a request, then the TryAdd will fail, and we’ll just wait 3 seconds before trying again

while (!RunningRequests.TryAdd(HttpContext.Connection.RemoteIpAddress.ToString(), true))
    await Task.Delay(3000, ct);

Next, we’ll wait 3 seconds regardless of the previous one, which covers the case of the user making the first request

await Task.Delay(3000, ct);

We’ll want to do the above in a try/catch block, and then remove the user’s IP address from the list in the finally block. Otherwise, the user could be stuck not being able to make more requests.

finally
{
    RunningRequests.Remove(HttpContext.Connection.RemoteIpAddress.ToString(), out var _);
}

Then finally we’ll continue with our business logic.

Full code

try
{
    using (var client = _clientFactory.CreateClient("captcha"))
    {
        var response = await client.PostAsync("recaptcha/api/siteverify", new FormUrlEncodedContent(new Dictionary<string, string> { { "secret", _captchaSettings.Value.Secret }, { "response", model.Token }, { "remoteip", Request.HttpContext.Connection.RemoteIpAddress?.ToString() } }), ct);
        response.EnsureSuccessStatusCode();

        var captchaResponse = await response.Content.ReadAsAsync<CaptchaResponse>(ct);
        if (!captchaResponse.Success)
        {
            ModelState.AddModelError(nameof(model.Email), "Invalid captcha");
            _logger.LogWarning($"Invalid captcha doing business logic - {model.Email} - {captchaResponse.Hostname}");

            return ValidationProblem(ModelState);
        }
    }

    while (!RunningRequests.TryAdd(HttpContext.Connection.RemoteIpAddress.ToString(), true))
        await Task.Delay(3000, ct);

    await Task.Delay(3000, ct);

    //business logic
}
catch (Exception ex)
{
    _logger.LogError(ex, "Error doing the business logic");
    throw;
}
finally
{
    RunningRequests.Remove(HttpContext.Connection.RemoteIpAddress.ToString(), out var _);
}

return Json(results);

Tags

securityattack-prevention
Alexandru Puiu

Alexandru Puiu

Engineer / Security Architect

Systems Engineering advocate, Software Engineer, Security Architect / Researcher, SQL/NoSQL DBA, and Certified Scrum Master with a passion for Distributed Systems, AI and IoT..

Expertise

.NET
RavenDB
Kubernetes

Social Media

githubtwitterwebsite

Related Posts

Authentication in HttpClientFactory
Authentication in Http Client Factory
December 21, 2022
1 min

Subscribe To My Newsletter

I'll only send worthwhile content I think you'll want, less than once a month, and promise to never spam or sell your information!
© 2023, All Rights Reserved.

Quick Links

Get In TouchAbout Me

Social Media