Skip to content
Related Articles
Get the best out of our app
GFG App
Open App
geeksforgeeks
Browser
Continue

Related Articles

No rate limiting flaw in cyber security

Improve Article
Save Article
Like Article
author
pradiptamukherjee
scholar
53 published articles
Improve Article
Save Article
Like Article

Rate limiting is a process to limit requests possible. It is used to control network traffic.Suppose a web server allows upto 20 requests per minute. If you try to send more than 20 requests, an error will be triggered. This is necessary to prevent the attackers from sending excessive requests to the server.

No rate limit  is a flaw that doesn’t limit the no. of attempts one makes on a website server to extract data.It is a vulnerability which can prove to be critical when misused by attackers.

REAL LIFE EXAMPLES :

  1. When you try to login to your account, after 3-4 wrong attempts, your account gets  suspended for some hours.Rate limiting is the reason behind it!
    Example-

         2.The otp you get has some time limit, after which your otp becomes invalid. Here too, rate limiting is the reason behind it.    
           Example –

USES OF RATE LIMITING FEATURE :

  • reduces excessive load on web servers
  • prevent DOS(denial of service) attack
  • help stop certain kinds of malicious bot activity like login to an account using multiple guess password and user id
  • Also prevent brute-force attacks

RECENT RATE LIMITING FLAW IN ZOOM APP :
The zoom app has become popular in the lockdown , it has become an essential alternative to offline classes.Attackers were successfully able to crack the password of the private meetings by exploiting the no-rate limit flaw vulnerability of zoom app.Zoom web client allowed brute force attempts to crack password protected private meetings that occurred in Zoom.Later, this vulnerability was patched by security experts.

BUSINESS IMPACT :
Let’s take an OTP situation. Now suppose, the length of otp is 3 digits and an attacker is guessing the otp for successful transaction theft. If no rate limiting is implemented in the web application, the hacker can manually type 000-999 values on otp to check which one is correct. This method is a little bit cumbersome, so the hacker can use a burp suite tool to do the same job in less time.Hence, after 30min, the otp gets unlocked and the attack is successful.
Now, in the same scenario, if rate limiting was implemented in a web application, suppose allow only 5 attempts or a time limit of 2 minutes. In this case, it’s almost impossible for the hacker to crack the otp . Thus,preventing the attack from happening.

HOW TO PREVENT RATE LIMITING FLAW?

  • Monitoring API activity against your rate limit.
  • Catching errors caused by rate limiting.
  • Reducing the number of  requests.
  • Extra precautions are taken with login, otp, vouchers etc.
My Personal Notes arrow_drop_up
Last Updated : 22 Jun, 2022
Like Article
Save Article
Similar Reads
1. Cyber Security and Cyber Crimes
2. Difference between Cyber Security and Information Security
3. Difference between Network Security and Cyber Security
4. How Security System Should Evolve to Handle Cyber Security Threats and Vulnerabilities?
5. Difference between Software Security and Cyber Security
6. Difference between Bit Rate and Baud Rate
7. Information Security and Cyber Laws
8. Cyber Security in Context to Organisations
9. Cyber System Security
10. 8 Cyber Security Threats That Can Ruin Your Day in 2020
Previous
Electronic Data Interchange Analyst
Next
Read Only Memory (ROM)
Article Contributed By :
https://media.geeksforgeeks.org/auth/avatar.png
pradiptamukherjee
@pradiptamukherjee
Vote for difficulty
Improved By :
Article Tags :
Practice Tags :
Report Issue
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox