Question

I am considering OpenID as a login method for my PHP application, but there is one thing that prevents me from continuing: how can I protect an OpenID consumer against abuse?

An example of abusing OpenID by using a consumer as a proxy

Abuse includes flooding other servers with requests, using my application as a proxy, passing a large download as URL or unnecessarily slowing down the server by doing a lot of requests.

I guess I should implement rate-limiting on doing requests, but how am I supposed to do that? Possible attackers could use other proxies or TOR for bypassing IP checks. Limiting the providers which are allowed would be against the principles of OpenID right?

I do not expect my users to be evil, but I'd like to know which things I need to take into account before adding another possible attack vector.

Should it matter, I'm about to use lightopenid as back-end for the PHP application.


Solution

You need to separate the attacks into two pools: 1) attacks against your own site, and 2) attacks against someone else using you as a proxy. Neither of these issues is new or unique to OpenID. For example, the classic "tell a friend" email forms could be automated to send out email spam from the proxy party's IP address and email, shielding the spamming party from consequences and providing them with a (potentially) clean IP/email that isn't already flagged by spam protection. This was primarily addressed with the "CAPTCHA" to prevent automated use of the form.

For attacks against your own site, this has all been covered countless times before. Try here: protect yourself against DoS attacks

For attacks against someone else's site, many of the same principles apply as mentioned in that other question. Throttle authentication requests, reject unreasonable or malformed requests, verify the Content-Length header against the actual content on POST back, and of course you can always add the classic "CAPTCHA" to help prevent automated attacks using your OpenID consumer.

Also, contrary to other suggestions here, I wouldn't throttle based on the OpenID TLD, but rather on the requesting party's IP address. Yes, people can rent proxy IPs, but you can't fairly throttle based on the TLD, as the userbase for each OpenID provider will vary widely. You can also purchase a database of known proxy IPs from a company like MaxMind. If the user is coming from a proxy IP, increase the aggressiveness of your throttling.
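The per-IP throttling and the "reject malformed requests" advice from this answer, written out as an added example (this is not code from the answer, from LightOpenID or from the question's application). It assumes PHP 8.1 or newer, an in-memory bucket store (a real deployment would keep the buckets in APCu, Redis or a database so they are shared between requests and workers), and a hypothetical `$knownProxies` list standing in for a purchased proxy/anonymiser IP database; the address `203.0.113.7` is constructed from documentation address space.

```php
<?php
// Added example: throttle OpenID login attempts per requesting IP with a token
// bucket, tightening the limit for IPs on a known-proxy list, and reject
// malformed identifiers before any discovery request is made on the user's behalf.
// The bucket store is an in-memory array (assumption: replace with APCu/Redis
// in production so limits survive across requests and web workers).

declare(strict_types=1);

final class ConsumerThrottle
{
    /** @var array<string, array{tokens: float, updated: float}> */
    private array $buckets = [];

    public function __construct(
        private readonly int $capacity = 5,              // burst allowed per IP
        private readonly float $refillPerSecond = 0.1,   // sustained: one attempt per 10 s
        private readonly array $knownProxies = [],       // hypothetical: loaded from a proxy-IP database
    ) {}

    /** Token bucket: true if the attempt may proceed, false if it should get HTTP 429. */
    public function allow(string $ip, float $now): bool
    {
        // Known proxy / Tor exit: a quarter of the normal burst and refill rate.
        $factor   = in_array($ip, $this->knownProxies, true) ? 0.25 : 1.0;
        $capacity = max(1, (int) floor($this->capacity * $factor));
        $refill   = $this->refillPerSecond * $factor;

        $b = $this->buckets[$ip] ?? ['tokens' => (float) $capacity, 'updated' => $now];
        $b['tokens']  = min((float) $capacity, $b['tokens'] + ($now - $b['updated']) * $refill);
        $b['updated'] = $now;

        $allowed = $b['tokens'] >= 1.0;
        if ($allowed) {
            $b['tokens'] -= 1.0;
        }
        $this->buckets[$ip] = $b;
        return $allowed;
    }
}

/**
 * Reject unreasonable or malformed OpenID identifiers before contacting anyone.
 * Returns null when the identifier is acceptable, otherwise a short reason.
 */
function rejectIdentifier(string $identifier): ?string
{
    if (strlen($identifier) > 255) {
        return 'identifier too long';
    }
    $parts = parse_url($identifier);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'not an absolute URL';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'scheme must be http or https';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL not allowed';
    }
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return 'non-standard port';
    }
    return null;
}

// Usage at the top of the login handler, before handing the identifier to LightOpenID.
$throttle = new ConsumerThrottle(knownProxies: ['203.0.113.7']); // constructed sample entry
$ip = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
if (!$throttle->allow($ip, microtime(true))) {
    http_response_code(429);
    exit('Too many login attempts, slow down.');
}
if (($why = rejectIdentifier($_POST['openid_identifier'] ?? '')) !== null) {
    http_response_code(400);
    exit('Rejected OpenID identifier: ' . $why);
}
// ...continue with LightOpenID discovery for $_POST['openid_identifier'].
```

Key on `REMOTE_ADDR` only; trust an `X-Forwarded-For` header solely when your own reverse proxy sets it, otherwise the client can pick any "IP" it likes and the throttle is bypassed for free.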

Other tips

Slow down requests proportionally to the number of times a certain domain has been requested.

For example, suppose that somebody tries to use you to DOS the server example.com by requesting many URLs like http://example.com/foo, http://example.com/bar, http://example.com/foobar120382. Consider all these requests as requests for example.com and execute the first request without any delay. Delay 2 seconds before making the next request, delay 4 seconds before making the third request, delay 8 seconds before making the fourth request, 16 before the fifth and so on.

Such little delays are pretty much unnoticed by human users but will greatly reduce the ability of your server to act as a DOSsing proxy. Just think that the 12th request will be blocked for more than one hour (if you use powers of two).

Obviously you should also create some kind of white- or gray-list for common large OpenID providers like Google or myOpenID. Those domains are likely to be requested very often.
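The per-domain exponential backoff with a grey list of large providers, written out as an added example (not code from this answer or from LightOpenID). It assumes PHP 8.0 or newer, an in-memory counter store (use APCu or Redis in production so the count is shared across requests), a hypothetical `$maxDelay` cap beyond which the attempt is refused instead of waited out, and the grey-listed hosts shown as a constructed sample.

```php
<?php
// Added example: reduce every identifier to its host, let the first discovery
// for that host run immediately and make the n-th wait 2^(n-1) seconds, with
// well-known large providers exempt. Counters live in memory here (assumption:
// move them to APCu/Redis in production). A delay above $maxDelay refuses the
// request outright rather than holding a worker for an hour.

declare(strict_types=1);

final class DomainBackoff
{
    /** @var array<string, array{count: int, last: float}> */
    private array $seen = [];

    public function __construct(
        private readonly array $greyList = ['google.com', 'yahoo.com', 'myopenid.com'], // constructed sample
        private readonly int $maxDelay = 3600,       // hypothetical cap: refuse rather than wait longer
        private readonly int $windowSeconds = 3600,  // forget a host's count after an idle hour
    ) {}

    /** Lower-cased host of the identifier, or null if it is not a usable URL. */
    public static function domainOf(string $identifier): ?string
    {
        // Users often type "example.com/me"; OpenID normalisation assumes http://.
        if (!preg_match('~^https?://~i', $identifier)) {
            $identifier = 'http://' . $identifier;
        }
        $host = parse_url($identifier, PHP_URL_HOST);
        return is_string($host) && $host !== '' ? strtolower(rtrim($host, '.')) : null;
    }

    private function isGreyListed(string $host): bool
    {
        foreach ($this->greyList as $trusted) {
            if ($host === $trusted || str_ends_with($host, '.' . $trusted)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Seconds to wait before contacting $host for this attempt, or null if the
     * attempt should be refused. Records the attempt against the host.
     */
    public function delayFor(string $host, float $now): ?int
    {
        if ($this->isGreyListed($host)) {
            return 0;
        }
        $entry = $this->seen[$host] ?? ['count' => 0, 'last' => $now];
        if ($now - $entry['last'] > $this->windowSeconds) {
            $entry['count'] = 0;   // idle long enough: start the series over
        }
        $entry['count']++;
        $entry['last'] = $now;
        $this->seen[$host] = $entry;

        // 1st: 0 s, 2nd: 2 s, 3rd: 4 s, 4th: 8 s, ... i.e. 2^(n-1) seconds
        $n = $entry['count'];
        if ($n === 1) {
            return 0;
        }
        if ($n - 1 >= 31) {        // 2 ** 31 already exceeds any sane cap; avoid overflow
            return null;
        }
        $delay = 2 ** ($n - 1);
        return $delay > $this->maxDelay ? null : $delay;
    }
}

// Usage in the login handler (hypothetical field and handler names).
$backoff    = new DomainBackoff();
$identifier = $_POST['openid_identifier'] ?? '';
$host       = DomainBackoff::domainOf($identifier);
if ($host === null) {
    http_response_code(400);
    exit('Malformed OpenID identifier');
}
$delay = $backoff->delayFor($host, microtime(true));
if ($delay === null) {
    http_response_code(429);
    exit('Too many login attempts against ' . htmlspecialchars($host));
}
if ($delay > 0) {
    header('Retry-After: ' . $delay);
    http_response_code(429);
    exit('Please retry in ' . $delay . ' seconds');
}
// ...proceed to LightOpenID discovery for $identifier.
```

Note the usage returns `429` with `Retry-After` instead of calling `sleep($delay)`: a sleeping PHP worker is itself a resource an attacker can exhaust, so the delay is enforced by refusing early attempts rather than by holding connections open. With `$maxDelay = 3600` the 13th attempt against one host (2^12 = 4096 s) is refused outright.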

I would do something simpler. Limit the OpenID endpoints to a limited set of trusted ones: Google, wordpress, myopenid, yahoo. It will probably cover most of the users, and will not make it possible for bots to make your site generate traffic to random sites.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow