June 6th, 2022 · #security #bots #spam
Stopping Malicious Actors
Wes Bos and Scott Tolinski discuss ways that malicious actors can abuse your web application, and different techniques to prevent abuse like rate limiting, shadow banning, tokens, CAPTCHA, and more.
- Stopping malicious actors
- Malicious actions people can take
- Ways to stop malicious actors
- Rate limiting requests
- Shadow banning bad users
- Limiting requests over time
- How Reddit handles shadow bans
- Using tokens to limit access
- CSRF tokens for security
- Using CAPTCHA for humans
- Concerns with reCAPTCHA
- Easier CAPTCHAs get broken faster
- DDoS protection services
- Banning abusive IP ranges
Transcript
Scott Tolinski
CSD. Welcome to Syntax.
Scott Tolinski
On this Monday, hasty treat.
Stopping malicious actors
Scott Tolinski
We're gonna be talking about malicious actors and how we can stop them. I'm not talking about film actors. I'm talking about people using your stuff. So people who are using your stuff and who are up to no good, we're gonna be talking about how to stop them from doing their wrongdoing. So my name is Scott Tolinski. I'm a developer from Denver, Colorado. And with me as always is Wes Bos.
Wes Bos
Hey.
Wes Bos
Excited to talk about the bad guys today.
Scott Tolinski
Talking about the bad guys.
Scott Tolinski
This episode is sponsored by two amazing companies, which are Linode and Sentry. Wes, would you love to talk about Linode? And I would love to talk about Sentry. Would love to talk about Linode. Linode is
Wes Bos
a cloud computing and Linux server alternative to AWS.
Wes Bos
Linode is awesome. They have products for literally everything. Probably what you, the listener, wanna use is: you can spin up a little Linux server real quick. They have lots of images already, so you can be like, oh, I wanna use Node. Well, they've got a Node image. Just spin that sucker up, and you can right away deploy your Node application to it.
Wes Bos
They have shared CPU, high memory, block and object storage, backups, managed databases, MySQL, you name it, DDoS protection, DNS management, NodeBalancers, virtual LAN.
Wes Bos
If you want to host your website or use any of their other services, you're gonna wanna check out Linode at linode.com/syntax. It's gonna get you $100 in free credit to Linode, which is amazing. That's a really good deal. Thank you, Linode, for sponsoring.
Scott Tolinski
Sick. This episode is also sponsored by Sentry. The perfect place to track all of the things that are going wrong on your site, but also to potentially make sure that some of the things you set in place here for malicious actors are maybe working or not. Because what Sentry does is it gives you all kinds of logging information for your site about errors and exceptions and performance and more. This allows you to see exactly what's happening on your site really at any given time in a way that makes it so that you can fix things before they are a big, big problem. In fact, anytime that I do releases, which, of course, I gotta do releases. Everybody's releasing stuff. I gotta release stuff. Anytime you do releases of new code, it's always important that you know that your code is as bug free as possible, where you can get actual messages if, let's say, you fix the problem and it returned. You're gonna get an email saying there was a regression for that specific issue.
Scott Tolinski
You can tie issues to specific releases, users, GitHub issues, all that and more. Check it out at sentry.io.
Scott Tolinski
Use the coupon code tasty treat, all lowercase, all one word, and you'll get 2 months for free. Thank you so much to both of our wonderful sponsors today who are not malicious actors. Wes, malicious actors.
Malicious actions people can take
Scott Tolinski
These are the people who are coming into your site, and they're trying different things. They're plugging and playing in your API. They're hitting your site in all sorts of ways. They're trying to test your site in different types of ways. Let's talk a little bit about what kind of bad things can happen to your application first and foremost, and then let's talk about some of the solutions.
Wes Bos
Yeah. Yeah. Exactly. So, you talk about malicious actors. Somebody comes to your website, and they want to abuse the features you have for the well-intentioned people so that they can spam your website or cost you resources or undue stress or any of these things. So, what are bad things that can happen? Someone can submit a form over and over and over again, or 10,000 emails.
Wes Bos
Yeah, 10,000 emails filled with stolen credit card data, or literally just run up your database so the thing falls over.
Wes Bos
Someone can submit directly to your API. So, we've talked about this many times in the past. We've had shows on how to do this. People will open up the network tab and look at what API endpoints you are using and try to reverse engineer all the documentation for it. And if they have access to that, it's not necessarily a bad thing, because that's how websites work. It's all public. But if they can use that API directly, not as you intended, you could possibly have some downsides to that.
Wes Bos
Someone could sign up with an email that isn't theirs.
Wes Bos
Someone can abuse a resource that will cause strain on your server. That's generally called a DDoS attack, where you visit a website that takes a little bit of energy from your server to load that page. Okay, now do it a thousand times per second. Alright, that's starting to get... Oh, it's that TikTok. Oh, that's a lot of slices.
Wes Bos
Okay, now do that 100,000 times a minute. That's a lot of slices, you know. That will cause your website to fall over. Someone could spam public-facing things, like anywhere you have a website that people can type in and post a comment or review or literally anything. They can fill that form up, or they could put JavaScript in there that will steal your passwords, or you name it. So this affects everyone, and to give you
Scott Tolinski
just a scope about how, you know, this isn't just a small mom-and-pop website here. I mean, Google has major issues with this, even in YouTube. I still get a spam comment on just about every single YouTube video I post, and they're all from different accounts. So there are tons of malicious actors out there hitting all sorts of things, whether it is just sharing links to sites that can infect you with malware or sharing links to sites that maybe increase some sort of conversion for them or something. I mean, there's always some sort of reason why they're doing these things, and it's not good for you or your users, but your site here is potentially at fault. So how do you stop these people from
Ways to stop malicious actors
Wes Bos
doing malicious things? Well, without having to hurt your proper users.
Wes Bos
And there's always a little bit of give and take. Probably the most straightforward one is that we sometimes have to select buses or stoplights in a CAPTCHA, because the world is broken and there are people that will abuse that. Right? So there's, like, a fine balance between annoying your good users and stopping the bad people from doing things.
Rate limiting requests
Wes Bos
So the first one is rate limiting, and what that means is that people can only do something so many times before you say, alright, you've done it too much. So you can rate limit someone by IP address.
Wes Bos
I specifically do that, and it bit me once, because I think I say, like, you can only try to do these things 10 times every 15 minutes or something like that.
Wes Bos
And somebody once had their entire class of 100 students sign up for my course as part of the class, and then, it was hilarious, one of the students sent me a DM on Twitter, and they're like, hey, our teacher is trying to, like, today's course is take Wes's videos, and we can't get access to it.
Wes Bos
So, someone's trying to share passwords, and it's not working, so I was like, oh, shoot. Like, that's legitimate. There's a school, it has a single IP address, and they need to sign up 100 times in a minute. So I had to manually process those. I said, hey, give me a list of email addresses as quick as you can, and I got them up and running and they could do their class. But, again, that's an example of a process put in place to stop malicious people from doing things, and you actually hit legitimate
Scott Tolinski
use cases. Yeah. One thing I do is I have, like, some function that's only for specific users who are logged in, and they would create fake accounts, and then they would have a logged-in account and then hit the thing, you know, a hundred times.
Scott Tolinski
So instead of banning their IP, I would have a class or a role on the user so that the user would be banned, and their resolver would just return the user object as if they were not logged in. So the user or the robot, the UI, would see that the user is not logged in, but they were given no ability to log out. There's no API method they could access to log out. There's nothing that they could do to log out, or it wouldn't let them re-log in. It would just make the computer or user visually feel like they are not logged in even though they are.
Scott Tolinski
That actually works pretty well, I think. Yeah. Oh, that's great. It's always nice when you can
Wes Bos
screw around with the people that are doing the most. Unfortunately, it's almost, not almost never, but it is often just a bot, just a robot that knows how to do these things. It's not actually people. It's just someone that's written a bot, and they're going to try these 10 things that are known to work on 100,000 websites. And it's a numbers game. Definitely. Exactly.
Shadow banning bad users
Wes Bos
Also, you can limit by cookie. So that's another one: if you don't want to limit by IP, you can say, all right, you set a cookie, and they can only do it so many times. That's also easy to get around. That's how newspaper websites generally do it. You've reached your free articles for the day.
Wes Bos
If you delete your cookie or open up a new browser or incognito mode or anything, you can generally get around that as well. But that's certainly a good way to stop most people that don't necessarily know how to clear their cookies or something like that. Yeah, totally.
Wes Bos
These rate limiting things will generally allow you to specify tries and time. So rate limiting is generally a mix of how many times they can try and what the period is that they can try within.
Limiting requests over time
Wes Bos
So it's not like you can try 10 times and then that's it. And it's not like you can only try once every 15 minutes. You can say, alright, well, you got... It's like a password, you know? You're trying to type in a password and you get it wrong 4 times and you're like, please, please let this be it, you know? Yeah.
Scott Tolinski
Yes. I don't want to get banned. I don't wanna have to call the phone number to get on there. Exactly. Whatever they ask you to do. That's another beautiful thing about password managers: that never happens anymore. You just have to
Wes Bos
pop it in.
Wes Bos
Other ways you can get around this: a silly question asking, what is 2 plus 4? I know my kids specifically, I have this on iPad apps. This is not to stop malicious actors, but it's a great way to make sure that it's actually a human going forward, so you can simply ask, like, which one of these animals barks? With AI, those things are starting to get much smarter.
Scott Tolinski
But, again, in most cases these people don't have AI. Yep. The shadow ban is kind of what I did, where you're banning a user and they don't necessarily know that they're banned. Right? That's what I think of as a shadow ban. It's like, basically, you're removing their features. But to them, they don't necessarily see that their features are removed, or they can't tell.
Scott Tolinski
You know, Reddit does a lot of, like, shadow banning or banning, I think, really well.
How Reddit handles shadow bans
Wes Bos
That's why if you, like, go to Reddit and it says, like, 8 comments, or even on Twitter it says 3 replies and you click through to it, there's only 2.
Wes Bos
It's likely because whoever posted a reply is shadow banned, but from their end, everything looks like it worked properly. Their Reddit comment is showing up. Their YouTube comment is showing up. But in reality, the rest of the world can't see it, and that's very frustrating to somebody who's trying to be malicious. Totally. Next, we have tokens.
Wes Bos
These are called nonces.
Using tokens to limit access
Wes Bos
I think
Scott Tolinski
Yeah. I always say nonce. I don't know if that's actually how you say it. Once. Like, you can do it once.
Wes Bos
I don't know. That's it. So, yeah, I just say nonce, but, yeah, nuance is kind of... no. I think nonce is the actual word. What these are: when you load a form, let's say you have a form to sign up, and that form pings your API at forward slash new user.
Wes Bos
And to that API, you give it a username and a password.
Wes Bos
Generally, you'll also need a nonce with that. Otherwise, someone could just hammer that API endpoint directly without even being in the browser. But, generally, what a nonce will do is, you load the page, it will give you a token, and it says, alright, here's a token.
Wes Bos
You can use this to go ahead and create a new user. But if you were to try to create a new user without the token, then you're going to have a bad time. Kind of like when I went to the winter carnival with my kids this weekend and they tried to, like, play a game and they're like, you don't have any tickets.
Wes Bos
Right? So, like, you're there. You're able to play, but you don't have tickets. So, like, we had to, okay, we have to go to the thing, get a ticket, and come back and say, alright, now I have the ability to do that.
Scott Tolinski
Yeah. That's often how you see payment processors work too. Right? You hit your payment API. You get the nonce. You send that nonce to the server, and then the server can process that request.
Wes Bos
Exactly. And it's the server, oh, we should say, it's the server that is expecting the token. It can decrypt the token and make sure that that is a token that was issued.
Wes Bos
In general, sometimes those tokens will be tied to specific IP addresses or any other stuff we talked about as well. Totally. Word. There's CSRF. We have a whole show on cross-site request forgery.
Wes Bos
So CSRF or XSRF tokens are kind of similar to nonces. They're tokens that must be sent along with the request.
CSRF tokens for security
Wes Bos
Otherwise, go back and listen to the whole show on CSRF. It's basically to stop people, when you're logged in on one website, from pinging it from another website when there are CORS allowances between those websites, but you wanna make sure that people aren't pinging your bank account from Facebook or something like that.
Scott Tolinski
Yeah. Totally.
Wes Bos
CAPTCHA. We all know CAPTCHAs. Yeah. Yeah. CAPTCHA is where you type in the thing. There's a whole bunch of other ones. The invisible reCAPTCHA from Google is pretty good, because it will only pop up.
Using CAPTCHA for humans
Wes Bos
hCaptcha. That's from Cloudflare, right? Or is that just an open source one? See, I'm gonna Google it right now. It's not. We've done this before. I told you. We've done this for Cloudflare. It's not.
Wes Bos
Yeah. Cloudflare uses it. hCaptcha. It works fine. It works very well. So, yeah, hCaptcha is nice because the thing about using reCAPTCHA is you're literally letting Google in on every single page of every single website.
Concerns with reCAPTCHA
Wes Bos
And, like, maybe we shouldn't allow that to have a
Scott Tolinski
like, reCAPTCHA is the worst of all of them in terms of user annoyance.
Scott Tolinski
Like, how many times have you had a reCAPTCHA that's like, select all the stoplights, and then you get a tiny little sliver of a stoplight or whatever. You're like, what? Select all the bicycles.
Scott Tolinski
There's only motorcycles on this. What am I supposed to do? You think these motorcycles are bikes? What do you do? What? Why am I trying to, you know, pick these things out for you, dumb computer? You know, the one I like the most is the one where you just drag the puzzle piece into the puzzle. Yeah. That's the one I like. Was using that.
Wes Bos
Yeah. Yeah. I like that one. What is that called? I tweeted about it a couple months ago, and someone said what it was.
Wes Bos
It's a Chinese company.
Wes Bos
Somebody wrote a bot to detect how to do that in Puppeteer. There's a really good blog post on Medium on how they used machine learning to get past it. So that one's been broken? Yeah. Well, like, that's the thing is that we love those ones because they're easy.
Easier CAPTCHAs get broken faster
Wes Bos
And websites don't necessarily love those ones because the easier they get for us, the easier they also get for the robots. Yeah. And the thing is, I think you probably hit a lot more CAPTCHAs than I do because you are often on a VPN. Right? Yep. And every time you search for anything.
Scott Tolinski
Yeah. Google's like, are you on a VPN on your IP? Flag your IP for something.
Wes Bos
Yeah. Yeah. That can be really frustrating.
Wes Bos
So there's always this, like, constant battle between privacy and, like, the good people want privacy, but bad people also want privacy. There is DDoS protection on a lot of hosted services. Cloudflare is probably the biggest one out there.
DDoS protection services
Wes Bos
They have a whole lot of special sauce that, like, I have a feeling, I always wanted to know, like, Cloudflare, like, they probably have just, like, this room of people who are, like, part of the seedy underbelly of the Internet, and they know, like, all the bad stuff that's going on, because, like, let alone us trying to protect our little video websites, right? Like, what kind of stuff do they see of, yeah, right, yeah, totally, the world's banks and stuff. And then the last one is, you can ban specific ASNs.
Wes Bos
So an ASN number. What does ASN mean? Alberta student number? No. Yeah, I don't know what ASN means. Autonomous system number. So every time there is an ISP, so DigitalOcean, Linode, Cloudflare, your Comcast, AT&T, every single ISP out there will have an ASN.
Wes Bos
So whether they are a hosting provider or an Internet provider, they have a number, and there are a lot of known bad hosts that will allow seedy stuff to happen on them. Like, if you're trying to run a script on Linode that is doing some bad stuff, you're going to get kicked off Linode so quick. But there is a lot of, like, kind of underbelly hosting providers out there that turn a blind eye, and they're the ones that host things like these course platforms that steal our courses and do DDoS attacks and whatever. And as long as the bill's getting paid, they don't necessarily care.
Banning abusive IP ranges
Wes Bos
And you can go online and find lists of known ASNs, and you can just completely ban them from visiting your website entirely. So that is another trick that a lot of people do.
Wes Bos
So that is stopping malicious actors. There's just a couple of things here and there you can do.
Wes Bos
It's generally good to put a lot of these, especially rate limiting and CAPTCHAs, in place, yeah, before you have trouble with that type of stuff, because it's not if somebody is going to do it, but when that type of thing happens, and you don't wanna have to be scrambling
Scott Tolinski
when that type of thing happens. Yeah. And you don't want the services that you use to flag you as being a malicious actor because your users are being malicious on your site too. Right? You could get kicked off of any service that you're using, or anything like that. So you gotta definitely stay on top of these things. And some of them, like the Cloudflare DDoS protection, are super easy to implement.
Scott Tolinski
Some of the other ones, like rate limiting, can be a little bit tougher because you kinda have to implement it yourself, or at least it can be, depending on where you host. But these also might be reasons why having a service for some of your back end stuff might be helpful, because then, I got a lot of those services have rate limiting built in. That way it's not something you're having to deal with yourself, but yeah. Definitely stuff you need to be on, or at least be cognizant of, especially if people are interacting with your application in any sort of meaningful way, that is, submitting things to your database or submitting things to a third-party processor, payment processor, that type of thing. I just looked it up. Cloudflare does have rate limiting. I have never used it before,
Wes Bos
but that would be, and then what they can do is, okay, somebody is trying too many times, you can throw a in front of them and be like, alright, you're trying to do something, or you can block them entirely.
Wes Bos
That's also a really good use for edge functions. When we talked about that, people can put rate limiting in an edge function instead of having that logic directly in your API code. You can just write your API code like it's wide open, and then throw an edge function or serverless function or, in my case, a middleware in front of it, and that will
Scott Tolinski
add that logic on top. Word. Cool. Well, this is how you can prevent bad actors from doing bad acting on your site. Wes, you got anything else before we kick this one off? Thanks for tuning in. Catch you on Wednesday.
Scott Tolinski
Peace. Peace.
Scott Tolinski
Head on over to syntax.fm for a full archive of all of our shows.
Scott Tolinski
And don't forget to subscribe in your podcast player or drop a review if you like this show.