openid / connect / issues / #758 - Registration - DoS Attack caused by Dynamic Registration? — Bitbucket

Issue #758 resolved

Nat Sakimura created an issue 2013-02-07

It seems there are some concerns regarding the DoS attack caused by request_uri.

I wonder if DynReg would not cause the DoS attack as well.

If it does, we should add some comments in the security consideration section.

Comments (4)

Former user Account Deleted
It's definitely a concern. OAuth DynReg currently makes note of this potential attack and suggests rate-limiting and other common mitigations (section 3):

In order to support open registration and facilitate wider interoperability, the Client Registration Endpoint SHOULD allow initial registration requests with no authentication. These requests MAY be rate-limited or otherwise limited to prevent a denial-of- service attack on the Client Registration Endpoint.
- 2013-02-07T17:36:29+00:00
Vladimir Dzhuvinov
Yes, if an OP is providing open registration, then at least some form of request throttling should be applied.
- 2013-02-08T08:04:03+00:00
Michael Jones
- assigned issue to
  
  Michael Jones
We will add the same rate limitation text as is in the OAuth registration draft.
- 2013-02-14T15:50:37+00:00
Michael Jones
- changed status to resolved
Fixed ~~#758~~ - State the registration requests can be rate-limited to prevent a DoS attack.

→ <<cset 69cc9a7eb9eb>>
- 2013-02-19T01:52:03+00:00
Log in to comment

Assignee: Michael Jones

Type: bug

Priority: major

Status: resolved

Component: Registration

Milestone: Implementer's Draft

Version: –

Votes: 0

Watchers: 0

Jira: the preferred issue tracker for Bitbucket. Join the team!