TL;DR
Strong password hashing is good for security, but can be abused in a DDoS attack if attackers try many passwords against your system. This guide shows how to protect yourself by combining rate limiting with weaker (but still secure enough) hashing algorithms and other mitigation techniques.
Understanding the Problem
Modern password hashing functions like Argon2, bcrypt, and scrypt are deliberately slow. This makes brute-force attacks harder. However, an attacker can use this slowness to their advantage in a Denial of Service (DDoS) attack. By sending many password attempts, they overload your server with hash calculations.
Solution: Combining Rate Limiting and Algorithm Choice
- Choose a Reasonable Hashing Algorithm:
- Don’t necessarily use the *slowest* algorithm available. PBKDF2 with a reasonable iteration count (e.g., 10,000 – 50,000) is often sufficient for many applications and less computationally expensive than Argon2 or scrypt.
- SHA-256 based hashing *with salting* can be used if performance is critical, but understand the increased risk compared to PBKDF2. Never use unsalted hashes!
Example (Python with
bcrypt):import bcrypt hash = bcrypt.hashpw(b'your_password', bcrypt.gensalt()) print(hash) - Implement Rate Limiting:
- This is the most important step! Limit the number of password attempts from a single IP address within a given timeframe (e.g., 5 attempts per minute).
- Rate limiting should be applied *before* any hashing occurs to prevent server overload.
- Use a tool like fail2ban, or implement rate limiting in your application code using libraries or middleware.
Example (using
iptablesfor basic IP-based rate limiting – Linux):sudo iptables -A INPUT -m recent --set --name PASSWORD_ATTEMPTS --rsource $SRC_IP --mask 255.255.255.255 sudo iptables -A INPUT -m recent --update seconds 60 --hitcount 5 --name PASSWORD_ATTEMPTS --rsource $SRC_IP -j DROPReplace
$SRC_IPwith the source IP address. - Use Captchas or Two-Factor Authentication (2FA):
- CAPTCHAs can help distinguish between human users and bots.
- 2FA adds an extra layer of security, making it harder for attackers to gain access even if they guess the password.
- Monitor Your Server:
- Keep an eye on CPU usage, memory consumption, and network traffic.
- Set up alerts to notify you of any unusual activity.
- Consider a Web Application Firewall (WAF):
- A WAF can help block malicious requests before they reach your server.
- Many WAFs include built-in DDoS protection features.
- Salt Your Hashes Properly:
- Always use a unique, randomly generated salt for each password. This prevents rainbow table attacks.
- Store the salt alongside the hash in your database.
Important Considerations
This solution is about *mitigation*, not complete prevention. A determined attacker with enough resources can still potentially overwhelm your server. However, these steps will significantly reduce your risk and make it much harder for attackers to succeed.