Security and Rate Limiting

Authentication and Authorization

Authentication

The process of verifying the identity of a user or system.

  • Username and password authentication
  • Multi-factor authentication (MFA)
  • Biometric authentication (fingerprint, facial recognition)
  • OAuth and SSO (Single Sign-On) systems

Authorization

The process of granting or denying access to resources based on verified identities.

  • Role-based access control (RBAC)
  • Attribute-based access control (ABAC)
  • Access control lists (ACLs)
  • OAuth scopes and permissions

Types of Authentication

Password-based authentication:

The user proves identity with a secret that only they should know.

  • Still the most common factor, but weak on its own: passwords are reused across sites, phished and guessed, so pair it with MFA and with a rate limit or lockout on failed attempts
  • Never store the password itself; store a salted hash produced by a deliberately slow password-hashing function (bcrypt, scrypt or Argon2), not a fast general-purpose hash such as plain SHA-256

Multi-Factor Authentication (MFA):

Adds an additional layer of security by requiring more than just a password.

  • Factors are something the user knows (password), something the user has (a one-time code from an authenticator app, or a hardware key) and something the user is (biometric data); two factors of the same kind, such as a password plus a PIN, do not count as MFA
  • A stolen password alone is no longer enough, which defeats most credential stuffing; a one-time code can still be relayed in real time by a phishing page, so origin-bound hardware keys are the stronger second factor
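As an added worked example (not part of the original page), here is the "something the user has" factor implemented from the standards it is built on: HOTP (RFC 4226) and TOTP (RFC 6238) in standard-library Python. The seed, the one-step drift tolerance and the verify_totp helper name are this example's own choices; the expected codes in the comments are the test vectors published in the two RFCs for the 20-byte seed "12345678901234567890".

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, timestamp // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, timestamp: Optional[int] = None,
                step: int = 30, digits: int = 6, drift_steps: int = 1) -> bool:
    """Accept the code for the current step or for `drift_steps` neighbouring steps (phone clock skew).

    Every candidate is compared in constant time and no comparison short-circuits the loop,
    so response timing does not reveal which step (if any) matched.
    """
    now = int(time.time()) if timestamp is None else timestamp
    matched = False
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret, now + delta * step, step, digits)
        matched |= hmac.compare_digest(candidate, submitted)
    return matched


if __name__ == "__main__":
    seed = b"12345678901234567890"          # the RFC 4226 / RFC 6238 test seed, not a real secret
    print(hotp(seed, 0), totp(seed, 59, digits=8))   # 755224 94287082, as listed in the RFCs
```

A production verifier additionally records the last accepted time step per user and refuses a second login with the same code inside that step (replay), and it rate-limits attempts: a six-digit code with a three-step window is guessable in about 333,000 tries if nothing throttles the attacker.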

Single Sign-On (SSO):

The user authenticates once to an identity provider and is then admitted to multiple services without signing in again (typically via SAML or OpenID Connect).

  • Improves user experience and gives one place to enforce MFA and to revoke access
  • Commonly used for enterprise systems and web applications; the identity provider becomes the single point of compromise, so it needs the strongest protection of all

Types of Authorization

Role-Based Access Control (RBAC):

Permissions are assigned based on the user’s role in the system.

  • Roles define the level of access (e.g., Admin, User, Guest), and each role maps to a fixed set of permissions
  • Easy to manage with a small, stable set of roles; tends toward "role explosion" when every exception needs a role of its own

Attribute-Based Access Control (ABAC):

Uses attributes (such as user characteristics, resource types, or environment conditions) to make access control decisions.

  • More granular and flexible than RBAC, since one rule can combine several conditions (owner of the record, data classification, time of day, network the request comes from)
  • Commonly used where the decision depends on context rather than only on who the user is, at the price of policies that are harder to audit

Access Control Lists (ACLs):

Define, per resource, which users or groups may perform which operations on it.

  • Can be complex to manage in large systems because permissions live with each object rather than in one central policy
  • Useful for fine-grained control of specific files, data or services (file-system and cloud-storage permissions are the classic case)
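As an added example, not code from the original page, here are the RBAC and ABAC models side by side in Python: a role-to-permission table, ABAC rules written as predicates over subject, resource and request-context attributes, and a deny-by-default decision function that combines them (deny rules win even over admins). The role names, attribute names, the "business hours" and "corporate network" rules and the sample users are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# ---- RBAC: role -> "action:resource_kind" permissions. Unknown roles map to nothing (deny by default). ----
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin":  {"read:document", "write:document", "delete:document", "read:audit_log"},
    "editor": {"read:document", "write:document"},
    "viewer": {"read:document"},
}


@dataclass
class Subject:
    user_id: str
    roles: Set[str] = field(default_factory=set)
    department: str = ""


@dataclass
class Resource:
    kind: str
    owner_id: str = ""
    classification: str = "internal"   # "internal" or "restricted": labels invented for this example
    department: str = ""


def rbac_allows(subject: Subject, action: str, resource: Resource) -> bool:
    needed = f"{action}:{resource.kind}"
    return any(needed in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


# ---- ABAC: a rule is a predicate over (subject, action, resource, request context). ----
Rule = Callable[[Subject, str, Resource, dict], bool]


def owner_can_read_write(s: Subject, a: str, r: Resource, ctx: dict) -> bool:
    return a in ("read", "write") and r.owner_id == s.user_id


def same_department_can_read(s: Subject, a: str, r: Resource, ctx: dict) -> bool:
    return a == "read" and bool(r.department) and r.department == s.department


def restricted_needs_corporate_network(s: Subject, a: str, r: Resource, ctx: dict) -> bool:
    # Environment attribute: restricted data is only served to requests from the corporate network.
    return r.classification == "restricted" and ctx.get("network") != "corporate"


def delete_only_in_business_hours(s: Subject, a: str, r: Resource, ctx: dict) -> bool:
    return a == "delete" and not 8 <= ctx.get("hour", 0) < 18


ALLOW_RULES: List[Rule] = [owner_can_read_write, same_department_can_read]
DENY_RULES: List[Rule] = [restricted_needs_corporate_network, delete_only_in_business_hours]


def authorize(subject: Subject, action: str, resource: Resource, context: Optional[dict] = None) -> bool:
    """Deny rules win over everything (even admin); then RBAC or any ABAC allow rule grants; else deny."""
    ctx = context or {}
    if any(rule(subject, action, resource, ctx) for rule in DENY_RULES):
        return False
    if rbac_allows(subject, action, resource):
        return True
    return any(rule(subject, action, resource, ctx) for rule in ALLOW_RULES)


if __name__ == "__main__":
    carol = Subject("carol", set(), "hr")                      # no role at all
    report = Resource("document", owner_id="carol", department="hr")
    print(authorize(carol, "write", report, {"network": "corporate", "hour": 10}))   # True: owner rule
```

The ordering is the security-relevant part: evaluating deny rules first means a context condition (off-site, out of hours) can never be overridden by a generous role, and returning False when no rule fires means a typo in a role name fails closed rather than open.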

Best Practices for Authentication and Authorization

  • Use HTTPS on every page and endpoint that handles credentials or session tokens, not only the login form
  • Store passwords as salted hashes from a slow password-hashing function (bcrypt, scrypt, Argon2), never in plain text or as a bare SHA-256
  • Use short-lived, signed tokens (e.g., JWT) for API authentication, and on every request verify the signature, restrict the accepted algorithm and reject expired tokens
  • Regularly review and audit user access privileges, and remove access promptly when roles change
  • Limit failed login attempts (rate limiting, progressive delays or lockout) to slow brute-force and credential-stuffing attacks
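Added example (not the page's own code): a minimal HS256 JWT issuer and verifier in standard-library Python, to make the token-based authentication bullet concrete. The key, the claim names, the 15-minute default lifetime and the rejection_reason helper are assumptions for the example; a real service would use a maintained library such as PyJWT and keep the key in a secrets store, but the checks it must perform are the ones below, in this order.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALGS = {"HS256"}      # explicit allow-list: "none" and any unexpected algorithm are rejected


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_jwt(claims: dict, key: bytes, ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Issue a short-lived token: header.payload.signature, HMAC-SHA256 over the first two parts."""
    now = int(time.time()) if now is None else now
    header_b64 = b64url_encode(compact_json({"alg": "HS256", "typ": "JWT"}))
    payload_b64 = b64url_encode(compact_json(dict(claims, iat=now, exp=now + ttl_seconds)))
    signature = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Return the claims or raise ValueError. The algorithm check comes before anything is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")          # defeats alg=none and algorithm confusion
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")                  # constant-time compare
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")                  # a token without exp is treated as expired
    return claims


def rejection_reason(token: str, key: bytes, now: int) -> Optional[str]:
    """None when the token verifies, otherwise the verifier's error message."""
    try:
        verify_jwt(token, key, now=now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = b"constructed-example-key-not-for-real-use"
    token = sign_jwt({"sub": "alice", "scope": "read"}, key, ttl_seconds=60, now=1_700_000_000)
    print(rejection_reason(token, key, 1_700_000_030))     # None: signature valid, not yet expired
    print(rejection_reason(token, key, 1_700_000_060))     # token expired
```

Two things the example does not cover and a real deployment must: a revocation path for tokens that have to die before exp (short lifetimes plus a refresh flow are the usual answer), and an audience/issuer check so a token minted for one service is not accepted by another.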

Encryption, hashing, SSL/TLS

Encryption:

The process of converting data into a secure format to prevent unauthorized access.

  • Symmetric encryption: the same key encrypts and decrypts (e.g., AES); fast, but the key has to be shared securely first
  • Asymmetric encryption: a key pair, where anyone can encrypt with the public key and only the holder of the private key can decrypt (e.g., RSA; elliptic-curve schemes are used mostly for key agreement and signatures rather than for encrypting data directly)
  • The two are normally combined: an asymmetric exchange establishes a session key and a symmetric cipher encrypts the bulk data, which is how HTTPS works; the same ciphers protect sensitive data at rest in databases
  • Essential for confidentiality, especially over untrusted networks like the internet; use an authenticated mode such as AES-GCM so that tampering is detected as well

Hashing:

A one-way process of transforming data into a fixed-size value (hash) that represents the original data.

  • Common algorithms: SHA-256 (and the rest of the SHA-2 and SHA-3 families) for integrity; MD5 and SHA-1 are broken for collision resistance and should not be used for anything security-related; bcrypt, scrypt and Argon2 are password-hashing functions, deliberately slow and salted
  • Used for storing passwords: the salt makes identical passwords hash differently and defeats precomputed tables, and the slow function caps how many guesses an attacker can try per second
  • Unlike encryption, a hash cannot be reversed, but a low-entropy input such as a password can still be recovered by guessing, which is why a fast hash like plain SHA-256 is the wrong tool for passwords
  • Used for verifying data integrity (file checksums, and as the value a digital signature actually signs)
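The following is an added example, not from the original page, serving both the password-storage bullets above and the password section under Types of Authentication: the same hashing primitive used correctly for integrity (a fast SHA-256 over file data) and incorrectly for passwords, beside a salted, slow password hash. Argon2 or bcrypt would be the first choice in production but need a third-party package, so this uses PBKDF2-HMAC-SHA256 from the standard library; the 600,000-iteration work factor and the storage format are this example's assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional


# ---- Integrity: a fast hash is the right tool for "has this data changed?" ----
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), expected_hex)


# ---- Passwords: a fast, unsalted hash is the wrong tool ----
def weak_password_hash(password: str) -> str:
    """Plain SHA-256, shown only for contrast: two users with the same password get the same
    hash, and an attacker can test billions of candidates per second against a leaked table."""
    return hashlib.sha256(password.encode()).hexdigest()


PBKDF2_ITERATIONS = 600_000   # assumed work factor for this example; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored together with its parameters so they can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations_text, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_text)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False                                      # malformed record: fail closed
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed demonstration: the weak scheme leaks that two users share a password, the salted one does not.
    print(weak_password_hash("correct horse") == weak_password_hash("correct horse"))   # True
    print(hash_password("correct horse") == hash_password("correct horse"))             # False
```

Keeping the parameters inside the stored string is what lets you raise the work factor later: verify the user with the old parameters on their next login, then re-hash and overwrite.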

SSL/TLS

SSL (Secure Sockets Layer):

The predecessor to TLS (Transport Layer Security), used to encrypt data between a client and a server.

  • All SSL versions, up to and including SSL 3.0, are deprecated (RFC 7568) because of known weaknesses and must be disabled on servers and clients
  • SSL and TLS serve the same purpose, and "SSL certificate" is still the everyday name for what is really a TLS certificate, but only TLS is considered secure

TLS (Transport Layer Security):

A protocol that ensures secure communication between a client and server by encrypting data.

  • TLS 1.2 and 1.3 are the only versions still considered secure; TLS 1.0 and 1.1 were deprecated by RFC 8996
  • TLS provides confidentiality, integrity and server authentication (and client authentication too when mutual TLS is used) using certificates and public-private key pairs
  • TLS protects data during transmission (e.g., HTTPS, mail protocols over STARTTLS or implicit TLS, VPNs)

SSL/TLS Handshake:

The process by which the client and server establish a secure connection.

  • Client and server negotiate the protocol version and cipher suite; the server presents its certificate chain; the client validates the chain against its trusted CAs and checks that the certificate matches the hostname it intended to reach; then a key exchange (ephemeral Diffie-Hellman in TLS 1.3, which gives forward secrecy) derives the session keys
  • Authenticates the server to the client (and the client to the server with mutual TLS) and sets up the symmetric encryption used for the rest of the session

SSL/TLS Certificates:

Digital certificates used to authenticate the identity of the server and enable secure encrypted communication.

  • Issued by Certificate Authorities (CAs) after verifying that the requester controls the domain (or, for higher-assurance certificates, the organisation's identity)
  • Let users trust the website or service they are communicating with, provided the client actually validates the certificate
  • Contain the server's public key, its identity (subject and Subject Alternative Names), a validity period and the issuing CA's signature over all of that; a certificate can also be revoked before it expires, via CRLs or OCSP

Best Practices for Encryption, Hashing, and SSL/TLS

  • Use TLS 1.3 where possible and TLS 1.2 as the minimum; disable TLS 1.0, 1.1 and every SSL version
  • Enable forward secrecy (ECDHE key exchange; mandatory in TLS 1.3) so recorded traffic cannot be decrypted later if the server's private key is compromised
  • Use strong, unique keys, keep private keys out of source control, and rotate keys and certificates regularly
  • Never store passwords as plain text; use salted hashes from a slow password-hashing function
  • Always validate SSL/TLS certificates in clients: chain to a trusted root, hostname match, validity period and, where practical, revocation status; never ship code that turns verification off
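An added example (not from the original page) of those client-side practices expressed as configuration, using Python's standard ssl module: a deliberately weak context of the kind found in legacy code next to a hardened one, and an audit function that flags what a reviewer would flag. The cipher string and the audit wording are this example's own; the ssl calls are the module's real API.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The shape of a lot of legacy client code: no certificate or hostname validation and
    old protocol versions accepted. Present only so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # TLS 1.0: deprecated by RFC 8996
    except (ValueError, ssl.SSLError):
        pass                              # some OpenSSL builds refuse to enable TLS 1.0 at all
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """TLS 1.2 minimum, certificate chain and hostname verified, forward-secret AEAD suites only."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, check_hostname=True, system roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # TLS 1.2 cipher string (assumed for this example): ECDHE key exchange only, AEAD ciphers only.
    # TLS 1.3 suites are all ephemeral-DH and AEAD by design and are not governed by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL")
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise against a client context (empty list = clean)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 allowed")
    return findings


if __name__ == "__main__":
    print(audit_client_context(weak_client_context()))      # lists the problems above
    print(audit_client_context(hardened_client_context()))  # []
```

The hardened context is used as ctx.wrap_socket(sock, server_hostname="example.com"): passing server_hostname is what makes the hostname check possible, and omitting it when check_hostname is True raises an error rather than silently skipping the check. The same audit applied across a code base is a quick way to find the verify_mode = CERT_NONE shortcuts that tend to survive from development into production.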

DDoS protection and throttling

What is DDoS?

  • Distributed Denial of Service (DDoS) attacks overwhelm a server or network by flooding it with massive traffic from multiple sources.
  • The goal is to exhaust resources and make the system unavailable to legitimate users.

Types of DDoS Attacks

  • Volumetric attacks: saturate the bandwidth with sheer volume (UDP floods, DNS/NTP amplification, where small spoofed requests trigger much larger responses aimed at the victim)
  • Protocol attacks: exhaust connection-tracking or server state by abusing the protocol itself (SYN floods that leave half-open connections; malformed packets such as the historical Ping of Death)
  • Application-layer attacks: send requests that are cheap to make but expensive to serve (HTTP floods against search or login pages, slow-read connections that hold sockets open); each request looks legitimate, so these are the hardest to filter

DDoS Protection Techniques

  • Rate limiting: caps the number of requests a user, API key or IP can make in a given period; the application-layer defence that is always within reach
  • IP blocklisting: blocks traffic from known malicious addresses; of limited value against botnets, whose addresses change constantly
  • Geo-blocking: restricts access by region; coarse and easily bypassed with proxies, but useful for services with a known audience
  • Web Application Firewalls (WAF): inspect and filter incoming HTTP requests to block malicious patterns and challenge suspicious clients
  • Traffic scrubbing services: route traffic through a filtering network that drops attack traffic before it reaches the origin (e.g., Cloudflare, Akamai, AWS Shield)
  • Content Delivery Networks (CDNs): serve cacheable content from many edge servers, so the origin never sees most of the load and the edge absorbs traffic spikes
  • Anycast routing: the same IP address is announced from many data centres, so BGP delivers each client (and each attacking bot) to the topologically nearest site; this spreads an attack across the whole network by network proximity, not by server load

What is Throttling?

  • Throttling is the process of controlling the rate at which users can access resources or perform actions.
  • Prevents abuse and ensures fair usage by setting limits on API calls or resource access.

Throttling Strategies

  • Fixed window: a counter per fixed interval (e.g., 100 requests per minute); simplest, but a client can send the full quota at the end of one window and again at the start of the next, so up to twice the limit gets through at the boundary
  • Sliding window: counts requests in the trailing interval ending now, either from a log of timestamps (exact) or by weighting the previous window's count (approximate), which removes the boundary burst
  • Token bucket: tokens are added at a steady rate up to a maximum; each request spends one, so short bursts up to the bucket size are allowed while the long-run rate is capped
  • Leaky bucket: requests queue up to a maximum depth and are released at a constant rate, smoothing bursts rather than admitting them; requests that arrive when the queue is full are rejected
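As an added example that is not part of the original page, the four strategies implemented per client key in Python with an injectable clock, plus a small experiment that shows the fixed-window boundary problem directly: with a limit of 5 per 60 seconds, the fixed window admits 10 requests inside a two-second span straddling the window edge, the sliding-window log admits 5. The class names, the FakeClock helper and the sample limits are this example's own.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Injectable clock so each limiter's behaviour can be shown deterministically."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


class FixedWindow:
    """N requests per fixed interval. Simple, but a client can use N at the end of one
    window and N more at the start of the next: 2N in a couple of seconds."""
    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.counts = {}                        # key -> (window index, count)

    def allow(self, key: str) -> bool:
        bucket = int(self.clock() // self.window)
        w, n = self.counts.get(key, (bucket, 0))
        if w != bucket:
            w, n = bucket, 0                    # new window: the counter resets
        if n < self.limit:
            self.counts[key] = (w, n + 1)
            return True
        self.counts[key] = (w, n)
        return False


class SlidingWindowLog:
    """N requests in any trailing interval. Exact, at the cost of one timestamp per accepted request."""
    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.log = defaultdict(deque)           # key -> timestamps of accepted requests

    def allow(self, key: str) -> bool:
        now, q = self.clock(), self.log[key]
        while q and q[0] <= now - self.window:  # evict everything outside the trailing window
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            return True
        return False


class TokenBucket:
    """Tokens refill at `rate` per second up to `capacity`; a request spends one.
    Permits a burst of up to `capacity`, then settles to the sustained rate."""
    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.state = {}                         # key -> (tokens, last refill time)

    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self.state.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.state[key] = (tokens - 1.0, now)
            return True
        self.state[key] = (tokens, now)
        return False


class LeakyBucket:
    """Requests queue up to `capacity` and leave at a constant `rate` per second,
    so bursts are smoothed rather than admitted; arrivals to a full queue are rejected."""
    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.queues = defaultdict(deque)
        self.last_leak = {}

    def drain(self, key: str) -> list:
        """Release whatever the constant-rate outlet has let through since the last call."""
        now, q = self.clock(), self.queues[key]
        last = self.last_leak.setdefault(key, now)
        n = int((now - last) * self.rate)
        released = [q.popleft() for _ in range(min(n, len(q)))]
        if n > 0:
            self.last_leak[key] = now
        return released

    def submit(self, key: str, request) -> bool:
        self.drain(key)
        if len(self.queues[key]) < self.capacity:
            self.queues[key].append(request)
            return True
        return False


def boundary_burst(limiter_cls, limit: int = 5, window: float = 60.0) -> int:
    """How many requests one client gets through in the two seconds straddling a window edge."""
    clock = FakeClock(59.0)
    limiter = limiter_cls(limit, window, clock=clock)
    accepted = sum(limiter.allow("client-a") for _ in range(2 * limit))
    clock.t = 61.0
    accepted += sum(limiter.allow("client-a") for _ in range(2 * limit))
    return accepted


if __name__ == "__main__":
    print(boundary_burst(FixedWindow), boundary_burst(SlidingWindowLog))   # 10 5
```

Two practical points the code leaves to the caller: a rejected request should get HTTP 429 with a Retry-After header so well-behaved clients back off, and the key should identify the party you actually want to constrain (API key or authenticated user rather than source IP where many clients sit behind one NAT address). The per-key dictionaries here live in one process; across several servers the same state goes in a shared store such as Redis.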

Benefits of DDoS Protection and Throttling

  • Maintains service availability during traffic spikes or attacks.
  • Improves performance by preventing resource exhaustion.
  • Enhances security by blocking malicious or excessive requests.
  • Ensures fair usage across users and prevents abuse of services.
