How the AWS Cognito User Pool defends against brute-force attacks

Views: 165
This article presents how the AWS Cognito User Pool defends against brute-force attacks. It should be of some reference value to anyone dealing with the same problem; read on to learn more.

Question

I am going to use the AWS Cognito User Pool product as the user directory for an application and have several questions:

  1. Does Amazon throttle requests to the Cognito User Pool, and if yes, what is the rate limit of calls before they get throttled?
  2. How does Cognito defend against brute-force attacks on login/password?

Solution

After a couple of hours of searching I found these two exceptions in the source code:

TooManyFailedAttemptsException: This exception gets thrown when the user has made too many failed attempts for a given action (e.g., sign in).

HTTP Status Code: 400

TooManyRequestsException: This exception gets thrown when the user has made too many requests for a given operation.

HTTP Status Code: 400

Also, I tried to log in with wrong credentials to test the limits; I got NotAuthorizedException: Password attempts exceeded after the 5th attempt.

In a similar scenario, I tried to brute-force forgot password, but after 10 failed attempts I got LimitExceededException: Attempt limit exceeded, please try after some time.

I think that is how they do it.
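The exceptions the answer lists all arrive at a client as a code plus a message, and the lockout the answer observed reuses the generic NotAuthorizedException code, so a client has to look at the message to tell "wrong password" from "locked out". The following added example (not from the original post or from AWS) maps those responses to a client-side action and retries only the throttling cases with capped exponential backoff; it assumes a boto3-style error shape (code and message strings as found in ClientError.response['Error']), the ordinary bad-credential message "Incorrect username or password." is an assumption, and the replayed responses are constructed sample data.

```python
"""Classify Cognito user-pool error responses and retry only throttling.

Added example, not code from the original post. The error codes and the
"Password attempts exceeded" / "Attempt limit exceeded" messages come from
the answer above; "Incorrect username or password." is an assumption.
"""
import time
from dataclasses import dataclass

LOCKOUT_MARKER = "Password attempts exceeded"      # quoted in the answer
THROTTLE_CODES = ("TooManyRequestsException",
                  "TooManyFailedAttemptsException",
                  "LimitExceededException")


@dataclass(frozen=True)
class Decision:
    action: str           # "ok", "fail", "locked_out", "wait" or "unknown"
    delay_seconds: int    # how long the caller should pause before retrying


def classify_cognito_error(code: str, message: str, attempt: int) -> Decision:
    """Decide what a client should do after a Cognito error on attempt N (1-based)."""
    backoff = min(2 ** attempt, 60)   # exponential backoff, capped at 60 s
    if code == "NotAuthorizedException":
        # Same code for a bad password and for the lockout seen after five
        # failures: only the message distinguishes them, so never retry blindly.
        return Decision("locked_out" if LOCKOUT_MARKER in message else "fail", backoff)
    if code in THROTTLE_CODES:
        return Decision("wait", backoff)   # service-side limit: back off, then retry
    return Decision("unknown", 0)


class CognitoError(Exception):
    """Stand-in for botocore ClientError carrying Error.Code and Error.Message."""
    def __init__(self, code: str, message: str):
        super().__init__(f"{code}: {message}")
        self.code, self.message = code, message


def authenticate(call, max_attempts: int = 5, sleep=time.sleep) -> str:
    """Run call() (e.g. a boto3 initiate_auth wrapper) and retry only on throttling."""
    for attempt in range(1, max_attempts + 1):
        try:
            call()
            return "ok"
        except CognitoError as exc:
            decision = classify_cognito_error(exc.code, exc.message, attempt)
            if decision.action != "wait":
                return decision.action     # stop on bad password or lockout
            sleep(decision.delay_seconds)
    return "wait"


def replay(responses):
    """Build a call() that replays constructed responses: None = success, tuple = error."""
    pending = iter(responses)
    def call():
        response = next(pending)
        if response is not None:
            raise CognitoError(*response)
    return call
```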
