Dmitry, 2014-04-13 17:54:37

How to protect sms mailing from bruteforce?

Greetings.
The site has a registration page with a mobile number input field. It is important for the project that the specified number be real and working, so it was decided to add verification using a code sent by SMS.
Problem:
SMS messages cost money, and I really don't want someone unscrupulous to exploit this to drain the project's budget. The main difficulty is how to protect yourself from a targeted attack by IT-savvy people?
It is clear that strong protection under these conditions is almost impossible to implement, since the trigger is not a service, but a request from the client. In this case, you can only get by with restrictions built on elaborate schemes. But maybe there is some other option. Still, such a check is popular on a number of services.
Options were considered:
1. Limiting the number of messages per number is not effective enough: requests can be sent to different numbers, even taking into account that filling in the registration form takes a while. This process can be automated.
2. Limiting the number of messages per IP address is also not effective: not only can dozens of clients sit behind the same IP subnet (I could be wrong), but nobody has cancelled anonymizers either.
3. Limiting the number of messages per day/hour - ordinary users may suffer and the service will not get customers.
In a word, the question boils down to this:
Is there any scheme (albeit complex) that allows isolating unwanted requests from the general flow with a probability of > 90% and that triggers after several dozen requests?


1 answer(s)
Sergey, 2014-04-13
@seriyPS

Limit on the number of requests from one IP + captcha.
The first will protect against simple cases, the second against cases where an attacker uses a proxy.
You can make it more sophisticated - activate the captcha if the flow of SMS requests across the whole system has increased. For example, the average flow is normally 10 requests per minute, and then it jumps to 100 - we turn on the captcha for everyone.
Well, captcha is not 100% secure - on antigate.com they are solved for $1 per 1000 captchas. But the mere need to work with anti-gate significantly complicates the bot.
PS: I have not tried to build protection myself, but I often write bots.
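The layered scheme from the answer above (a per-IP request limit, plus a captcha that switches on for everyone once system-wide flow spikes well above the usual 10 per minute), written out as an added example; it is not code from the thread, and it also folds in the per-number limit from the question's option 1. All thresholds, window sizes and the IP/phone values are assumptions.

```python
from collections import defaultdict, deque

# Constructed example; every threshold below is an assumption, not a recommendation.
PER_IP_LIMIT, PER_IP_WINDOW = 3, 600            # 3 SMS requests per IP per 10 minutes
PER_NUMBER_LIMIT, PER_NUMBER_WINDOW = 2, 3600   # 2 codes per phone number per hour
BASELINE_PER_MIN = 10                           # normal system-wide flow (the answer's "10 per minute")
SPIKE_FACTOR = 5                                # captcha for everyone once flow exceeds 5x baseline
GLOBAL_WINDOW = 60                              # seconds over which system-wide flow is measured


class SmsGuard:
    """Decides whether an SMS-code request is sent, challenged with a captcha, or denied."""

    def __init__(self):
        self.by_ip = defaultdict(deque)       # ip -> timestamps of SMS actually sent
        self.by_number = defaultdict(deque)   # phone -> timestamps of SMS actually sent
        self.global_log = deque()             # timestamps of all SMS sent, system-wide

    @staticmethod
    def _prune(q, now, window):
        # Drop timestamps that fell out of the sliding window.
        while q and q[0] <= now - window:
            q.popleft()

    def captcha_required(self, now):
        # System-wide anomaly trigger: flow in the last minute far above the baseline.
        self._prune(self.global_log, now, GLOBAL_WINDOW)
        return len(self.global_log) > BASELINE_PER_MIN * SPIKE_FACTOR

    def request_code(self, ip, number, now, captcha_solved=False):
        """Return 'send', 'captcha' or 'deny'. `now` is injected for testability."""
        ip_q, num_q = self.by_ip[ip], self.by_number[number]
        self._prune(ip_q, now, PER_IP_WINDOW)
        self._prune(num_q, now, PER_NUMBER_WINDOW)
        if len(ip_q) >= PER_IP_LIMIT or len(num_q) >= PER_NUMBER_LIMIT:
            return "deny"           # hard per-IP / per-number limits: spend no SMS
        if self.captcha_required(now) and not captcha_solved:
            return "captcha"        # spike in progress: challenge before spending an SMS
        ip_q.append(now)
        num_q.append(now)
        self.global_log.append(now)
        return "send"


if __name__ == "__main__":
    g = SmsGuard()
    for t in range(4):  # constructed: one IP asking for codes to four different numbers
        print(t, g.request_code("203.0.113.7", f"+7000000000{t}", now=t))
```

Only sends are counted, so once the captcha switches on, unsolved requests no longer inflate the flow and the trigger clears by itself when the window rolls over.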
