Firebase - Anti Brute Force / Anti Automation


Ouah wZXQrHAD

Aug 9, 2018, 12:47:57 AM8/9/18
to Firebase Google Group

How does Firebase:

  1. Detect and prevent brute-force attacks?

  2. Detect and prevent automation attacks, whereby an attacker uses automated tools to submit, thousands of times, forms that send emails, write to Firestore, or spam features like chats and forums?

As developers, what controls can we put in place to reduce the risks of such attacks, and how are those controls meant to be implemented?


Thank you in advance.


Sincerely, -A

Arifullah Jan

Aug 9, 2018, 10:51:10 AM8/9/18
to Firebase Google Group
Ohh... Your post helped me think about my case.
I have to send an email whenever a user is prescribed.

So I will check the time difference since his last prescription in the security rules. That lets me use the 'now' function.

I am not an expert. There might be a better way!

Kiana McNellis

Aug 9, 2018, 6:39:15 PM8/9/18
to fireba...@googlegroups.com
1. Detect and prevent brute-force attacks?
Firebase lives behind the Google Frontends. It's protected against brute-force/DDoS attacks the same way that Google.com protects itself. In addition, since Authentication is the gateway to many of our backend services and security rules, many of our quotas are protected by per-IP limits to give an extra layer of protection against a localized attack.

2. Detect and prevent automation attacks, whereby an attacker uses automated tools to submit, thousands of times, forms that send emails, write to Firestore, or spam features like chats and forums?
Emails have an absolute limit per day that cuts off large attacks, as well as some behind-the-scenes spam detection to spot malicious users.
Firestore, on the other hand (and any chat or forum features that you build on top of it), is protected by you. You should ensure that your rules are set up to only allow authenticated and verified users to write to your database, and ensure the writing user's account is tied to any public messaging boards. Then you would set up monitoring systems, just like any other application should have, to ensure that a single user isn't abusing the system. If they are, you can revoke their auth or create a blacklist to kick them off your app. You could also set limits on the number or size of entries in a specific part of your database.
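The two answers above (Arifullah's idea of checking the time since a user's last write inside the security rules, and Kiana's advice to require verified accounts, tie messages to the writing user, and cap entry size) can be expressed in one Firestore Security Rules file. The ruleset below is an added example written for this thread, not code from either poster or from Firebase. It assumes a `messages` collection for a chat/forum and a per-user document at `users/{uid}` with two fields: `lastPost` (a server timestamp the client must update in the same batched write as the message) and `banned` (a flag only the Admin SDK sets, which bypasses rules). The 10-second interval and 500-character cap are illustrative values.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Only signed-in accounts whose email address has been verified may write.
    function signedInAndVerified() {
      return request.auth != null
          && request.auth.token.email_verified == true;
    }

    // Assumed layout: one document per account at users/{uid}.
    function userPath() {
      return /databases/$(database)/documents/users/$(request.auth.uid);
    }

    // State of the user doc before and after this request's batched write.
    function userBefore() { return get(userPath()); }
    function userAfter()  { return getAfter(userPath()); }

    // Blacklist: an admin-set `banned` flag kicks the account off the board.
    // A user with no profile document yet is treated as not banned.
    function notBanned() {
      return !exists(userPath())
          || userBefore().data.get('banned', false) == false;
    }

    // Rate limit: the client must write users/{uid}.lastPost = server time in
    // the same batch as the message, and the previous lastPost (if any) must
    // be at least 10 seconds old. Illustrative interval, not a Firebase default.
    function rateLimited() {
      return userAfter().data.lastPost == request.time
          && (!exists(userPath())
              || !('lastPost' in userBefore().data)
              || userBefore().data.lastPost + duration.value(10, 's') <= request.time);
    }

    // Tie the message to the writing account and cap its size.
    function validMessage() {
      let d = request.resource.data;
      return d.keys().hasOnly(['author', 'text', 'createdAt'])
          && d.author == request.auth.uid
          && d.text is string
          && d.text.size() > 0
          && d.text.size() <= 500
          && d.createdAt == request.time;
    }

    match /messages/{messageId} {
      allow read: if signedInAndVerified();
      allow create: if signedInAndVerified()
                    && notBanned()
                    && rateLimited()
                    && validMessage();
      // Messages are immutable from the client; moderation uses the Admin SDK.
      allow update, delete: if false;
    }

    match /users/{uid} {
      allow read: if request.auth != null && request.auth.uid == uid;
      // A user may only create or touch their own lastPost, and only with the
      // server time, so `banned` cannot be cleared from the client.
      allow create: if request.auth != null && request.auth.uid == uid
                    && request.resource.data.keys().hasOnly(['lastPost'])
                    && request.resource.data.lastPost == request.time;
      allow update: if request.auth != null && request.auth.uid == uid
                    && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['lastPost'])
                    && request.resource.data.lastPost == request.time;
    }
  }
}
```

The client has to issue the message and the `lastPost` update as one batched write with `serverTimestamp()` for both `createdAt` and `lastPost`; a message written on its own fails the `getAfter` check, and a client-supplied timestamp fails the `== request.time` comparison. The `get`/`getAfter` calls count against the per-request document-access limit, so keep them to the single user document as shown. Exercise the rules against the Firebase emulator with both a fresh account and a `banned: true` account before deploying.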

