I am trying to rework a small online portal that has a few inherent security flaws. Most notably, due to the network architecture and load balancers, the application isn’t able to access the requesting IP address. Normally I would insist there be restrictions on the number of requests from each unique address, but given the insane ranges some have access to, this might not be the end-all best solution.
I could limit the number of open connections per address at the balancer but it still leaves me open to brute force.
Obviously I am hesitant to lock accounts out after n attempts due to the inconvenience this would cause any legitimate user, but it’s seeming like one of very few ways to implement this.
I briefly had the thought of assigning a unique id to each user and bouncing them to an HTTP connection briefly to catch the X-Forwarded-For header, then skipping them back over to HTTPS, but it seems as though it may be a poor choice, and MITM could intercept this easily to hijack the session. How on earth does an IT guy deal with this limitation?
Additional: it seems the load balancers in use will allow you to throttle back the number of connections per second. This will help but could still result in dubious amounts of invalid requests coming in over a period of time. However, it seems time is now a factor we can use.
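Since the application cannot key limits on the source address, one defensive option is to key them on the account being attempted and let time do the work. The block below is an added example, not code from the post or from any product mentioned in it: a per-account sliding-window throttle that, after a small free allowance, imposes an escalating wait instead of a hard lockout, so a legitimate user who fumbles a password is slowed for seconds while a sustained guessing run is slowed to the cap. The account identifier used as the key, the window and the delay constants are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed example: throttle failed logins per account identifier (e.g.
# the username) because the client IP is not visible to the application.
# Failures are counted in a sliding window; the first few are free, after
# that each further failure doubles the required wait, capped so that a
# flood of bad attempts never locks the account out permanently.

WINDOW_SECONDS = 15 * 60   # how long a failure counts against an account (assumed)
FREE_ATTEMPTS = 3          # failures allowed before any delay is imposed (assumed)
BASE_DELAY = 2.0           # seconds of delay after the first excess failure (assumed)
MAX_DELAY = 5 * 60.0       # upper bound on the imposed delay (assumed)


class LoginThrottle:
    def __init__(self):
        # account id -> timestamps of recent failures (oldest first)
        self._failures = defaultdict(deque)
        # account id -> earliest time another attempt is allowed
        self._not_before = {}

    def _prune(self, account, now):
        """Drop failures that have aged out of the window; return the live deque."""
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def retry_after(self, account, now=None):
        """Seconds the caller must wait before attempting this account (0.0 if allowed)."""
        now = time.time() if now is None else now
        self._prune(account, now)
        return max(0.0, self._not_before.get(account, 0.0) - now)

    def record_failure(self, account, now=None):
        """Register a failed login and return the delay now imposed on this account."""
        now = time.time() if now is None else now
        q = self._prune(account, now)
        q.append(now)
        excess = len(q) - FREE_ATTEMPTS
        if excess <= 0:
            delay = 0.0
        else:
            delay = min(MAX_DELAY, BASE_DELAY * 2 ** (excess - 1))
        self._not_before[account] = now + delay
        return delay

    def record_success(self, account):
        """A successful login clears the account's failure history."""
        self._failures.pop(account, None)
        self._not_before.pop(account, None)


def attempt_login(throttle, account, password_ok, now):
    """Gate one login attempt through the throttle.

    Returns (accepted, retry_after_seconds). A throttled attempt is rejected
    before the password is even evaluated, so guesses made during the wait
    are not counted against the account and yield no information.
    """
    wait = throttle.retry_after(account, now)
    if wait > 0:
        return False, wait
    if password_ok:
        throttle.record_success(account)
        return True, 0.0
    return False, throttle.record_failure(account, now)


if __name__ == "__main__":
    t = LoginThrottle()
    for i in range(6):
        print("attempt", i + 1, attempt_login(t, "alice", False, float(i)))
```

In a real deployment the failure store would live in something shared across the application nodes behind the balancer (a cache or database) rather than in process memory, and the `retry_after` value would be surfaced to the client as a generic "try again later" response so the page reveals nothing about whether the account exists.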