Simple and lightweight brute-force protection for .NET 8. This library protects selected controller actions by making them inefficient to brute-force. It adds a delay, in milliseconds, to a request when a local cache entry on the server exists for the same request, request name, and method, and the hit count reaches a defined limit (referred to here as "green requests") within a specified amount of time.
NoBrute requires at least one IMemoryCache or IDistributedCache to be registered in your application. (For obvious reasons, storing the information in the session won't work because bots will never send cookies along with their requests.)
External Libraries
This library uses the following library to achieve its functionality:
Using the NuGet package manager:

```
Install-Package NoBrute
```

Using the .NET CLI:

```
dotnet add package NoBrute
```

Enable it in your application:
```csharp
// Startup.cs
public void ConfigureServices(IServiceCollection services)
{
    // Use Memory Cache:
    services.AddMemoryCache();

    // Or a distributed cache (NoBrute will prefer this if both are registered)
    services.AddStackExchangeRedisCache(x =>
    {
        x.Configuration = "... ";
    }); // In this case, we used Redis as an example

    // Register NoBrute after at least one cache has been registered
    services.AddNoBrute();
}
```

No configuration is required to use NoBrute. Here is a JSON example for your appsettings.json to configure NoBrute and the default values used if the entry does not exist in your configuration:
```json
{
  "NoBrute": {
    "Enabled": true,
    "GreenRetries": 10,
    "IncreaseRequestTime": 20,
    "TimeUntilReset": 2,
    "TimeUntilResetUnit": "H",
    "StatusCodesForAutoProcess": [
      200
    ]
  }
}
```

| Configuration Entry Name | Description | Default Value | Type |
|---|---|---|---|
| Enabled | If true, the NoBrute service is enabled | true | Boolean |
| GreenRetries | If this count of the same requests is reached, NoBrute will start appending request time by setting the thread to sleep for n ms | 10 | Integer |
| IncreaseRequestTime | For each request that exceeds the GreenRetries entry number, NoBrute will append n ms to the request | 20 | Integer |
| TimeUntilReset | This, in combination with TimeUntilResetUnit, declares the time when the saved request count for a user will be cleared so the user gets normal request times again | 2 | Integer |
| TimeUntilResetUnit | This is the unit of time used for the value of TimeUntilReset. Possible values: Years = 'y', Days = 'd', Months = 'M', Hours = 'H', Minutes = 'i', Seconds = 's', Milliseconds = 'n' | H (Hours) | String |
| StatusCodesForAutoProcess | This is for auto-processing requests. (More details in the "Usage" section below.) You can declare here which status codes of an IHttpAction will remove saved requests automatically | [200] | Integer[] |
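
To see what these settings cost a client that keeps hitting one action, the following C# model of the policy is an added example, not NoBrute's own code. `DelayPolicyModel`, its key format and the sample IP are hypothetical; it assumes each hit past GreenRetries adds another IncreaseRequestTime milliseconds and that the reset window starts at the first hit.

```csharp
// Added illustration: a stand-alone model of the documented policy, not NoBrute's code.
using System;
using System.Collections.Generic;

public sealed class DelayPolicyModel
{
    // Documented defaults: GreenRetries 10, IncreaseRequestTime 20, TimeUntilReset 2 H.
    public int GreenRetries { get; init; } = 10;
    public int IncreaseRequestTimeMs { get; init; } = 20;
    public TimeSpan TimeUntilReset { get; init; } = TimeSpan.FromHours(2);

    private readonly Dictionary<string, (int Hits, DateTime FirstSeen)> _entries = new();

    // Hypothetical key: the page only says client, request name and method are matched.
    private static string Key(string ip, string name, string method) => $"{ip}|{name}|{method}";

    // Counts one hit and returns the delay in ms to apply to it.
    // ASSUMPTION: each hit past GreenRetries adds another IncreaseRequestTimeMs.
    public int RegisterHit(string ip, string name, string method, DateTime now)
    {
        string key = Key(ip, name, method);
        if (!_entries.TryGetValue(key, out var entry) || now - entry.FirstSeen >= TimeUntilReset)
            entry = (0, now); // no entry yet, or the reset window has passed
        entry.Hits++;
        _entries[key] = entry;
        return Math.Max(0, entry.Hits - GreenRetries) * IncreaseRequestTimeMs;
    }

    // Models autoProcess: a configured status code (default 200) clears the saved hits.
    public void Release(string ip, string name, string method) => _entries.Remove(Key(ip, name, method));
}

public static class Program
{
    public static void Main()
    {
        var model = new DelayPolicyModel();
        var t0 = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed clock
        long total = 0;
        for (int i = 1; i <= 1000; i++) // 1000 hits on one action from one constructed client
        {
            int delay = model.RegisterHit("203.0.113.7", "Login", "POST", t0);
            total += delay;
            if (i is 10 or 11 or 100 or 1000)
                Console.WriteLine($"hit {i,4}: delay {delay,5} ms, cumulative {total,8} ms");
        }
        int afterWindow = model.RegisterHit("203.0.113.7", "Login", "POST", t0.AddHours(2));
        Console.WriteLine($"first hit after the reset window: {afterWindow} ms");
        model.Release("203.0.113.7", "Login", "POST"); // e.g. a successful login
    }
}
```

Under these assumptions the first GreenRetries hits cost nothing and the cumulative delay then grows quadratically with the number of hits, so GreenRetries and IncreaseRequestTime are the two values to tune against your expected legitimate retry rate.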
To protect an action, you can use the NoBruteAttribute.
This is the simple way.
| Name | Description |
|---|---|
| string requestName | Assigns a fixed name to the incoming request for better identification. If null, empty, or not given, NoBrute will use the RequestPath as the name. |
| bool autoProcess | Indicates that the requests should be released/cleared when the configured (see above) HTTP status code is returned by the action. (Default: false) |
Generated Name

```csharp
[NoBrute]
public IHttpActionResult Login() {
    ...
}
```

Generated Name with Auto Release

```csharp
[NoBrute(true)]
public IHttpActionResult Login() {
    ...
}
```

Fixed Name

```csharp
[NoBrute("MyFixedName")]
public IHttpActionResult Login() {
    ...
}
```

Fixed Name with Auto Release

```csharp
[NoBrute("MyFixedName", true)]
public IHttpActionResult Login() {
    ...
}
```

If you have a more complex design to decide when a request should be checked or not, you can also use the service.
Inject Service

```csharp
private readonly INoBrute nobrute;

public MyController(INoBrute nobrute) {
    this.nobrute = nobrute;
}
```

Use it in the Method:

```csharp
public IHttpActionResult MyAction() {
    if (1 > 0) // or some if-else logic
    {
        NoBruteRequestCheck check = this.nobrute.CheckRequest("MyActionRequestName");
        // Some more logic
    }
}
```

The CheckRequest method will return an object of type NoBruteRequestCheck.
It will contain the flag IsGreenRequest and how much time to append to the request.
Additionally, some user information like IP will be returned.
However, you have to call Thread.Sleep yourself here. The service only checks and releases requests for you; it never delays the request itself the way the action attribute does.
See more at /src/Domain/INoBrute.cs and /src/Models/NoBruteRequestCheck.cs in the GitHub repository.
If you have any ideas to improve my projects, feel free to send a pull request.
If you like my work and want to support me (or want to buy me a coffee/beer), PayPal donations are more than appreciated.