How to deal with an attack on registration-form?

Question on registration process

I was thinking about email verification, and was playing with some app. What if

-) an attacker writes a script that registers millions of accounts with different random email addresses (all existing people's emails)? Then when those people register, it will prompt that the email already exists in the DB?

-) Or even simpler, what if a user registers with someone else's email address? The registration Ajax triggers the creation of a user id and info in the user table in the DB, but the verification is not done.

But then, when the "real" user with that email registers, the email is already taken...? As there cannot be 2 of the same email address in the DB at the same time (as the script won't be able to distinguish between the users...).

John asked Feb 10 '23 03:02


1 Answer

First, you should try to detect if the same IP sends you multiple registration requests during a short period of time and blacklist it (at least for a while).

Second, even when the verification email is sent, you can do many things to avoid the "duplicate registration" problem; here are a few examples:

  1. Run a cleanup job once a day, deleting all the entries of users that didn't verify their account (via the email) for more than 24 hours.
  2. Do not create the user account until the user has verified his/her registration (you can create an entry in another table, UNVERIFIED_USERS for instance). By doing this, you make sure to reduce latencies for existing users when such an attack occurs, since the USERS table will not be modified.
  3. If a user tries to register and he/she already "has an account", you should allow the user to reset the password by sending another verification email with a link to do it.
  4. You can use solutions like captcha in the registration form to prevent such attacks. Today there are smart bots that can bypass captcha, so you can also look for captcha alternatives.
Nir Alfasi answered Feb 20 '23 01:02
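The flow the answer describes, put together as one added Python example (not code from the question or the answer): per-IP rate limiting with a temporary block, a separate UNVERIFIED_USERS table so the real USERS table is only written after verification, a daily-style cleanup of entries older than 24 hours, and a reset link instead of an error when the email already belongs to a verified account. The in-memory SQLite schema, the injectable clock and the `outbox` list standing in for the mail sender are all assumptions made for the example. Because a repeat registration for a pending email simply rotates the token, a squatter who registered someone else's address cannot stop the real owner from claiming it later.

```python
import hashlib
import secrets
import sqlite3
import time
from collections import defaultdict, deque

RATE_WINDOW = 60.0        # seconds over which registrations per IP are counted
RATE_LIMIT = 5            # registrations allowed per IP per window
BLOCK_SECONDS = 15 * 60   # how long an IP is blacklisted after exceeding the limit
PENDING_TTL = 24 * 3600   # unverified entries older than this are purged


class RegistrationService:
    """Assumed minimal registration backend; schema and clock are example choices."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock so the flow can be tested
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE users (email TEXT PRIMARY KEY, created_at REAL NOT NULL);
            CREATE TABLE unverified_users (
                email TEXT PRIMARY KEY,
                token_hash TEXT NOT NULL,   -- only the hash is stored; the token is mailed
                created_at REAL NOT NULL
            );
        """)
        self._hits = defaultdict(deque)     # ip -> timestamps of recent registrations
        self._blocked = {}                  # ip -> time until which it is blacklisted
        self.outbox = []                    # (email, token or "reset") that would be mailed

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _rate_limited(self, ip):
        t = self.now()
        if self._blocked.get(ip, 0) > t:
            return True
        q = self._hits[ip]
        while q and t - q[0] > RATE_WINDOW:     # drop hits outside the sliding window
            q.popleft()
        if len(q) >= RATE_LIMIT:
            self._blocked[ip] = t + BLOCK_SECONDS
            return True
        q.append(t)
        return False

    def register(self, ip, email):
        if self._rate_limited(ip):
            return "rate_limited"
        email = email.strip().lower()
        if self.db.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone():
            # Verified account exists: mail a reset link, same response as a fresh signup.
            self.outbox.append((email, "reset"))
            return "email_sent"
        token = secrets.token_urlsafe(32)
        # A repeat registration for a pending email replaces the old token, so only
        # whoever controls the mailbox ever holds a valid one.
        self.db.execute(
            "INSERT OR REPLACE INTO unverified_users VALUES (?, ?, ?)",
            (email, self._hash(token), self.now()),
        )
        self.outbox.append((email, token))
        return "email_sent"

    def verify(self, email, token):
        email = email.strip().lower()
        row = self.db.execute(
            "SELECT token_hash, created_at FROM unverified_users WHERE email = ?", (email,)
        ).fetchone()
        if row is None:
            return False
        token_hash, created_at = row
        if self.now() - created_at > PENDING_TTL:
            return False
        if not secrets.compare_digest(token_hash, self._hash(token)):
            return False
        # Only now does the USERS table get written.
        self.db.execute("INSERT INTO users VALUES (?, ?)", (email, self.now()))
        self.db.execute("DELETE FROM unverified_users WHERE email = ?", (email,))
        return True

    def cleanup(self):
        """The daily job from the answer: purge pending entries older than 24 hours."""
        cur = self.db.execute(
            "DELETE FROM unverified_users WHERE created_at < ?", (self.now() - PENDING_TTL,)
        )
        return cur.rowcount
```

Returning the same "email_sent" result whether the address is new, pending or already verified keeps the form from confirming which emails are registered, which is the information the mass-registration script in the question would otherwise harvest.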