I am considering OpenID as a login method for my PHP application, but there is one thing that prevents me from continuing: how can I protect an OpenID consumer against abuse?
An example of abusing OpenID by using a consumer as proxy
Abuse includes flooding other servers with requests, using my application as a proxy, passing a large download as URL or unnecessarily slowing down the server by doing a lot of requests.
I guess I should implement rate-limiting on doing requests, but how am I supposed to do that? Possible attackers could use other proxies or TOR for bypassing IP checks. Limiting the providers which are allowed would be against the principles of OpenID, right?
I do not expect my users to be evil, but I'd like to know which things I need to take into account before adding another possible attack vector.
Should it matter, I'm about to use lightopenid as back-end for the PHP application.
You need to separate the attacks into two pools: 1) attacks against your own site, and 2) attacks against someone else using you as a proxy. Neither of these issues is new or unique to OpenID. For example, the classic "tell a friend" email forms could be automated to send out email spam from the proxy party's IP address and email, shielding the spamming party from consequences and providing them with a (potentially) clean IP/email that isn't already flagged by spam protection. This was primarily addressed with the "CAPTCHA" to prevent automated use of the form.
For attacks against your own site, this has all been covered countless times before. Try here: protect yourself against DOS attacks
For attacks against someone else's site, many of the same principles apply as mentioned in that other question. Throttle authentication requests, reject unreasonable or malformed requests, verify the Content-Length header against the actual content on POST back, and of course you can always add the classic "CAPTCHA" to help prevent automated attacks using your OpenID consumer.
Also, contrary to other suggestions here, I wouldn't throttle based on the OpenID TLD, but rather on the requesting party's IP address. Yes, people can rent proxy IPs, but you can't fairly throttle based on the TLD as the userbase for each OpenID provider will vary widely. You can also purchase a database of known proxy IPs from a company like MaxMind. If the user is coming from a proxy IP, increase the aggressiveness of your throttling.
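The answer's three consumer-side mitigations (per-IP throttling that tightens for proxy addresses, rejecting malformed identifiers, and not letting the discovery fetch become a large download) put together as an added example. This is illustrative code, not part of the question, the answer, or lightopenid. It assumes an in-memory counter store (a real deployment would use APCu or Redis so the count survives across requests), treats the limit values as placeholders, and takes the proxy flag from an external lookup such as a MaxMind-style database.

```php
<?php
// Added example: guarding the discovery fetch an OpenID consumer performs
// when a user submits an identifier. Not from the page or lightopenid.

const WINDOW_SECONDS  = 60;        // placeholder values, tune per deployment
const LIMIT_NORMAL    = 10;        // discovery attempts per IP per window
const LIMIT_PROXY     = 3;         // stricter limit for IPs flagged as proxies
const MAX_FETCH_BYTES = 64 * 1024; // discovery documents are small
const FETCH_TIMEOUT   = 5;         // seconds for connect and total transfer

/** Fixed-window counter keyed by client IP; store is injected for testability. */
final class DiscoveryThrottle
{
    private array $counts = [];   // "ip:window" => attempts (assumed in-memory store)

    public function allow(string $clientIp, bool $isProxy, ?int $now = null): bool
    {
        $now   = $now ?? time();
        $limit = $isProxy ? LIMIT_PROXY : LIMIT_NORMAL;
        $key   = $clientIp . ':' . intdiv($now, WINDOW_SECONDS);
        $this->counts[$key] = ($this->counts[$key] ?? 0) + 1;
        return $this->counts[$key] <= $limit;
    }
}

/**
 * Reject identifiers the consumer should never fetch: non-HTTP schemes and
 * hosts that resolve to loopback/private/reserved ranges, so the consumer
 * cannot be pointed at internal services. Returns null when rejected.
 */
function validateIdentifier(string $identifier): ?string
{
    $parts = parse_url($identifier);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? 'http');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // gethostbyname() returns the input unchanged on failure, which then
    // fails IP validation below.
    $ip = gethostbyname($parts['host']);
    $ok = filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    return $ok === false ? null : $identifier;
}

/**
 * Fetch with hard caps on time and size. CURLOPT_MAXFILESIZE only helps when
 * the server sends Content-Length, so the progress callback aborts once the
 * byte count actually received exceeds the cap.
 */
function boundedFetch(string $url): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER   => true,
        CURLOPT_FOLLOWLOCATION   => false, // re-validate any redirect target yourself
        CURLOPT_PROTOCOLS        => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT   => FETCH_TIMEOUT,
        CURLOPT_TIMEOUT          => FETCH_TIMEOUT,
        CURLOPT_MAXFILESIZE      => MAX_FETCH_BYTES,
        CURLOPT_NOPROGRESS       => false,
        CURLOPT_PROGRESSFUNCTION => function ($ch, $dlTotal, $dlNow) {
            return $dlNow > MAX_FETCH_BYTES ? 1 : 0; // non-zero aborts transfer
        },
    ]);
    $body = curl_exec($ch);
    $err  = curl_errno($ch);
    curl_close($ch);
    return ($err === 0 && is_string($body)) ? $body : null;
}

// Usage sketch for a login handler (constructed values):
$throttle = new DiscoveryThrottle();
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.7';
$isProxy  = false; // would come from a proxy-IP database lookup
if (!$throttle->allow($clientIp, $isProxy)) {
    http_response_code(429);
    exit('Too many login attempts, try again later.');
}
$identifier = validateIdentifier($_POST['openid_identifier'] ?? '');
if ($identifier === null) {
    http_response_code(400);
    exit('Unsupported or disallowed identifier.');
}
$doc = boundedFetch($identifier); // null means timeout, oversize, or error
```

One caveat worth knowing: validating the resolved address and then letting curl resolve the name again leaves a window for the DNS answer to change between the two lookups. Pinning the checked address for the fetch (for example with CURLOPT_RESOLVE) closes that gap; the snippet above keeps the two steps separate for readability.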