App Suite Security

Denial of Service (DoS)

BSI IT-Grundschutz 2023 sections covered by this page
  • CON.10
  • APP.3.1

DoS attacks are attacks that attempt to cause a system to fail or become unusable, hence denying service to legitimate users. DoS attacks can take various forms, ranging from brute-force attacks which send excessive traffic to the service, to more sophisticated attacks that craft requests designed to cause the service to slowdown, for example by exploiting a bug or unintended functionality.

OX App Suite implements protection against DoS attacks on a functional level, for example restricting resource consumption, processing times or requests to other resources. The implementation of standard protocols makes sure that amplification attacks are not possible in practice. It also implements rate-limiting, which has a slightly different purpose and which is worth explaining here.

Rate-limiting

The rate-limiting feature in OX App Suite are not designed or promoted as sufficient protection against DoS attacks, particularly when considering that there is functionality which can be used to create very high load with relatively low request count. The current rate-limiting feature does not consider any kind of taxonomy, but just counts requests.

Rate-limiting is primarily designed as a failsafe to mitigate faulty conditions of client-side applications that would otherwise put excessive stress on the system. Blocking individual clients on a network level is not in scope of OX App Suite and operators usually have no way of contacting a user to identifying and shut down a "broken" client in time.

By default, rate-limits are associated to a client by using its remote IP address and user-agent. There are options to include a specific header, cookie or session as well. The default rate limit allows 1500 HTTP requests within a moving time window of 5 minutes. This value is determined by experience of "known good" usage of OX App Suite and other HTTP clients (e.g. CardDAV, CalDAV, WebDAV).

The default of 300 requests per 5 minutes for rate-limiting login requests is quite high to accommodate non-interactive clients. More sophisticated protection against authentication abuse can be provided by the OX Abuse Shield component or by using a dedicated IAM system. Typical large-scale DDoS attacks are usually best mitigated on the network level.

Object limits

The amount or combined size of objects that can be created for each context is limited to a reasonable value that fits most use-cases. This limitation makes sure that subsystems like databases or file storage do not get abused on purpose or by accident. E-Mail mailboxes should be limited using quota on the E-Mail server side.

For more details, please take a look at configuration options tagged with "Limit" https://documentation.open-xchange.com/components/middleware/config/8/#mode=tags&tag=Limitopen in new window. Quota for Drive is defined on a context provisioning level.

MTA monitoring and restrictions

It is recommended that operators monitor and limit usage of ingress and egress MTAs to stop illegitimate use by compromised accounts. OX App Suite does not limit outgoing E-Mail specifically and will only apply generic rate-limits. Egress E-Mail should be checked for malicious content by the operator.

OX Abuse Shield

OX App Suite integrates with OX Abuse Shield, which is a sophisticated solution to detect and stop misuse of accounts across multiple components and applications. It is recommended to evaluate this solution as an additional measure against account takeover and DoS attempts. See https://www.open-xchange.com/products/ox-abuse-shield/open in new window.