REST API for Luna Network HSMs
Black List

The webserver includes a black list, which stops malicious users from making requests to the REST API. The system analyzes a user's request and detects malicious patterns. Once blacklisted, a user's IP will be blocked at the TCP socket level and will not be allowed a connection. All black list activity is logged in the lunalogs log file.

The following table lists blacklistable offences and the number of infractions caused by each.

Offence                     Number of infractions
Bad login credential        2
Request timeout             5
Certificate renegotiation   1
Bad request payload         1

Advanced Black List Usage

The black list can be configured by specifying a severity percentage or by modifying the attributes directly.

Severity

The simplest way to configure the black list is to assign a severity percentage between 0 and 100, where 0 turns the black list off and 100 is the highest possible severity. The default value is 50; this value is recommended as being generally lenient while effective at stopping malicious users.

Attributes

The black list is controlled by three attributes: "maxInfractionCount", "timeoutStart" and "timeoutMultiplier".

  • "maxInfractionCount": the number of infractions committed before a user is blacklisted. It is represented as an internal counter per user. When an infraction is committed, the counter is incremented. The user is blacklisted when the maximum number is reached.
  • "timeoutStart": the time (in seconds) before the infraction count is updated. Each user has an update timer, which begins at this value and grows with each infraction (see "timeoutMultiplier"). When the timer expires, the infraction counter for that user is decreased. When the infraction counter returns to zero, the timer is reset to this value.
  • "timeoutMultiplier": the factor by which the timeout is multiplied with each infraction.

Example: The webserver's black list is configured as follows:

  • maxInfractionCount = 5
  • timeoutStart = 1
  • timeoutMultiplier = 2

A user attempts to log in, but the credentials are incorrect. Login with bad credentials counts as 2 infractions, so the infraction count is reduced by 2, bringing it down from 5 to 3.

The timeout counter is incremented by the multiplier, making the timeout 4 seconds (timeout x multiplier ^ infractions = 1 x 2 ^ 2). The user must now wait 4 seconds for their infraction count to increase to 4 from 3. The timeout remains at 4 seconds until the next infraction is committed.

If the user waits an additional 4 seconds, the infraction count will be back to its default, and the timeout is reset to its "timeoutStart" value.

A more malicious user may send requests at a much more aggressive rate. If the user attempts to make 10 bad requests, 5 come through, and the user is immediately blacklisted.

The timeout counter is now set to 32 seconds (timeout x multiplier ^ infractions = 1 x 2 ^ 5). The user waits 32 seconds and the infraction count is set to 1.

The user then performs another bad request, and is blacklisted for 64 seconds (timeout x multiplier ^ infractions = 32 x 2 ^ 1).
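The two scenarios above, replayed in an added Python simulation that is not part of the Luna product or its REST API documentation. It assumes a simplified model derived from the worked numbers: each user starts with maxInfractionCount infractions to spend, an offence deducts the weight from the table, every infraction multiplies the current timeout by timeoutMultiplier, each expiry of the timeout restores one infraction, the block is lifted once at least one infraction has been restored, and the timeout returns to timeoutStart when the counter is back at full.

```python
from dataclasses import dataclass, field

# Offence weights taken from the table in the section above.
INFRACTIONS = {
    "bad_login": 2,
    "request_timeout": 5,
    "cert_renegotiation": 1,
    "bad_payload": 1,
}


@dataclass
class BlackListEntry:
    """Per-user black list state under the assumed (simplified) model."""
    max_infraction_count: int = 5
    timeout_start: float = 1.0
    timeout_multiplier: float = 2.0
    remaining: int = field(init=False)   # infractions left before the block
    timeout: float = field(init=False)   # seconds until one infraction is restored

    def __post_init__(self) -> None:
        self.remaining = self.max_infraction_count
        self.timeout = self.timeout_start

    @property
    def blacklisted(self) -> bool:
        # Assumption: the block lasts until at least one infraction is restored.
        return self.remaining <= 0

    def offence(self, kind: str) -> bool:
        """Record an offence; returns True if the user is now blacklisted."""
        weight = INFRACTIONS[kind]
        self.remaining = max(0, self.remaining - weight)
        # Each infraction multiplies the current timeout: 1 x 2^2 = 4, 32 x 2^1 = 64.
        self.timeout *= self.timeout_multiplier ** weight
        return self.blacklisted

    def wait(self, seconds: float) -> int:
        """Let time pass; every full timeout period restores one infraction.
        Returns how many infractions were restored."""
        restored = 0
        while seconds >= self.timeout and self.remaining < self.max_infraction_count:
            seconds -= self.timeout
            self.remaining += 1
            restored += 1
        if self.remaining == self.max_infraction_count:
            self.timeout = self.timeout_start   # counter back to zero: reset the timer
        return restored
```

With the defaults from the example (5, 1, 2), one bad login leaves 3 infractions and a 4-second timeout, while five single-weight offences in a row block the user with a 32-second timeout, exactly as the text walks through.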