Lower number of allowed POST requests to /users (sign up)
What does this MR do and why?
Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/521.
Lower allowed POST requests to /users (sign up) per IP from 20/min to 20/day.
Why?
The current rate limit for POST requests to the /users endpoint is too high (28,800 requests per day) and is actively being abused by attackers (see https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17118 and https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17141).
At the peak of the recent incidents (11-14 to 11-21), the highest number of requests to the endpoint from a single IP was < 500.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.