RPC does not limit failed connection attempts #1145

issue enmaku opened this issue on April 24, 2012
  1. enmaku commented at 5:47 PM on April 24, 2012: contributor

    In this question on the Bitcoin StackExchange we discussed the possibility of an RPC-based attack through Flash, Java, etc. Regardless of that specific attack vector's feasibility, RPC is still a potential attack vector if the network is compromised. It was determined in the course of this testing that Bitcoin does not limit the number of failed RPC login attempts, does not institute mandatory wait times after several failed login attempts, etc. It will essentially allow as many attempts as you can throw at it, thus opening the door to trivially easy brute force.

    I don't claim to have the perfect answer to this one, but the issue of brute force attacks on RPC needs to be addressed.

  2. gavinandresen commented at 6:16 PM on April 24, 2012: contributor

    If the rpcpassword is less than 20 characters long, then every incorrect-rpc-password-attempt results in a 250ms delay:

    Code from bitcoinrpc.cpp:

        if (!HTTPAuthorized(mapHeaders))
        {
            printf("ThreadRPCServer incorrect password attempt from %s\n",peer.address().to_string().c_str());
            /* Deter brute-forcing short passwords.
               If this results in a DOS the user really
               shouldn't have their RPC port exposed.*/
            if (mapArgs["-rpcpassword"].size() < 20)
                Sleep(250);

            stream << HTTPReply(401, "") << std::flush;
            continue;
        }

    I assume you were testing with a greater-than-20-character RPC password, which is why you didn't see the delay kick in.
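As an added example (not Bitcoin's code and not from either commenter), the policy quoted above rewritten in Python, combined with the per-peer failure counting and mandatory wait that the issue asks for. `FailureTracker`, `handle_auth`, the 3-free-failure threshold and the 8 s cap are assumptions chosen for illustration; only the "250 ms when the password is shorter than 20 characters" rule comes from the snippet.

```python
import hmac
import time
from dataclasses import dataclass, field

SHORT_PASSWORD_LEN = 20   # from bitcoinrpc.cpp: delay only applies below this
BASE_DELAY_MS = 250       # from bitcoinrpc.cpp: Sleep(250)


def auth_delay_ms(rpc_password: str) -> int:
    """Bitcoin's original rule: a fixed delay for short rpcpasswords only."""
    return BASE_DELAY_MS if len(rpc_password) < SHORT_PASSWORD_LEN else 0


@dataclass
class FailureTracker:
    """Hypothetical per-peer counter with exponential backoff (not in Bitcoin)."""
    max_free_failures: int = 3      # failures before backoff starts (assumed)
    base_ms: int = 250
    cap_ms: int = 8000              # upper bound on the enforced wait (assumed)
    failures: dict = field(default_factory=dict)

    def record_failure(self, peer: str) -> int:
        """Count a failed attempt for `peer`; return the wait to impose in ms."""
        n = self.failures.get(peer, 0) + 1
        self.failures[peer] = n
        if n <= self.max_free_failures:
            return 0
        return min(self.cap_ms, self.base_ms * 2 ** (n - self.max_free_failures - 1))

    def record_success(self, peer: str) -> None:
        """A successful login clears the peer's failure history."""
        self.failures.pop(peer, None)


def handle_auth(tracker, rpc_password, peer, presented, sleep=time.sleep):
    """Return (http_status, delay_ms) for one attempt; sleep is injectable for tests."""
    # Constant-time comparison so response timing does not leak the password.
    if hmac.compare_digest(presented.encode(), rpc_password.encode()):
        tracker.record_success(peer)
        return 200, 0
    # Apply whichever is longer: the length-based delay or the per-peer backoff.
    delay = max(auth_delay_ms(rpc_password), tracker.record_failure(peer))
    sleep(delay / 1000)
    return 401, delay
```

With a 20-plus-character password the original rule imposes no delay at all, so the per-peer backoff is what bounds repeated failures from one address.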

  3. gavinandresen closed this on Apr 24, 2012

  4. suprnurd referenced this in commit 79af6fddea on Dec 5, 2017
  5. Bushstar referenced this in commit 132b51d537 on Oct 21, 2020
  6. MarcoFalke locked this on Sep 8, 2021

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-15 15:16 UTC