Service authentication lockout

From: Jonas B. Nielsen <jonasbn_at_dk-hostmaster.dk>
Date: Fri, 22 Aug 2014 13:47:57 +0200

Due to a software bug in our EPP service, all registrar users, using EPP and other services in combination, experienced being locked out of our services yesterday.

Countermeasures have been deployed and we are investigating this issue further. Additional patching is to be expected.

The bug was located in the proxy handling of the EPP service against the authentication system. The bug presented all users to the authentication system, as if they were coming from a single IP address, instead of their own IP address. Due to this, it caused a lockout of all users, based on the incorrectly authenticated IP address.

This function, an automated authentication security lock, was added as a security measure. It was put in place to prohibit excessive authentication attempts, but, if incorrectly configured, it could deny all users access to the involved services.

This mechanism could also propagate to other services, and in this case it was also observed outside of EPP, in our other services, such as the DAS and the online self-service site.
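To illustrate the failure mode described above, here is an added Python example (not DK Hostmaster's code) modelling a per-IP lockout behind a proxy: the proxy-address collapse beside the fix of keying on the forwarded client address, plus a single-source check of the kind the promised monitoring could use. The threshold, addresses, X-Forwarded-For header and trusted-proxy list are assumptions.

```python
from collections import Counter, defaultdict

MAX_FAILURES = 5       # constructed threshold; the notice states no number
PROXY_IP = "10.0.0.1"  # constructed address standing in for the EPP proxy


class AuthLockout:
    """Failed-login counter keyed on source IP, as the notice describes."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def locked(self, ip):
        return self.failures[ip] >= self.max_failures

    def attempt(self, ip, ok):
        if self.locked(ip):
            return "locked"
        if not ok:
            self.failures[ip] += 1
        return "ok" if ok else "failed"


def client_ip_for_auth(peer_ip, headers, trusted_proxies, broken=False):
    """IP the auth system counts against. broken=True reproduces the bug:
    every proxied user is presented as the proxy's own address."""
    if broken or peer_ip not in trusted_proxies:
        return peer_ip
    forwarded = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    return forwarded or peer_ip


# constructed traffic: one source failing repeatedly, three legitimate logins
EVENTS = [("203.0.113.9", False)] * MAX_FAILURES + [
    ("198.51.100.2", True), ("198.51.100.3", True), ("198.51.100.4", True)]


def simulate(broken):
    """Replay EVENTS through the proxy; returns per-client outcome and keys used."""
    lock, outcomes, keys = AuthLockout(), {}, []
    for client_ip, ok in EVENTS:
        key = client_ip_for_auth(PROXY_IP, {"X-Forwarded-For": client_ip},
                                 {PROXY_IP}, broken)
        keys.append(key)
        outcomes[client_ip] = lock.attempt(key, ok)
    return outcomes, keys


def single_source_share(keys):
    """Monitoring check: fraction of auth attempts attributed to one key.
    Near 1.0 with many distinct users means the proxy is collapsing addresses."""
    return Counter(keys).most_common(1)[0][1] / len(keys) if keys else 0.0
```

With `broken=True` every legitimate login is refused once the shared key reaches the threshold; with the fix only the failing source is affected, and `single_source_share` drops from 1.0 to the real share of that source.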

We are deeply sorry for any inconvenience and frustration that this lockout may have caused, and we will take measures to monitor this security mechanism to avoid future lockouts of this scale.

jonasbn, on behalf of DK Hostmaster A/S
--
Best Regards
Jonas B. Nielsen
Software Developer
Kalvebod Brygge 45, 3. sal
1560 København V
Tel.:     +45 33 64 60 60
Mobile:   +45 31 54 60 56
Fax:      +45 33 64 60 66
Email:    jonasbn_at_dk-hostmaster.dk
Homepage: https://www.dk-hostmaster.dk
.dk Denmark's place on the Internet
Received on Fri Aug 22 2014 - 13:47:57 CEST

This archive was generated by hypermail 2.3.0 : Tue Mar 24 2020 - 08:55:00 CET