0

I've got the same question like this one which was answered 9 years ago, and the answers given are quite useless (How to delay login attempts after too many tries (PHP))

How can you delay login attempts against bots without using sleep()? It seems obviously confusing to want to prevent DoS attacks from the client-side code...I do not understand, where I can set the 'delays', or the 'http request to login' to come from the actual server/apache or something.

Please be lenient, I left it for days because of burnout and came back to it now, still finding no understanding on it.
I understand and implement the throttling part - I know how to set up the DB and tables to capture each failed attempt, but not how to set apache/the server/whatever needs to be set up to 'pause' the script (the script which processes the login form) for that current user/IP address to login for the next x seconds?

Is it done using PHP? Or do you set up your apache config, or an htaccess rule, to do it? I really need help with this...

DJo
  • 2,133
  • 4
  • 30
  • 46
ArabianMaiden
  • 505
  • 7
  • 24
  • Using sleep() is a bad idea.. sleep() keeps the “process” active so it is consuming CPU and RAM.. PHP is the wrong place to handle this.. Best way is to set a trotte in the firewall or get special anti DoSS hardware.. – Raymond Nijland Jan 30 '19 at 11:50
  • @RaymondNijland yes that's why the answers in that question are unhelpful, I read the dozens of answers on SO talking about not using sleep(). Is this really a hardware issue? I didn't think that was the normal way to do it. If I can't afford the hardware will that make my website open to DoS attacks? (my web host server says the DoS protection comes default with the package, but others have mentioned that your host's DoS protection is at domain level only so it's not too efficient). What should I do? – ArabianMaiden Jan 30 '19 at 11:59
  • Also a idea might be implementing a challege response login. Which uses a different encoded/hashed signin string every time and obfuscute the JavaScript source code.. it will not most likely will not totaly stop the real hackers/crackers it will most likely slow them down the scriptkiddies most likely will stop trying – Raymond Nijland Jan 30 '19 at 13:49
  • A other idea might be implementing cliënt SSL certificate to login with.. Does the browser not have a valid cliënt SSL certificate drop the connection to signin – Raymond Nijland Jan 30 '19 at 13:54

1 Answers1

1

You shouldn't "sleep()" in the script itself, as the same system can still spam multiple requests and your threads will all be held up sleeping and then responding.

One suggestion is to store the IP address and/or session token of the visit, and then if that IP address/session token visits again too soon you just refuse/fail the request in PHP.

So on each request, check the database table with the login attempts and then if that identifier has already visited in the last second (or however long you want the timeout to be), just send back a 429 Too Many Requests response (or your relevant failure code). If the request is fresh, store it in the database and continue processing it.

judges119
  • 36
  • 1
  • 3
  • Thanks for suggesting an actual solution, but this seems like it still depends on the script and database which, i thought, bots can bypass? – ArabianMaiden Jan 30 '19 at 11:56
  • If you're just trying to stop people brute-forcing your login, all you need is the script changes in my answer. Also make sure your site is protected against SQLi attacks and any form of authentication bypass (using a trusted authentication library rather than rolling your own is a good idea). If you want to stop DoS attacks that's different, you'll probably want DoS protection through your hosting provider or someone like Cloudflare. – judges119 Jan 31 '19 at 12:39