I'd like to be able to throttle login attempts based on failed attempts but I got some questions.
Should I use MySQL? (read that it could strain the DB)
Should I throttle per user and system-wide or just system-wide? (so to stop normal people from guessing passwords)
How should I calculate my threshold? (so it automatically adapts to changes/growth)
How should I retrieve this threshold? Query/calculate on every fail or store on cache?
What should I use to throttle? (read a response that sleep() could end up straining the server)
Does anybody have some sample code?
I'm quite new at this so I appreciate the help!
Thanks
I implemented a poor-man's throttling mechanism in phunction using APC alone, this is how I use it:
// allow 60 requests every 30 seconds
// each request counts as 1 (expensive operations can use higher values)
// keep track of IPs by REMOTE_ADDR (ignore others)
$throttle = ph()->Throttle($ttl = 30, $exit = 60, $count = 1, $proxy = false);
if ($throttle === true)
{
// IP exceded 30 requests in the last 60 seconds, die() here
}
else
{
// $throttle is a float
// number of requests in the last 30 seconds / 30 seconds
/*
1 req / 30 = 0,033 sec
5 req / 30 = 0,166 sec
10 req / 30 = 0,333 sec
15 req / 30 = 0,5 sec
20 req / 30 = 0,666 sec
25 req / 30 = 0,833 sec
30 req / 30 = 1 sec
*/
usleep(intval(floatval($throttle) * 1000000));
}
I use this on my Front-Controller and pass the value to my routing method, but that's another story.
The bottom line is that if you use APC you're able to keep things very fast in memory and with little memory consumption because APC follows a FILO methodology. If you need way higher timeouts you may consider using something that's not memory based though.
BTW: MySQL supports tables with the MEMORY engine.
The problem with sleep()
:
A typical Apache web server with PHP installed as a module will eat about 10 MB of RAM per instance, to avoid exceeding your available ram there are some Apache settings that you can configure to limit the maximum number of instances that Apache is able to start.
The problem is when you sleep()
, that instance is still active and with enough requests could end up eating all the available slots to start new servers, thus rendering your web site inaccessible until some pending requests are completed.
There is no way to overcome this from PHP AFAIK, so in the end it's up to you.
The principle is the same for system wide throttling:
function systemWide($ttl = 86400, $exit = 360)
{
if (extension_loaded('apc') === true)
{
$key = array(__FUNCTION__);
if (apc_exists(__FUNCTION__) !== true)
{
apc_store(__FUNCTION__, 0, $ttl);
}
$result = apc_inc(__FUNCTION__, 1);
if ($result < $exit)
{
return ($result / $ttl);
}
return true;
}
return false;
}
Log failed login attempts in a table like this:
FailedLogins
id
timestamp
ip
Every time a user tries to log in you check to see if the user's IP address has X number of failed login attempts in the last Y seconds.
If the user has failed X times within Y seconds you present an error message or a CAPTCHA.
A MySQL database is able to handler tones of requests / sec, so you don't have to worry about bottle necks if you don't have thousands of users.
You could also use sleep()
NOTE: PHP handles more users than ASP.NET - So again. If you don't have thousands of users, you could use sleep methods, without bottle necks.
The way I normally do it, is by storing login attempts (IP, userID and timestamp).
Store it in a table, and reset the table when you feel like it (at a certain size or time of day).
If a userID + IP has more than "amount of login attempts" in a "certain amount of time", redirect the user to a page that tells the user that he/she has used to many attempts and won't be able to login the next 15min (or whatever you feel like).
A bit "Windows" like I guess, but it works like a charm :)