Stop login flood

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

stakes
Forum Commoner
Posts: 48
Joined: Tue Jun 12, 2007 12:05 pm

Post by stakes »

Hello developers.

I have a login form that sends the request through ajax to a "process login" script. Now if the user is successfully authenticated he/she
will be redirected to "protected pages". If the user fails to log in, for some reason, the server returns a different message depending on what
failed to authenticate the user. In this case, the page is not reloaded.

Right now someone could hit the submit button X times without being stopped, sending X number of requests to the server. Now I somehow want to stop this, allowing, say, max 5 attempts a minute. I initially approached this problem by setting a cookie for the user, but cookies are easily disabled/manipulated. So I used sessions, which in theory stops the user until he/she restarts his browser. I used MySQL to record the user IP and session id but learned quite soon that this could quite easily be spoofed as well, and now a malicious user could be flooding my MySQL server with requests/queries.

So what is really the best approach? I'm not running a top secret government project here, I'm just more looking to stop the average script kiddies from using/abusing my website, so no superfluous suggestions please ;) Hope this makes sense.

Thanks in advance

/Daniel
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Use Javascript to lock out the controls until a response is heard or some period of time has lapsed.

It doesn't prevent the direct requesting via other means, but it likely rules out a lot of spamming you'll receive due to user ignorance.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Stop login flood

Post by VladSun »

stakes wrote: I used MySQL to record the user IP and session id but learned quite soon that this could quite easily be spoofed as well and now a malicious user could be flooding my MySQL server with requests/queries.
What is so easy to spoof? IP or session ID?
There are 10 types of people in this world, those who understand binary and those who don't
programmingjeff
Forum Commoner
Posts: 26
Joined: Fri Jan 05, 2007 10:56 am

Post by programmingjeff »

Session ID is the easiest to spoof.

An IP address is pretty easy because someone can use a proxy. It is a bad idea to limit the number of requests based on an IP address alone because of NATs.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

programmingjeff wrote: Session ID is the easiest to spoof.
Can't agree - almost every PHP app is based on the session-ID security model. You will need an XSS or a sniffer to steal a session id.
programmingjeff wrote:An IP address is pretty easy because someone can use a proxy.
It is true but there is no way to prevent it.
programmingjeff wrote:It is a bad idea to limit the number of requests based on an IP address alone because of NATs.
I agree.

Back to the problem - you may use something like "captcha" software.
programmingjeff
Forum Commoner
Posts: 26
Joined: Fri Jan 05, 2007 10:56 am

Post by programmingjeff »

VladSun wrote:
programmingjeff wrote:Session ID is the easiest to spoof.
Can't agree - almost every PHP app is based on session-ID security model. You will need an XSS or sniffer to steal a session id.
Sorry, I should have been more specific. You cannot rely on trying to only allow 5 logins per session-ID because it is easy for the user to clear cookies and get a new session-ID.


VladSun wrote:
Back to the problem - you may use something like "captcha" software.
Aye. Although I hate them as a user, they may be your best bet.
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

You might find this helpful:

http://phpsecurity.org/code/ch07-2

This example demonstrates throttling an authentication form, and it's based on data that you control, not the user. Remember to keep your error messages generic, so that an attacker can't reliably determine whether the account exists.

To get around the throttling, an attacker can choose a distinct username for each request, but that dramatically decreases the chance of success. Most enumeration attacks focus on a single account.

An additional safeguard is to use sessions to tally failures for a specific client, and then you just need to make sure requests that don't include a valid session identifier always fail. This lets you throttle a specific client in addition to a specific account, making enumeration attacks require an impractical time investment.

Hope that helps.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

shiflett wrote: Remember to keep your error messages generic, so that an attacker can't reliably determine whether the account exists.
I can't agree more. "Invalid username" and a separate "Invalid password" error give away far too much to narrow things down quickly. We always stick to generic "Login failed" messages and we lock accounts out for 1 hour after the 5th successive failed login, but we don't change the error message to say the account is locked out, otherwise you then know the account exists...
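As an added worked example (not code from this thread, nor the phpsecurity.org listing shiflett links), here is a PHP sketch that puts shiflett's and Chris Corbyn's points together: failure counts kept in data the server controls, keyed per account and per client session; every failure path (unknown user, wrong password, locked account, locked client, missing session id) returning the same "Login failed" text; and requests without a server-issued session id always rejected. The arrays stand in for MySQL tables and PHP's session store, the `attemptLogin`/`recordFailure`/`isLockedOut` names are mine, and the limits (lock after the 5th consecutive failure, for 1 hour) are assumptions taken from Chris Corbyn's post.

```php
<?php
// Added example, not code from the thread or from the phpsecurity.org link.
// Per-account throttling with failure counts the server controls, one generic
// message for every failure path, and a per-client tally tied to a session id
// the server issued. The arrays stand in for MySQL tables and PHP's session
// store (constructed sample data); the limits are assumptions taken from the
// thread (lock after the 5th consecutive failure, for 1 hour).

const MAX_FAILURES    = 5;
const LOCKOUT_SECONDS = 3600;
const GENERIC_ERROR   = 'Login failed';

// Constructed user table: username => password hash.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Hash of a throwaway password, verified when the username is unknown so that
// unknown and existing accounts take about the same time to reject.
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

// Server-side stores, both shaped as key => ['count' => n, 'last' => unixtime].
// $accountFailures would be a table keyed by username; $sessions stands in for
// the session store and only contains ids this server issued.
$accountFailures = [];
$sessions = ['sess-abc123' => ['count' => 0, 'last' => 0]];

function windowExpired(array $entry, int $now): bool
{
    return ($now - $entry['last']) >= LOCKOUT_SECONDS;
}

function isLockedOut(array $store, string $key, int $now): bool
{
    return isset($store[$key])
        && $store[$key]['count'] >= MAX_FAILURES
        && !windowExpired($store[$key], $now);
}

function recordFailure(array &$store, string $key, int $now): void
{
    if (!isset($store[$key]) || windowExpired($store[$key], $now)) {
        $store[$key] = ['count' => 0, 'last' => $now];
    }
    $store[$key]['count']++;
    $store[$key]['last'] = $now;
}

// Returns [bool $ok, string $message]. Unknown user, wrong password, locked
// account and locked client all produce the same message.
function attemptLogin(
    array $users, string $dummyHash, array &$accountFailures, array &$sessions,
    ?string $sessionId, string $username, string $password, int $now
): array {
    // No server-issued session id: always fail, so a client cannot escape the
    // per-client tally by simply not sending a cookie.
    if ($sessionId === null || !isset($sessions[$sessionId])) {
        return [false, GENERIC_ERROR];
    }
    if (isLockedOut($accountFailures, $username, $now)
        || isLockedOut($sessions, $sessionId, $now)) {
        return [false, GENERIC_ERROR];
    }
    $known = isset($users[$username]);
    $ok = password_verify($password, $known ? $users[$username] : $dummyHash) && $known;
    if (!$ok) {
        recordFailure($accountFailures, $username, $now);
        recordFailure($sessions, $sessionId, $now);
        return [false, GENERIC_ERROR];
    }
    unset($accountFailures[$username]);   // a good login clears the account tally
    $sessions[$sessionId]['count'] = 0;   // and the client tally
    return [true, 'OK'];
}

// Demo run with constructed timestamps: five wrong passwords, the right one
// inside the lockout window, a request with no session id, then the right one
// after the window has passed.
$t = 1700000000;
$good = 'correct horse battery staple';
for ($i = 1; $i <= MAX_FAILURES; $i++) {
    [$ok, $msg] = attemptLogin($users, $dummyHash, $accountFailures, $sessions, 'sess-abc123', 'alice', 'wrong', $t + $i);
    echo "attempt $i: $msg\n";
}
[$ok, $msg] = attemptLogin($users, $dummyHash, $accountFailures, $sessions, 'sess-abc123', 'alice', $good, $t + 10);
echo "right password during lockout: $msg\n";
[$ok, $msg] = attemptLogin($users, $dummyHash, $accountFailures, $sessions, null, 'alice', $good, $t + LOCKOUT_SECONDS + 10);
echo "no session id: $msg\n";
[$ok, $msg] = attemptLogin($users, $dummyHash, $accountFailures, $sessions, 'sess-abc123', 'alice', $good, $t + LOCKOUT_SECONDS + 10);
echo "right password after the window: $msg\n";
```

Run it with `php throttle.php` (PHP 7.1 or later, for the `?string` type and array destructuring). Two design choices worth noting: the window is measured from the last failure rather than the first, so a client that keeps hammering stays locked, and the unknown-user branch still runs `password_verify` against a dummy hash so that response time does not leak whether the account exists, which the generic message alone would not prevent.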
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I hate it when I get locked out of an account because I couldn't remember which password I used for a particular website (or caps-lock was on). I think captchas are a bit better.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Ambush Commander wrote:I hate it when I get locked out of an account because I couldn't remember which password I used for a particular website (or caps-lock was on). I think captchas are a bit better.
Captchas on logins? You know, that's a good idea. Do you mean, only after a failed login, or in general?
programmingjeff
Forum Commoner
Posts: 26
Joined: Fri Jan 05, 2007 10:56 am

Post by programmingjeff »

superdezign wrote:
Ambush Commander wrote:I hate it when I get locked out of an account because I couldn't remember which password I used for a particular website (or caps-lock was on). I think captchas are a bit better.
Captchas on logins? You know, that's a good idea. Do you mean, only after a failed login, or in general?

I've seen both used. As a user, I prefer the former because I have a password manager and therefore my username/password is always right. I feel that having the captcha appear on the first attempted login is a waste of my time.