
I have a finishing touch for my login form and want to set a 2-second timer between invalid logins.

I had two different ideas. One would be to set a cookie that expires in X seconds, then on login check whether the cookie is set.

I am not sure, however, whether a user can refuse to let a website set a cookie, so this could be got around.

The second idea is a new DB table with the fields 'IP' and the time of the invalid login.

On invalid login, a record would be created with the user's IP and the time. Upon logging in I would check this table for a matching IP, and if the login time is less than X seconds ago the login is refused.

But this could also be got around using IP proxies etc.?

The aim of doing this would be to prevent DDoS brute-force attacks, and I'm guessing someone trying to do this would be quite aware of how to fake an IP / disallow cookies.

What is the best way for this?

Lovelock
  • Your cookie approach is totally and utterly useless – PeeHaa Dec 24 '13 at 23:41
  • Also, as you already pointed out, throttling based on IP is also pretty crappy. What about IP throttling *and* username throttling? I.e. log attempts based on username. Aaaaaand also keep a list of known likely valid IPs. That's how e.g. Gmail does it. – PeeHaa Dec 24 '13 at 23:43
  • @ItayGal sorry, forgot about this question! Marked as the accepted answer and thanks for the help :) – Lovelock Jan 28 '14 at 08:41

3 Answers

DDoS has nothing to do with it. DDoS = Distributed Denial of Service: it means someone will trigger a lot of computers to ask for a service on your website and your server won't be able to handle the load. This will prevent your server from giving service to "honest" users, and that's why it's called "denial of service".

Preventing DDoS attacks can be tricky. The only way of handling it is not providing a service to certain IPs, or to users with IPs from the areas you're being attacked from.

If you want to protect your site from a brute-force attack (assuming someone wants to hack into a user account) you should:

  1. Use a good and well-secured login system. That means using a good hashing function and salting the users' passwords.
  2. Use your second option: record the IP of a user who failed to access his account and don't let him try for 2-3 seconds. If he fails 2-3 more times, block him for 15 minutes; this will be enough time to protect your users' accounts.
Itay Gal
  • Okay, I'll set about the second option. Can someone possibly hide their IP, or keep it changing? Once it's working I guess I could work on a way to keep track of 'flagged' IPs that would be blocked 100%, etc. My password system is salted etc., and I am trying to stop the brute-force attack from becoming a DoS, so I'm hoping this system will help – Lovelock Dec 24 '13 at 23:50
  • You can't change your IP (actually you can, but not at brute-force scale), but you can hide behind a proxy server and access a service from multiple IPs. Keeping a blacklist of problematic IPs is a good idea, but you can also do some damage to yourself by blocking true users that use the same IPs later on. – Itay Gal Dec 24 '13 at 23:56
  • Sure you can "change" your IP. Botnets are pretty cheap nowadays (so I have heard ;-) ). – PeeHaa Dec 24 '13 at 23:58
  • This is my issue: people who are trying to brute-force their way in will be wised up enough to use botnets and such, so my whole system could become irrelevant – Lovelock Dec 24 '13 at 23:58
  • @PeeHaa I meant your actual IP, not the one you show to the world :). – Itay Gal Dec 25 '13 at 00:00
  • @user2921557 building a strong defense system is not an easy task. Is your service so important? As you can see in the link that was provided in the second answer, sometimes it's not worth investing a lot of money and work to defend your system. In case the damage is not significant in terms of money or reputation, you can be satisfied with a simple defense system. – Itay Gal Dec 25 '13 at 00:06
  • Currently not; the website won't be 'massive', but for me it's not quite about what's needed now, but for the future. Maybe not in this project or the next, but I'm still learning and trying to get my security tight and learn as much as I can in this field of PHP. I'll create the IP tracking system as it will allow me to create some data, and also if I see a huge spike I could manually look into things etc. Thanks for the replies :) – Lovelock Dec 25 '13 at 00:08
  • @ItayGal Well yes, but in this case it is about the IP you use to connect, I would say. – PeeHaa Dec 25 '13 at 00:09
Cookies can be disabled in the browser. All modern browsers support such a feature. When security is a concern, never rely on the client.

A really simple approach is delaying the announcement of success/failure of the login: just call sleep. This is, however, not safe, as many attempts to log in can be made in parallel. A single-threaded attack is slowed down, though.

When storing info about the last attempts to log in, you should consider what info is really good for blocking a brute-force attack on your login system.

  • When forcing a timeout between login attempts on a username, the attacker could try the same password for all logins, and by the time he wants to try another password, the login delay for the first username has already expired.
  • Forcing a login delay per IP address is a better approach, as IP addresses are a rather limited resource for an attacker. When performing a distributed attack, the delay is not forced between all attempts; it is forced between all attempts from the same IP address.

Combining more methods is a good idea anyway, as is logging all attempts to log in.

Palec
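The two answers above describe one mechanism between them: the accepted answer's DB table of failed attempts with an escalating policy (a short delay after one failure, a 15-minute block after 2-3 more), and Palec's point that the delay should be keyed by IP *and* by username, since a per-username delay misses an attacker spraying one password across many accounts and a per-IP delay misses an attacker spreading guesses for one account across many addresses. The following is an added example, not code from the question or from either answer. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table name, function names, thresholds, the stub account and the sample addresses are assumptions chosen for the example.

```php
<?php
// Added example (not from the question or answers): failed-login throttling
// keyed by BOTH client IP and username, stored in a DB table, with the
// escalating policy from the accepted answer and the combined IP + username
// throttling from Palec's answer. Table/function names, thresholds and the
// sample data below are assumptions.

const DELAY_AFTER_FAILURE = 2;        // seconds after any failure
const LOCKOUT_THRESHOLD   = 4;        // 1 failure + "2-3 more" => block
const LOCKOUT_SECONDS     = 15 * 60;  // length of the block
const WINDOW_SECONDS      = 15 * 60;  // failures older than this are ignored

function createThrottleSchema(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS failed_logins (
                 scope        TEXT    NOT NULL,   -- "ip" or "user"
                 subject      TEXT    NOT NULL,   -- the address or the username
                 attempted_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX IF NOT EXISTS failed_logins_idx
                 ON failed_logins (scope, subject, attempted_at)');
}

/** One failure is charged to the IP and to the username it targeted. */
function recordFailure(PDO $db, string $ip, string $username, int $now): void {
    $ins = $db->prepare('INSERT INTO failed_logins (scope, subject, attempted_at)
                         VALUES (?, ?, ?)');
    $ins->execute(['ip', $ip, $now]);
    $ins->execute(['user', strtolower($username), $now]);
}

/** Seconds this scope/subject must still wait (0 = may try now). */
function secondsToWait(PDO $db, string $scope, string $subject, int $now): int {
    $q = $db->prepare('SELECT COUNT(*) AS n, MAX(attempted_at) AS last
                       FROM failed_logins
                       WHERE scope = ? AND subject = ? AND attempted_at > ?');
    $q->execute([$scope, $subject, $now - WINDOW_SECONDS]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    $n = (int) $row['n'];
    if ($n === 0) {
        return 0;
    }
    $penalty = $n >= LOCKOUT_THRESHOLD ? LOCKOUT_SECONDS : DELAY_AFTER_FAILURE;
    return max(0, (int) $row['last'] + $penalty - $now);
}

/** The stricter of the per-IP and per-username waits applies. */
function loginWait(PDO $db, string $ip, string $username, int $now): int {
    return max(secondsToWait($db, 'ip', $ip, $now),
               secondsToWait($db, 'user', strtolower($username), $now));
}

/**
 * $verify is whatever checks the credential (here password_verify()).
 * On success only the username's counter is cleared: clearing the IP's
 * counter would let an attacker who owns one valid account reset it.
 */
function attemptLogin(PDO $db, string $ip, string $username, string $password,
                      callable $verify, int $now): array {
    $wait = loginWait($db, $ip, $username, $now);
    if ($wait > 0) {
        return ['ok' => false, 'reason' => 'throttled', 'retry_after' => $wait];
    }
    if ($verify($username, $password)) {
        $db->prepare('DELETE FROM failed_logins WHERE scope = ? AND subject = ?')
           ->execute(['user', strtolower($username)]);
        return ['ok' => true, 'reason' => 'ok', 'retry_after' => 0];
    }
    recordFailure($db, $ip, $username, $now);
    return ['ok' => false, 'reason' => 'bad_credentials',
            'retry_after' => DELAY_AFTER_FAILURE];
}

// ---- Demonstration on constructed data (one stub account, fixed clock) ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createThrottleSchema($db);
$users  = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$verify = function (string $u, string $p) use ($users): bool {
    return isset($users[$u]) && password_verify($p, $users[$u]);
};
$t = 1000000; // time is passed in explicitly so the run is deterministic

// Password spraying: one IP, one guess, many usernames, 1 s apart. A
// username-only delay would allow all three; the IP counter refuses the
// second request and only lets the third through once 2 s have passed.
foreach (['alice', 'bob', 'carol'] as $i => $name) {
    $r = attemptLogin($db, '203.0.113.5', $name, 'Winter2013', $verify, $t + $i);
    printf("spray  %-5s from 203.0.113.5  -> %s\n", $name, $r['reason']);
}

// Distributed guessing: a fresh IP per request, spaced past the 2 s delay,
// all against alice. An IP-only delay would allow all five; the username
// counter trips the 15-minute block after alice's fourth failure (one from
// the spray above plus three here), so requests 4 and 5 are refused.
$t += 100;
foreach (range(1, 5) as $i) {
    $r = attemptLogin($db, "198.51.100.$i", 'alice', "guess$i", $verify, $t + 3 * $i);
    printf("spread alice from 198.51.100.%d -> %s (retry in %ds)\n",
           $i, $r['reason'], $r['retry_after']);
}
```

Two practical points when wiring this into a real login handler. Take the address from `$_SERVER['REMOTE_ADDR']`, not from `X-Forwarded-For` or any other client-supplied header, unless a proxy you control is known to set it; otherwise the attacker chooses the key he is throttled under. And note that the per-username block is exactly the self-inflicted denial of service the comments under the accepted answer worry about: anyone who knows a username can lock its owner out for 15 minutes at a time, so many sites answer repeated failures on an account with a CAPTCHA or a second factor rather than a hard refusal, and in any case log every attempt so a spike is visible.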

Here's some info on DDoS in a PHP environment that might be helpful:

How to enable DDoS protection?

Michael Schock