 

Login Flood Control
rickatech 2019-11

Inevitably a web page or application evolves to the point where it benefits from users logging in to see content and services tailored to their needs.  Enabling login with a username and password checked against a simple list or a sophisticated backend database is intrinsically rather straightforward.

However, anything that can be accessed on the Internet can also be attacked en masse by essentially anonymous malicious web-crawling agents, often referred to as 'bots' or 'botnets'.  These agents exploit crimes of opportunity, and will probe the behaviour of web login pages for simple ways to gain access.  A time-honored tactic is to randomly guess usernames and passwords; against an unsophisticated site, thousands of guesses per second can be made.  This page illustrates a flood control approach that detects an excessive number of login attempts in a short period of time from the same IP address.  There are more sophisticated mechanisms for thwarting malicious agents trying to crack a web login, but this approach is quite effective at significantly increasing the amount of work needed to hack a login.  The more time and work required to hack a site, the less likely it is that agents will bother, moving on instead to easier targets.
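The following is an added example of the per-IP flood control described above; it is illustrative code written for this page, not the author's own implementation. It assumes the web application can call `allow()` before it checks credentials and `record_failure()` or `record_success()` afterwards, and the policy numbers (five failures within 60 seconds triggers a 300 second lockout) and the sample IP addresses are constructed for the example.

```python
"""Sliding-window login flood control keyed by client IP (added example)."""
import time
from collections import defaultdict, deque


class LoginFloodControl:
    """Count failed logins per IP inside a time window; lock the IP out once the
    limit is hit. The policy values are assumptions chosen for this example."""

    def __init__(self, max_failures=5, window_seconds=60.0, lockout_seconds=300.0):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}                # ip -> time at which its lockout expires

    def _prune(self, ip, now):
        """Drop failure timestamps that have aged out of the window."""
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allow(self, ip, now=None):
        """True if the application should bother checking credentials at all."""
        now = time.monotonic() if now is None else now
        if self._locked_until.get(ip, 0.0) > now:
            return False
        self._locked_until.pop(ip, None)      # lockout expired (or never set)
        return len(self._prune(ip, now)) < self.max_failures

    def record_failure(self, ip, now=None):
        """Record a failed credential check; start a lockout once the limit is hit."""
        now = time.monotonic() if now is None else now
        q = self._prune(ip, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            q.clear()                          # the lockout now governs this IP

    def record_success(self, ip):
        """A real user got in: forget this IP's failure history."""
        self._failures.pop(ip, None)
        self._locked_until.pop(ip, None)


def replay(events, **policy):
    """Replay (ip, seconds, credentials_ok) events through the control and return
    one outcome per event: 'rejected' (refused before any credential check),
    'ok', or 'bad-password'."""
    fc = LoginFloodControl(**policy)
    outcomes = []
    for ip, t, credentials_ok in events:
        if not fc.allow(ip, now=t):
            outcomes.append("rejected")
            continue
        if credentials_ok:
            fc.record_success(ip)
            outcomes.append("ok")
        else:
            fc.record_failure(ip, now=t)
            outcomes.append("bad-password")
    return outcomes


# Constructed sample: a guessing bot at 203.0.113.7 fires six attempts in three
# seconds, while a legitimate user at 198.51.100.20 mistypes once and then gets in.
SAMPLE_EVENTS = [
    ("203.0.113.7", 0.0, False),
    ("203.0.113.7", 0.5, False),
    ("203.0.113.7", 1.0, False),
    ("203.0.113.7", 1.5, False),
    ("203.0.113.7", 2.0, False),    # fifth failure inside the window: lockout begins
    ("203.0.113.7", 2.5, True),     # even a correct guess is refused while locked out
    ("198.51.100.20", 3.0, False),
    ("198.51.100.20", 10.0, True),
    ("203.0.113.7", 302.5, True),   # the 300 s lockout has expired by now
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{event[0]:>15} t={event[1]:6.1f}s -> {outcome}")
```

Two practical points when wiring this into a real site: the `ip` passed in must be the genuine client address (behind a reverse proxy that means a forwarded-for header the proxy is trusted to set, never one the client controls), and because many users can share one address through NAT, the lockout should be short enough that a flood from one shared network does not lock out its legitimate users for long.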

