1

I am writing a simple solution for brute force login attempts. I need to add a delay before sending the response if there were many failed attempts. What do you guys suggest for adding a delay to individual requests? It has to be per request, so that the thread serving a particular resource is not affected for the next request.

Thanks.

EDIT: According to this question, when running on Apache on Webfaction, time.sleep will delay the next request to the same resource.

So what could be an alternative to time.sleep in this case?

maulik13

3 Answers

1

Downvote me if I'm wrong, but I think each thread only processes one request at a time. Thus, if you want a slow request, just do a time.sleep in that thread and the server will take a longer time to process it without affecting the other concurrent requests.

Claudiu
  • I understand that it would depend on the web server? – maulik13 Mar 25 '13 at 19:59
  • @maulik13: what server are you using, then? – Claudiu Mar 25 '13 at 19:59
  • At present I am on Django's dev server. I have not decided the production web server yet. – maulik13 Mar 25 '13 at 20:00
  • 1
    @maulik13: django's dev server only processes one request at a time. you're right that it depends on the server. if you have an asynchronous server then it will have a particular way to delay a request. if you have a threaded synchronous server then what I wrote is accurate, and maybe you can find a way to add another thread to the thread pool while the current one does nothing. – Claudiu Mar 25 '13 at 20:06
  • You are right about one thread per request, that is true for Django dev server based on its documentation. – maulik13 Mar 25 '13 at 20:08
  • According to this link, when running on Apache on Webfaction, time.sleep will delay the next request to the same resource. http://stackoverflow.com/questions/15084367/django-sleep-pauses-all-processes-but-only-if-no-get-parameter – maulik13 Mar 25 '13 at 20:57
1

If you delay the response in a threaded server, your service will be prone to a DoS attack. An attacker may send many requests at once, and all your threads will sleep at once...

You had better ask for a CAPTCHA if there are too many attempts from the same IP.

Update: I would use Twisted (or Tornado, but I have never used it) and nginx (not Apache) as the frontend. You may even use both Twisted and Django, but you will have to write code that imitates Django auth and session with Twisted, writing the proper data into the database.

monoid
  • Yes that is true. And hence I am trying to find if I could make this delay asynchronous without affecting subsequent requests to the same resource. – maulik13 Apr 05 '13 at 09:01
  • I believe you cannot do it with Django :( – monoid Apr 05 '13 at 10:20
  • I see. Is there any framework or tool to help do non-blocking delay? – maulik13 Apr 05 '13 at 18:34
  • 1
    I would use Twisted and nginx (not Apache) as frontend. You may even use both Twisted and Django, but you will have to write code that imitates Django auth and session with Twisted, writing proper data into database. – monoid Apr 06 '13 at 03:21
  • Could you please add this to your answer? I will upvote that as well. – maulik13 Apr 06 '13 at 10:29
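The point made in the first answer (a sleeping thread only delays its own request) and the objection in this one (a thread pool full of sleeping threads serves nobody, and an asynchronous server avoids that) can be measured directly. The following is an added example, not code from either answer or from Django; it stands in for a threaded server with `concurrent.futures.ThreadPoolExecutor` and for an asynchronous server such as Twisted or Tornado with `asyncio`, and the request batches and the `DELAY` value are constructed for the demonstration.

```python
import asyncio
import time
from concurrent.futures import ThreadPoolExecutor

# Penalty applied to a request that came from a throttled login.
# Constructed value for the demo; a real throttle would use a few seconds.
DELAY = 0.2


def serve_threaded(requests, workers):
    """Simulate a threaded synchronous server with a fixed pool of `workers`.

    `requests` is a list of booleans: True means "penalise this request".
    Returns each request's completion time in seconds since the batch
    started, in request order."""
    start = time.monotonic()

    def handler(penalised):
        if penalised:
            time.sleep(DELAY)  # blocks this worker thread for the whole delay
        return time.monotonic() - start

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(handler, requests))


async def _async_handler(penalised, start):
    if penalised:
        # Suspends only this coroutine; the event loop keeps serving others.
        await asyncio.sleep(DELAY)
    return time.monotonic() - start


async def _serve_async(requests):
    start = time.monotonic()
    return await asyncio.gather(*(_async_handler(p, start) for p in requests))


def serve_async(requests):
    """Simulate an asynchronous server: one thread, one event loop."""
    return asyncio.run(_serve_async(requests))


if __name__ == "__main__":
    # Threaded, 2 workers: a penalised and a normal request run in parallel,
    # but three penalised requests exhaust the pool and the third one queues.
    print("threaded [penalised, normal], 2 workers:", serve_threaded([True, False], 2))
    print("threaded [3 penalised], 2 workers:      ", serve_threaded([True] * 3, 2))
    # Async: all three penalised requests wait concurrently, done at about DELAY.
    print("async    [3 penalised]:                 ", serve_async([True] * 3))
```

With two worker threads, the unpenalised request finishes almost immediately while the penalised one sleeps, which is the first answer's claim; with three penalised requests the third completes only after two full delays, which is the pool exhaustion this answer warns about. The asynchronous variant finishes all three after a single delay because the sleep holds no thread.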
0

HTTP is a stateless protocol. The only way to connect requests is to store the session information somewhere client side. Since you can't control client behavior, the best chance is to log failed login attempts on the server side and delay the login routine for those accounts.

Jingo
  • I am not looking for linking the state of a user to the delay. I already know which IP and user to respond to. I am looking for a way to add this delay for an individual request without blocking other requests. – maulik13 Mar 25 '13 at 20:10
  • That's what I am talking about. Relying on IP is not a good idea, btw; you may lock out people from shared IPs... – Jingo Mar 25 '13 at 20:11
  • I know the risk. But this is only for logging in. And it's only a few (maybe 2-5) seconds of delay. – maulik13 Mar 25 '13 at 20:12
  • And this is particularly useful when a user_name is known and there are many failed attempts registered for that user. In that case it's just to check that a particular user_name is attempted, and then it adds a delay for that response. – maulik13 Mar 25 '13 at 20:16
  • 1
    @maulik13: a simpler solution might be to record in the database the last few login attempts, and if there are too many then return a message like "Access denied: Too many login attempts. Try again in a few seconds." then you don't have to delay on the server-side, but you also don't let the person brute force that effectively. – Claudiu Mar 25 '13 at 20:22
  • @Claudiu It is definitely a simpler solution, I will keep this in mind. – maulik13 Mar 25 '13 at 20:34
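The approach Claudiu sketches in the comment above (record the last few failed attempts per account and answer "try again in N seconds" instead of sleeping) avoids the thread-blocking problem entirely, because the throttled request is answered at once. The following is an added example, not code from the answer, the comments or Django: a small in-memory tracker plus a simulated login view. It goes slightly beyond the comment by doubling the lockout for every failure past the threshold (capped), and by keying on the user name rather than the IP, which the thread notes can be shared. The `verify` callback and the `clock` parameter are assumptions for the demo; a real deployment would back the tracker with the database or a shared cache so that all workers see the same counts.

```python
import math
import time
from collections import defaultdict, deque


class LoginAttemptTracker:
    """Per-key (user name) failed-login counter with a retry-after answer.

    A throttled request is told immediately how long to wait; nothing sleeps,
    so no server thread is tied up by the penalty."""

    def __init__(self, max_failures=5, window=300.0, base_lockout=5.0,
                 max_lockout=300.0, clock=time.monotonic):
        self.max_failures = max_failures     # failures inside `window` before locking
        self.window = window                 # seconds a failure stays counted
        self.base_lockout = base_lockout     # lockout once the threshold is reached
        self.max_lockout = max_lockout       # cap for the escalating lockout
        self.clock = clock                   # injectable for deterministic tests
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key):
        """Drop failures older than the window and return the remaining ones."""
        cutoff = self.clock() - self.window
        q = self._failures[key]
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def retry_after(self, key):
        """Seconds `key` must still wait; 0.0 means it may try now."""
        q = self._recent(key)
        excess = len(q) - self.max_failures
        if excess < 0:
            return 0.0
        # Each failure beyond the threshold doubles the lockout, up to the cap.
        lockout = min(self.base_lockout * (2 ** excess), self.max_lockout)
        return max(0.0, q[-1] + lockout - self.clock())

    def record_failure(self, key):
        self._recent(key).append(self.clock())

    def record_success(self, key):
        self._failures.pop(key, None)


def login(tracker, verify, username, password):
    """Simulated login view. `verify(username, password)` is the credential
    check (assumed here; in Django it would wrap authenticate()).
    Returns (success, message)."""
    wait = tracker.retry_after(username)
    if wait > 0:
        # Rejected without touching the credentials and without sleeping.
        return (False, "Access denied: Too many login attempts. "
                       "Try again in %d seconds." % math.ceil(wait))
    if verify(username, password):
        tracker.record_success(username)
        return (True, "Welcome")
    tracker.record_failure(username)
    return (False, "Invalid user name or password")


if __name__ == "__main__":
    # Constructed credential check for the demo; never store plain passwords.
    verify = lambda u, p: (u, p) == ("alice", "correct horse")
    tracker = LoginAttemptTracker(max_failures=3, base_lockout=10.0)
    for attempt in ["wrong", "wrong", "wrong", "correct horse"]:
        print(login(tracker, verify, "alice", attempt))
```

Because the lockout is computed from stored timestamps, the same tracker state can live in a database table or cache and be consulted by any worker, which also removes the per-thread behaviour differences between the dev server, Apache and an asynchronous frontend discussed earlier in the thread.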