Hi,

    After running this plugin, I found that the response delay upon failed login attempts is fine against small attacks but if there is a full blown brute-force attack going on, the web server runs out of available PHP processes very quickly. It starts responding with “Bad Gateway” or “Service Unavailable” messages depending on server setup.

    I am guessing in a large scale attack all processes are hogged for about 25 to 60 seconds (at least with the default plugin settings) by the delayed response. As soon as the max number of PHP processes has been reached, ALL subsequent requests get denied. And this included normal page requests!

    So effectively, this plugin turns a brute-force attack into a denial of service attack 😉

    Kidding aside, I’d like to propose that the second tier uses a different method: return a simple 503 or 403 response instead of an increased response delay.

    In the meantime I’m forced to switch back to Limit Login Attempts because I cannot afford a plugin bringing my sites down, even as a measure of protection 🙁

    https://ww.wp.xz.cn/plugins/login-security-solution/

Viewing 5 replies - 1 through 5 (of 5 total)
    Plugin Author Daniel Convissor

    (@convissor)

    Yeah. I know this is a problem. I’m contemplating ways to fix it.

    Hi Daniel, that’s good news.

    My proposal would be

    … that the second tier uses a different method: return a simple 503 or 403 response instead of an increased response delay.

    I’ve decided to try out the Limit Attempts plugin and it seems like an effective solution for the moment. But I’m keen to see what you come up with for a new version of LSS.

    Plugin Author Daniel Convissor

    (@convissor)

    Oh, I forgot to mention. If you set the “Match Time” setting to 0 “disables Login Failure slow downs, notifications and breach confirmations.”

    Plugin Author Daniel Convissor

    (@convissor)

    Release 0.47.0 includes code that stops the delays after the “DoS Tier” setting is reached. Default value, 500.
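    The capacity problem described in the opening post, and the effect of the three tactics discussed in this thread (sleep-based delay, immediate 503/403, and delay that switches off once a failure count reaches a "DoS Tier"), can be checked with a small worker-pool model. The following is an added example written for this thread, not code from the Login Security Solution plugin; the worker count, arrival rates, the 25 s delay and the tier value of 20 are constructed assumptions, and a request arriving while every worker is busy is counted as rejected, which stands in for the Bad Gateway / Service Unavailable the proxy returns once PHP-FPM has no free process.

```python
"""Worker-pool model of login-failure handling tactics (added example, not plugin code)."""
import heapq
from collections import defaultdict

WORKERS = 10          # assumed number of PHP processes (constructed value)
DELAY_SECONDS = 25.0  # assumed first-tier sleep applied to a failed login (constructed)


def simulate(workers, requests, service_time):
    """Run a list of (arrival_time, kind) through a fixed pool of workers.

    service_time(kind) returns how long a worker is held by a request.
    A request that arrives when all workers are busy is rejected, modelling
    the 502/503 the proxy returns when PHP-FPM has no free process.
    Returns {kind: (served, rejected)}.
    """
    busy = []  # min-heap of times at which busy workers become free again
    stats = defaultdict(lambda: [0, 0])
    for arrival, kind in sorted(requests):
        while busy and busy[0] <= arrival:  # release workers that finished
            heapq.heappop(busy)
        if len(busy) >= workers:
            stats[kind][1] += 1
            continue
        heapq.heappush(busy, arrival + service_time(kind))
        stats[kind][0] += 1
    return {kind: tuple(counts) for kind, counts in stats.items()}


def build_load(duration, attack_rate, visitor_rate):
    """Constructed, evenly spaced traffic: brute-force login failures plus
    ordinary page views from legitimate visitors."""
    requests = [(i / attack_rate, "login_fail") for i in range(int(duration * attack_rate))]
    requests += [(i / visitor_rate + 0.1, "page") for i in range(int(duration * visitor_rate))]
    return requests


def delay_tactic(kind):
    """Original behaviour: hold the worker for the whole delay on a failed login."""
    return DELAY_SECONDS if kind == "login_fail" else 0.1


def fast_reject_tactic(kind):
    """Proposed behaviour: answer a failed login with a quick 503/403 instead."""
    return 0.05 if kind == "login_fail" else 0.1


def make_dos_tier_tactic(tier, delay=DELAY_SECONDS):
    """0.47.0-style behaviour: delay the first `tier` failures, then stop delaying.
    The counter only advances for failures that actually reach PHP."""
    seen = {"fails": 0}

    def cost(kind):
        if kind != "login_fail":
            return 0.1
        seen["fails"] += 1
        return delay if seen["fails"] <= tier else 0.05

    return cost


def run_scenario(tactic, workers=WORKERS, duration=120, attack_rate=2.0, visitor_rate=1.0):
    """120 s of 2 failed logins/s against 1 legitimate page view/s (constructed)."""
    return simulate(workers, build_load(duration, attack_rate, visitor_rate), tactic)


if __name__ == "__main__":
    for name, tactic in [("sleep delay", delay_tactic),
                         ("fast 503", fast_reject_tactic),
                         ("DoS tier = 20", make_dos_tier_tactic(20))]:
        result = run_scenario(tactic)
        print(f"{name:14} login_fail served/rejected={result['login_fail']} "
              f"page served/rejected={result['page']}")
```

    With the sleep tactic, ten delayed failures are enough to pin every worker, after which almost every legitimate page view is rejected for the rest of the run; the quick-reject tactic never exhausts the pool at this load, and the tier cut-off recovers the site once the counter is reached.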


The topic ‘Response delay tactic depletes PHP processes’ is closed to new replies.