
Flood control & website security?


brewzer_bob


Ok, first, I'm new on here. I've searched many different topics and have not really found what I'm looking for, so I'm gonna ask.

We have been tasked to remove "client certs" on our website, and in doing so we have also been tasked to prevent flood control (i.e. password attempts within a time period)... Sort of like only allowing a person to post one message on a bulletin board within a certain time period etc.

So we have come up with a pretty complicated algorithm that is IP based with, say, a "threshold" and different events (one might be a valid Client ID and 5 invalid passwords) that will, say, lock the IP for a certain amount of time... At a high level this seems pretty easy and straightforward, but as we delve deeper into the "what ifs" it becomes very complicated. Say for example we have a client base that all uses the same outgoing IP address, and as typical users they come in at 8 am (say there's 50 or so), and say 5 of them type an invalid password by, say, 8:05; then it might be that we block the entire client base from logging in. One solution we have thought of is having, say, a list (table) of known good IP addresses that have a more relaxed "threshold".

Anyway, I know this can be a lengthy topic, but I was wondering if there was anything anyone knew about that already exists for this type of behavior. I don't think a 3rd party tool is feasible, as the tech lead feels this is a trivial task. Maybe it is, but it just seems to me that 3-6 tables with flexible thresholds, locking IPs, holding states etc. is overkill. Any suggestions would be helpful. Thanks.


I'm a ColdFusion programmer, so I am not sure the way I am able to handle things is applicable to other programming languages. But for flood control, I can base triggers off of session IDs (unique temporary IDs established when a visitor connects to the website, which only last as long as they are there). Since I use a consistent naming convention for my pages and have them organized a certain way, I know that the only pages that "do" anything are my xxxxxx-action.cfm pages, where xxxxxx is the prefix that denotes the application: myaccount-action.cfm or search-action.cfm (for instance). On these action pages I am able to literally stop the execution of the script based on the combination of looking at the session ID and the last time I timestamped the session.lastaction variable. So a little function I call at the top of every action page basically looks up the session ID, takes the current timestamp, subtracts the threshold I've determined, and then compares that to the session.lastaction variable. If the variable is less than the calculated number, then I allow the rest of the action page to be processed, and if not, then I abort the process and redirect to a flood message. Of course, this technique allows me to incorporate a default (not logged in) threshold as well as a dynamic threshold based on the user ID or user group once logged in (overriding the default threshold value). Again, with ColdFusion, my global application files (the one that runs before everything else and the one that runs after everything else) have sniffers that determine if the filename being processed contains "-action.cfm", so I can perform the checks based on that condition, centralizing the maintenance of this feature.

Does this make any sense?

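The session-based throttle described in that reply, written out as an added Python example (it is not the poster's ColdFusion code); the threshold values, group names and the forget_session helper are constructed for illustration:

```python
import time

# Minimum seconds between accepted "action" requests per session. The default
# applies to visitors who are not logged in; logged-in groups override it.
# All values are constructed for this example.
DEFAULT_THRESHOLD = 5.0
GROUP_THRESHOLDS = {"admin": 1.0, "member": 3.0}

# session_id -> timestamp of the last accepted action (the reply's
# session.lastaction variable, kept server-side here)
_last_action = {}

def allow_action(session_id, group=None, now=None):
    """Return True and record the action if at least the group's threshold
    (in seconds) has passed since this session's last accepted action;
    otherwise return False so the caller can abort and redirect to the
    flood message."""
    now = time.time() if now is None else now
    threshold = GROUP_THRESHOLDS.get(group, DEFAULT_THRESHOLD)
    last = _last_action.get(session_id)
    if last is not None and now - last < threshold:
        return False          # too soon: leave the timestamp where it was
    _last_action[session_id] = now
    return True

def forget_session(session_id):
    """Drop the session's entry when it ends, so the table does not grow."""
    _last_action.pop(session_id, None)
```

Keyed on the session ID alone, this stops double-submits and rapid re-posting within one session; a client that discards its cookie starts with a fresh session, so it is a throttle rather than a lockout.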

Yes, this makes sense. I currently validate the session GUID on load of every page as well; however, the bigger issue is that we have a variable number of "trigger events" that may have different thresholds. One event might be an invalid password, another might be a valid user ID and password but an invalid client ID... Once they're logged in correctly I can assume all is well and clear the "Blocked" table... Maybe I'm still in design mode at this point. I'm starting to think, after much research, Google etc., that I'm stuck with some sort of nasty algorithm to resolve each type of "event"... Now I'll have to determine how to clear my tables, as they will grow and grow and grow... However, thanks for the response; maybe someone might know another way to tackle this.


Correct me, but it seems that your chief concern is just the initial login. So if every login form you have posts to the same authentication page/process, then you should be able to figure something out there without too much effort.

Piecing through what you have outlined, I am thinking that it's just a matter of setting a series of variables as defaults; then, as each variable condition is passed or failed, you'd increment a corresponding session variable. At the top of the page, your conditions for handling these thresholds would be checked first, catching anyone that was maxed out.

So, let's say you have these thresholds:

a.) uname and pword not match = 3 tolerance
b.) uname and pword ok, but client id not match = 2 tolerance
c.) uname, pword, cID ok but wrong IP = 1 tolerance

Let's say you have a log-authentication page that performs the task of logging someone in. At the top of the page, set a default session variable for each tolerance (I'm gonna talk ColdFusion here as an example):

<!--- thresholds match tolerances a, b and c above; a default of 0 would trip the check before any failure --->
<cfparam name="session.up_threshold" default="3">
<cfparam name="session.cid_threshold" default="2">
<cfparam name="session.ip_threshold" default="1">
<!--- running counts of bad matches, starting at zero --->
<cfparam name="session.up_badmatch" default="0">
<cfparam name="session.cid_badmatch" default="0">
<cfparam name="session.ip_badmatch" default="0">

(in ColdFusion, cfparam sets the value of a variable if it doesn't already exist). Then you do your query and determine which scenario has occurred. If you find that it's a bad client ID:

<cfset session.cid_badmatch=session.cid_badmatch+1>

and then redirect to the login page explaining what went wrong. If the next attempt was a bad password, then you do the same for that variable:

<cfset session.up_badmatch=session.up_badmatch+1>

Then build conditions to catch the times when the bad matches reach the thresholds:

<!--- GTE rather than EQ, so a count that runs past the threshold still locks; cfabort stops the login from proceeding --->
<cfif session.up_badmatch GTE session.up_threshold>
    You've entered your uname and pword incorrectly too many times . . .
    <cfabort>
</cfif>
<cfif session.cid_badmatch GTE session.cid_threshold>
    Your client ID doesn't match the uname and pword submitted . . .
    <cfabort>
</cfif>
<cfif session.ip_badmatch GTE session.ip_threshold>
    You do not have authority to access this account from that PC . . .
    <cfabort>
</cfif>

(all these at the top of the page). I'm, of course, hoping this makes some sense or maybe is of some help. In any respect, good luck with your application. Let me know if you need anything else or want to run some logic by me.

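An added Python example (not the reply's ColdFusion code) that applies the per-event tolerances above but keys the counters on the (IP, username) pair, with a separate and much looser limit for the bare IP, so the shared-office-address case from the original question does not lock everyone out. The state is server-side rather than in session variables, so dropping a cookie does not reset a count, and every call prunes expired entries so the tables do not grow without bound; the window, lockout and multiplier values are constructed.

```python
import time
from collections import defaultdict, deque

# Per-event tolerances from the reply above; WINDOW, LOCKOUT and
# IP_MULTIPLIER are constructed values for this example.
THRESHOLDS = {"bad_password": 3, "bad_client_id": 2, "bad_ip": 1}
WINDOW = 15 * 60       # seconds a failure keeps counting toward a lockout
LOCKOUT = 15 * 60      # seconds a locked key stays locked
IP_MULTIPLIER = 10     # a bare IP (shared office NAT) tolerates this many times more

# key -> deque of (timestamp, event); key -> lockout expiry. Both are pruned
# on every call, so the tables do not grow without bound.
_failures = defaultdict(deque)
_locked = {}

def _prune(key, now):
    q = _failures[key]
    while q and now - q[0][0] > WINDOW:
        q.popleft()
    if not q:
        _failures.pop(key, None)
    if key in _locked and _locked[key] <= now:
        del _locked[key]

def is_locked(ip, username, now=None):
    now = time.time() if now is None else now
    keys = ((ip, username), (ip,))
    for key in keys:
        _prune(key, now)
    return any(key in _locked for key in keys)

def record_failure(event, ip, username, now=None):
    """Count one failed attempt of type `event`. The (ip, username) pair
    locks at the event's threshold; the bare IP locks only at IP_MULTIPLIER
    times that. Returns True if either key is now locked."""
    now = time.time() if now is None else now
    limit = THRESHOLDS[event]
    for key, factor in (((ip, username), 1), ((ip,), IP_MULTIPLIER)):
        _prune(key, now)
        _failures[key].append((now, event))
        if sum(1 for _, e in _failures[key] if e == event) >= limit * factor:
            _locked[key] = now + LOCKOUT
    return is_locked(ip, username, now)

def record_success(ip, username):
    """A correct login clears that account's counters, as the thread proposes."""
    _failures.pop((ip, username), None)
    _locked.pop((ip, username), None)
```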
