How to stop too many requests in web applications?

Question

I am looking for alternative security cautions for Apache web server. I generally work with PHP and MySQL.

For processes like user login, I keep IP address, try count, and last try time in database, so if someone tries more than x times in last n minutes or seconds, I simply block IP address.

When there are a lot of different processes like user login, keeping IP addresses in database does not sound right (because of decreasing performance and a lot to do). I know if you want security, you need to sacrifice some performance but is there a better way to stop users making too many requests? Maybe a module to Apache? Or a lower level caution to server? I am especially trying to avoid unnecessary database work.

I considered using CAPTCHA but using it for every form kills user experience. And using it after x request in n minutes still requires first technique i mentioned.

A cache system might help but i can't see how it prevents a brute force attack or filling up database with garbage. AFAIK it only helps to reading from database (please correct me if i am wrong).

Nir Levy · Accepted Answer

Other than @ranty's comment above (which is suitable unless you really have a lot of users at the same time), you could use a memory cache system such as memcached. It have a nice php interface and is very easy to use.

Dump every login attempt to memcache (using ip address as key and trycount as value, cleared by timespan). It's fast and should not cost too much in performance or development effort.

Pseudo code for this would look like this:

$memcache_obj = memcache_connect('memcache_host', 11211);
$ip = $_SERVER('REMOTE_ADDR');
$trycount = memcache_get($memcache_obj, $ip);
if ( $trycount == null ) $trycount=0;
if ( $trycount > 3 ) die('bad user');
memcache_set($memcache_obj, $ip, $trycount++ , 0, 30);

How to stop too many requests in web applications?

Answers (2)

Related Questions