Can someone give me some guidance on this?
I am implementing a system where if a user fails the login, I am doing
a thread.sleep(ra ndom number).
If I returned the page right away, you could write a script to try many
username/password combos per second. Using this, it will slow down the
person by making them wait at least a few seconds for a bad
username/password.
I am also implementing some other features like a CAPTCHA image and
other stuff I won't bother listing. But what I am wondering is what
impact this will have on the performance of my application.
For the X seconds that the thread is sleeping, it won't be able to
process incoming requests. Is there a chance that other requests will
have been queued up for this thread and will basically be blocked by
the sleep command?
4  3238 
Yes, this could cause blocking problems (since there are a limited number of
threads) so I wouldn't recommend it.
It also wouldn't achieve your goal since incoming requests are processed by
different threads.
I'd suggest a more conventional approach such as locking the account
(temporarily?) if too many invalid login attempts are made.
--
I hope this helps,
Steve C. Orr, MCSD, MVP http://SteveOrr.net
"cmay" <cm**@walshgrou p.com> wrote in message
news:11******** **************@ z14g2000cwz.goo glegroups.com.. . Can someone give me some guidance on this?
I am implementing a system where if a user fails the login, I am doing
a thread.sleep(ra ndom number).
If I returned the page right away, you could write a script to try many
username/password combos per second. Using this, it will slow down the
person by making them wait at least a few seconds for a bad
username/password.
I am also implementing some other features like a CAPTCHA image and
other stuff I won't bother listing. But what I am wondering is what
impact this will have on the performance of my application.
For the X seconds that the thread is sleeping, it won't be able to
process incoming requests. Is there a chance that other requests will
have been queued up for this thread and will basically be blocked by
the sleep command?
Steve,
So I guess if the hacker was spawing a bunch of threads you are right,
that it would be the same if they have 1 process hitting the login page
10 times / second, or 100 threads hitting the page 1 / 10 seconds, it
would still be 10 hits / second on avg.
Thanks for the advice!
It will likely cause threading problems for you, the worker process only has
so many threads to use at any time and your effectively locking them up.
try instead ending the session and adding the IP to a list of locked IP's .
In session start check if the IP of the requester is in the list and if it
is then reject the request. You could try sending a response.redire ct to
the browser on a failed attempt to delay the requester even further.
--
Regards
John Timney
ASP.NET MVP
Microsoft Regional Director
"cmay" <cm**@walshgrou p.com> wrote in message
news:11******** **************@ z14g2000cwz.goo glegroups.com.. . Can someone give me some guidance on this?
I am implementing a system where if a user fails the login, I am doing
a thread.sleep(ra ndom number).
If I returned the page right away, you could write a script to try many
username/password combos per second. Using this, it will slow down the
person by making them wait at least a few seconds for a bad
username/password.
I am also implementing some other features like a CAPTCHA image and
other stuff I won't bother listing. But what I am wondering is what
impact this will have on the performance of my application.
For the X seconds that the thread is sleeping, it won't be able to
process incoming requests. Is there a chance that other requests will
have been queued up for this thread and will basically be blocked by
the sleep command?
> So I guess if the hacker was spawing a bunch of threads you are right, that it would be the same if they have 1 process hitting the login page
10 times / second, or 100 threads hitting the page 1 / 10 seconds, it
would still be 10 hits / second on avg.
Here's an example your application could emulate, from the Windows NT / 2000
/ XP / 2003 Group Policy Editor:
# of invalid logon attempts before disabling the user account: 3
So I, as the malicious user, try this:
Username: MLabosh
Password: 123
[fails on invalid password]
Username: MLabosh
Password: 456
[fails on invalid password]
Username: MLabosh
Password: 789
[fails on invalid password]
[account locked out]
Username: MLabosh
Password: WXJ45_*b; [correct password]
[Access denied: Too many invalid logon attempts]
--
Peace & happy computing,
Mike Labosh, MCSD
"Mr. McKittrick, after very careful consideration, I have
come to the conclusion that this new system SUCKS."
-- General Barringer, "War Games"
"cmay" <cm**@walshgrou p.com> wrote in message
news:11******** **************@ g47g2000cwa.goo glegroups.com.. . Steve,
Thanks for the advice! This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: COMfused |
last post by:
I have a thread that has a delegate function which will be called when
another process exits. This thread went to sleep, the process exits and is
supposed to call the delegate, but it did not happen. When the thread wake
up, the function is not called either.
The question is, will a thread ignore all the callback when it is sleeping?
|
by: Alvin Bruney |
last post by:
I'm observing that a sleeping thread changes to stopped after a while. Is
that accepted framework behavior for web applications?
My thread basically does some work, and sleeps for 60 minutes before calling
itself recursively, which means it is supposed to run on the hour every
hour. But it automatically stops after 2 hours. I only get 2 emails, 1 per
hour and then nothing. When I examine the threadstate during run-time, it
has changed...
|
by: Muscha |
last post by:
Hello,
I have a thread that in the middle of the execution I did Thread.Sleep().
How do I tell this thread to abort it sleep and continues? Is there a way?
thanks,
/m
|
by: Cider123 |
last post by:
I ran into a situation where my Window Service had to process 100,000+
files, when I first noticed I needed to tweak various routines.
Everything runs fine, but here's what I ran into:
In the routine that loops through the file buffer:
for (int i=0;i < _Buffer.length; i++)
{
// Code here
|
by: scorpion53061 |
last post by:
I have MS Word operating in a thread other than the main writing a report.
Can I tell the main thread to wait until a particular point (a sub starts)
in another thread before continuing on?
| | |
by: Scott M. Lyon |
last post by:
I've got an application that, in the main form, Starts up a thread. That
thread consists of an endless loop (a WHILE TRUE loop), at the end of each
iteration is a Sleep() command, so it will sleep for 5 seconds between each
run.
I need this thread to poll for some database changes, and update data on the
form when it does.
|
by: Benny Raymond |
last post by:
I have a thread that sleeps for 5 minutes once it's finished running a
method and then it repeats itself if it's supposed to (bool = true).
Prior to 2.0 I was able to resume the thread after marking the bool to
false which would cause the thread to finish what it was doing and
complete, or to wake up for it's sleep state and not loop back into
itself anymore.
How do we tell a thread to stop sleeping now that Thread.Resume is obsolete?
|
by: Mark |
last post by:
We are building a public web application that calls a web service on an
internal box. The web service runs for 5-10 minutes, does some heavy
processing, and writes to a database when it is complete. The current design
calls for having the web application's thread sleep for 10 seconds, then
check the database to see if the web service is complete. If the database
claims the web service has completed, it then displays the results from the...
|
by: Buckaroo Banzai |
last post by:
Hello, newbie here...
I'm writing this program but when I click the start button which should initiate either the Hare or the Tortoise, it does not, this is the first time I use threads, so the problem might be the way I'm passing the value.
can someone please take a look at this code and maybe give me some guidance on what I'm doing wrong.
Please note there are 3 separate files with the corresponding classes, I separated it with ===>...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| | |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
