Question

I have a finishing touch for my login form and want to set a 2-second timer in between invalid logins.

I had two different ideas. One would be to set a cookie that expires in X amount of seconds, then on login check if there is a cookie set.

I am not sure, however, whether a user can refuse to let a website set a cookie? So this could be gotten around.

The second idea is a new DB table with the fields 'IP' and the time of the invalid login.

On invalid login, a field would be created with the user's IP and the time. Upon logging in I would check this table for a matching IP, and if the login time is less than X amount of seconds ago, it is refused.

But this could also be gotten around using IP proxies etc.?

The aim of doing this would be to prevent DDOS brute force attacks, and I'm guessing someone trying to do this would be quite aware of how to fake an IP / disallow cookies.

What is the best way for this?


Solution

DDOS has nothing to do with it. DDOS = Distributed Denial of Service; it means someone will trigger a lot of computers to ask for a service on your website and your server won't be able to handle the load. This will prevent your server from giving a service to "honest" users, and that's why it's called "denial of service".

Preventing DDOS attacks can be tricky. The only way of handling it is not providing a service to certain IPs, or to users with IPs from the areas you're being attacked from.

If you want to protect your site from a brute force attack (assuming someone wants to hack into a user account) you should:

  1. Use a good and well-secured logging system. That means using a good hashing function and salting the users' passwords.
  2. Use your second option: record the IP of a user who failed to access his account and don't let him try for 2-3 seconds. If he fails 2-3 more times, block him for 15 minutes; this will be enough time to protect your users' accounts.

OTHER TIPS

Cookies can be disabled in the browser. All modern browsers support such a feature. When security is a concern, never rely on the client.

A really simple approach is delaying the announcement of success/failure of the login: just call sleep. This is, however, not safe, as many attempts to log in can be made in parallel. A single-threaded attack is slowed down, though.

When storing info about the last attempts to log in, you should consider what info is really good for blocking a brute-force attack on your login system.

  • When forcing a timeout between login attempts on a username, the attacker could try the same password for all logins, and by the time he wants to try another password, the login delay for the first username has already expired.
  • Forcing a login delay for an IP address is a better approach, as IP addresses are a rather limited resource for an attacker. When performing a distributed attack, the delay is not forced between all attempts; it is forced between all attempts from the same IP address.

Combining several methods is a good idea anyway, as is logging all attempts to log in.
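The following is an added example, not code from the question or from either answer. It implements the policy the accepted answer describes (a short delay after each failed login, escalating to a 15-minute block once failures pile up) together with the second answer's point that the delay should be keyed on the client IP as well as on the username, so that spraying one password across many accounts from one address is still held to the per-IP delay. The dicts stand in for the database table the question proposes, the clock is injectable so the escalation can be exercised without real sleeps, and the class names, thresholds and sample addresses are assumptions made for illustration.

```python
"""Server-side login throttle keyed by client IP and by username (added example).

Names, thresholds and sample addresses are assumptions; the in-memory dicts stand in
for the database table the question proposes.
"""
import time
from typing import Callable, Dict, Tuple


class _Record:
    __slots__ = ("failures", "blocked_until")

    def __init__(self) -> None:
        self.failures = 0          # consecutive failures under this key
        self.blocked_until = 0.0   # clock value until which attempts are refused


class LoginThrottle:
    def __init__(self, delay_seconds: float = 2.0, max_failures: int = 4,
                 block_seconds: float = 15 * 60,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.delay_seconds = delay_seconds   # pause after every failure
        self.max_failures = max_failures     # failures before the long block
        self.block_seconds = block_seconds   # length of the long block
        self.clock = clock
        self._by_ip: Dict[str, _Record] = {}
        self._by_user: Dict[str, _Record] = {}

    def _keys(self, ip: str, username: str):
        return ((self._by_ip, ip), (self._by_user, username.lower()))

    def retry_after(self, ip: str, username: str) -> float:
        """Seconds until an attempt for (ip, username) is accepted; 0.0 means now.

        Both keys are consulted: cycling usernames from one IP still hits the
        per-IP delay, cycling IPs against one account still hits the per-user delay.
        """
        now = self.clock()
        wait = 0.0
        for table, key in self._keys(ip, username):
            rec = table.get(key)
            if rec is not None:
                wait = max(wait, rec.blocked_until - now)
        return wait

    def record_failure(self, ip: str, username: str) -> None:
        """Bump both counters; the penalty escalates once max_failures is reached."""
        now = self.clock()
        for table, key in self._keys(ip, username):
            rec = table.setdefault(key, _Record())
            rec.failures += 1
            long_block = rec.failures >= self.max_failures
            penalty = self.block_seconds if long_block else self.delay_seconds
            rec.blocked_until = max(rec.blocked_until, now + penalty)

    def record_success(self, ip: str, username: str) -> None:
        # A correct password clears the account counter only; the IP counter is kept
        # so a source that sprays many accounts is not reset by finally guessing one.
        self._by_user.pop(username.lower(), None)


def attempt_login(throttle: LoginThrottle, ip: str, username: str, password: str,
                  verify: Callable[[str, str], bool]) -> Tuple[bool, float]:
    """Gate the credential check behind the throttle; returns (ok, retry_after).

    The gate is a table lookup rather than a sleep, so parallel requests cannot
    race past it the way they can past a fixed delay in the response.
    """
    wait = throttle.retry_after(ip, username)
    if wait > 0:
        return False, wait            # refused before touching the password store
    if verify(username, password):
        throttle.record_success(ip, username)
        return True, 0.0
    throttle.record_failure(ip, username)
    return False, throttle.retry_after(ip, username)


class FakeClock:
    """Deterministic clock for the demo and tests."""
    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Dict[str, float]:
    """Walk through the password-spray scenario with constructed data."""
    clock = FakeClock()
    th = LoginThrottle(clock=clock)

    def verify(user: str, pw: str) -> bool:     # constructed single-user store
        return (user, pw) == ("alice", "correct horse")

    out: Dict[str, float] = {}
    out["wrong_pw"] = attempt_login(th, "10.0.0.1", "alice", "hunter2", verify)[1]
    out["spray_bob_same_ip"] = th.retry_after("10.0.0.1", "bob")    # per-IP key
    out["alice_new_ip"] = th.retry_after("10.0.0.2", "alice")       # per-user key
    out["bob_new_ip"] = th.retry_after("10.0.0.2", "bob")           # untouched
    clock.advance(2.0)
    out["after_delay"] = th.retry_after("10.0.0.1", "alice")
    for _ in range(3):                   # wait out each short delay, then fail again
        clock.advance(2.0)
        attempt_login(th, "10.0.0.1", "alice", "hunter2", verify)
    out["after_four_failures"] = th.retry_after("10.0.0.1", "alice")
    return out
```

Two caveats a practitioner should weigh before copying this. Because the per-username arm escalates to the long block as well, anyone who can submit wrong passwords for a victim's account can lock that user out for 15 minutes; if that matters, keep only the short delay on the username key and let the IP key carry the long block. And the IP key is only as good as the address you read: behind a NAT or a shared proxy many legitimate users present one IP, and an `X-Forwarded-For` header must only be trusted from a proxy you control. In a real deployment the records would live in the database with an expiry column and a periodic cleanup rather than in process memory.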

See also

Here's some info on DDOS in a PHP environment that might be helpful:

How to enable DDoS protection?

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow