All geek questions in one place

How to delay password verification check in ASP.NET MVC application?

I want all attempts to enter my web application to take at least 1 second to make brute force attack less feasible. If I just add something like this to my code:

Thread.Sleep(1000)

I expect that I became susceptible to a very simple DDos attack: just run a few dozen requests to enter the site, and the thread pool will starve. (I don't think Thread.Sleep returns a thread to a thread pool, right?)

What is the correct way to implement this function?

+6
source share
2 answers

What you could do instead of a sleeping thread (you're right to worry about hunger) is to have a sliding window based on failed login attempts for a given username. You can store this in a cache in memory and ignore login attempts for this username if the sliding window has not passed yet.

There is a decent blog post about a possible implementation of this here:

Brute Force Protect Your Website

+5
source

If you want to make brute force attacks less feasible, why don't you implement a lock (force password reset) after (say) 3 incorrect attempts to log into one account without interfering with the correct login?

If you need DDOS protection, I would deal with this separately - quite possibly, with something before the traffic starts from your web server. It really depends on whether you will

I don't know if there is an easy way to delay a response asynchronously in ASP.NET at the moment. I expect that with async included in C # 5 and .NET 5, you can return a Task<ActionResult> , after which you can write something like:

 await Task.Delay(1000);
+3
source

Source: https://habr.com/ru/post/893928/

More articles:


All Articles