Simple brute force protection with APC

by Arnold Daniels on 10/13/2007

If you have a system where users can subscribe and choose there own passwords, you are probably a target for brute force attacks like a dictionary attack. You can limit this problem by showing user how strong their password is. However forcing users to enter a really strong password will annoy them, since they like something they can remember.

Another way wall you can put up is blocking an IP address for a few minutes upon a number of login failures. This is not a waterproof protection, but the hacker now requires a botnet to perform the brute force attack. To rent a botnet is quite expensive and to create one is quite difficult, so your average script kiddie doesn’t have one of those. So based on the data you’re protecting this should be a decent defense.

Setting up this defense isn’t difficult. I’ll show an example how to do this with APC.

<?php
  $apc_key = "{$_SERVER['SERVER_NAME']}~login:{$_SERVER['REMOTE_ADDR']}";
  $tries = (int)apc_fetch($apc_key);
  if ($tries >= 10) throw new Exception("You've exceeded the number of login attempts. We've blocked IP address {$_SERVER['REMOTE_ADDR']} for a few minutes.");
 
  $success = login($_POST['username'], $_POST['password']);
  if (!$success) apc_store($apc_key, $tries+1, 600);  # store tries for 10 minutes
   else apc_delete($apc_key);
?>

<?php
  $apc_key = "{$_SERVER['SERVER_NAME']}~login:{$_SERVER['REMOTE_ADDR']}";
  $tries = (int)apc_fetch($apc_key);
  if ($tries >= 10) throw new Exception("You've exceeded the number of login attempts. We've blocked IP address {$_SERVER['REMOTE_ADDR']} for a few minutes.");

  $success = login($_POST['username'], $_POST['password']);
  if (!$success) apc_store($apc_key, $tries+1, 600);  # store tries for 10 minutes
   else apc_delete($apc_key);
?>

Increasing the block time
Blocking an IP might effect a whole office which can be annoying. Starting with a low timeout and increasing it each time an IP is blocked will help against it.

<?php
  $apc_key = "{$_SERVER['SERVER_NAME']}~login:{$_SERVER['REMOTE_ADDR']}";
  $apc_blocked_key = "{$_SERVER['SERVER_NAME']}~login-blocked:{$_SERVER['REMOTE_ADDR']}";
 
  $tries = (int)apc_fetch($apc_key);
  if ($tries >= 10) throw new Exception("You've exceeded the number of login attempts. We've blocked IP address {$_SERVER['REMOTE_ADDR']} for a few minutes.");
 
  $success = login($_POST['username'], $_POST['password']);
  if (!$success) {
    $blocked = (int)apc_fetch($apc_blocked_key);
 
    apc_store($apc_key, $tries+1, pow(2, $blocked+1)*60);  # store tries for 2^(x+1) minutes: 2, 4, 8, 16, ...
    apc_store($apc_blocked_key, $blocked+1, 86400);  # store number of times blocked for 24 hours
  } else {
    apc_delete($apc_key);
    apc_delete($apc_blocked_key);
  }
?>

<?php
  $apc_key = "{$_SERVER['SERVER_NAME']}~login:{$_SERVER['REMOTE_ADDR']}";
  $apc_blocked_key = "{$_SERVER['SERVER_NAME']}~login-blocked:{$_SERVER['REMOTE_ADDR']}";

  $tries = (int)apc_fetch($apc_key);
  if ($tries >= 10) throw new Exception("You've exceeded the number of login attempts. We've blocked IP address {$_SERVER['REMOTE_ADDR']} for a few minutes.");

  $success = login($_POST['username'], $_POST['password']);
  if (!$success) {
    $blocked = (int)apc_fetch($apc_blocked_key);

    apc_store($apc_key, $tries+1, pow(2, $blocked+1)*60);  # store tries for 2^(x+1) minutes: 2, 4, 8, 16, ...
    apc_store($apc_blocked_key, $blocked+1, 86400);  # store number of times blocked for 24 hours
  } else {
    apc_delete($apc_key);
    apc_delete($apc_blocked_key);
  }
?>

Arnold Daniels

I've spend a big part of my life behind a computer, learning about databases (MySQL), programming (PHP) and system administration (Linux). Currently I playing with HTML5, jquery and node.js.

There are 14 comments in this article:

13 October 2007Arnold Daniels says:

My friend and ex-employer Dirk Bonenkamp, came with a slight improvement for this scheme. Blocking an IP might effect a whole office which can be annoying. Starting with a low timeout and increasing it each time an IP is blocked will help against it.

I’ve changed to article to include this solution.
Reply
13 October 2007Jorrit Schippers says:

Would it be an idea to clear the blocked count when a login has been successfull?
Reply
13 October 2007Arnold Daniels says:

Yes I have that in my own code, but I failed to put it in this sniplet.
Reply
14 October 2007Andrew Magruder says:

You’ll want to be careful with doing this thing just on IP basis, because once you get sufficient loading you’ll essentially perma-block AOL customers (as one example ISP) because they all pretty much show up as a very small set of IPs. More information here: http://webmaster.info.aol.com/proxyinfo.html

The net result is a moderate-to-high load implementation of this needs to support varying threshold levels on a per IP basis. Wikipedia has a good list of widely used ISP proxy IPs as well. They’ve managed to get most folks to set the XFF-Forwarded-For header but that’s still a bit dicey to rely on.

Another idea that I’ve seen used with some success is simply slowing down response times for IPs which have high failure rates, instead of outright blocking them. (You can cut their throughput by 3-4x without significant user experience issues.)

Andrew
Reply
22 December 2007xLight says:

oh, a good idea . use APC as a cache
Reply

Jasny · web development