
We are running a Spring MVC / Security 3.x web application with a protected area behind a login. In order to improve our security, we would like to add an increasing delay each time a malicious user or bot retries failing logins (against brute-forcing), as described by Jeff below the headline "Limiting the number.." or at OWASP.

Our application runs in Tomcat 7 with Servlet Spec v2.5 which means we do not have asynchronous servlets, and Thread.sleep() is a no-go anyway, because this would block the executing thread (like here) and quickly exhaust the thread pool for processing, effectively resulting in a DoS attack against our server. Others have been pointing this out already, so my question is:

  • How can I add an arbitrary delay to servlet processing without resorting to multithreading on the server side?

I would like to avoid setting up a custom thread pool for processing, since the servlet spec also states that passing the request / response objects to other threads is not thread-safe (chapter 2.3.3.3 in the Servlet spec linked above).

Thanks a lot for your help!

Axel Knauf
  • I don't think it's a good idea to add this into code. You can probably do it easier on the reverse proxy level. – Kayaman Apr 14 '16 at 07:40
  • @Kayaman Thanks for your comment. Unfortunately I do not have control over the infrastructure but will raise this as a question with our hoster. – Axel Knauf Apr 14 '16 at 07:44
  • You can do the _opposite_ - store a `Map`, where `Something` you will have to decide yourself; IP should be sufficient for most uses. Then, when a user tries to log in, if they are not present in the `Map` and fail to log in, enter them into the `Map` and set the number of failed attempts to `1`. Now, when they exceed a certain number of failed attempts in a time window, then fail all their logins until that window expires. This way, your server doesn't wait but you do prevent brute force. – Boris the Spider Apr 14 '16 at 07:44
  • This is definitely something that should be configured on the proxy side. They're meant for that and already have [the tools](https://www.knthost.com/nginx/brute-force-protection-nginx-proxy). – Kayaman Apr 14 '16 at 07:57
  • @Kayaman Thanks for the link, very useful! – Axel Knauf Apr 14 '16 at 08:12

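The counter-based approach from Boris the Spider's comment, as an added example that is not code from the question or its comments: failed logins are counted per client key (the remote IP) within a time window, and once the threshold is passed the client is refused outright with an escalating lockout, so no request thread ever sleeps. The class name, constructor parameters and thresholds are my own assumptions; in Spring Security 3.x you would call `recordFailure` from an `ApplicationListener<AuthenticationFailureBadCredentialsEvent>`, `recordSuccess` from one for `AuthenticationSuccessEvent`, and `isBlocked` from a filter placed ahead of the username/password filter.

```java
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

/** Per-client failed-login counter with a sliding window and an escalating lockout.
 *  Nothing here sleeps: a locked-out client is refused at once, so the request thread
 *  returns immediately. The key is typically the client's remote IP address. */
public final class LoginAttemptLimiter {
    private static final class Record {
        int failures;      // failures counted in the current window
        long windowStart;  // millis at which the current window began
        long lockedUntil;  // millis until which logins are refused (0 = not locked)
    }
    private final Map<String, Record> records = new HashMap<String, Record>();
    private final int maxFailures;        // failures tolerated before the first lockout
    private final long windowMillis;      // a client quiet this long is forgotten
    private final long baseLockoutMillis; // first lockout; doubles on each further failure

    public LoginAttemptLimiter(int maxFailures, long windowMillis, long baseLockoutMillis) {
        this.maxFailures = maxFailures;
        this.windowMillis = windowMillis;
        this.baseLockoutMillis = baseLockoutMillis;
    }
    /** Check this before verifying credentials; a locked-out client gets a plain refusal. */
    public synchronized boolean isBlocked(String key, long now) {
        Record r = records.get(key);
        return r != null && now < r.lockedUntil;
    }
    /** Record a failed login; returns the lockout imposed in millis (0 = none yet). */
    public synchronized long recordFailure(String key, long now) {
        Record r = records.get(key);
        if (r == null || (now >= r.lockedUntil && now - r.windowStart > windowMillis)) {
            r = new Record();
            r.windowStart = now;
            records.put(key, r);
        }
        if (++r.failures < maxFailures) return 0L;
        // Exponential back-off, capped at 2^10 * base so a long attack cannot overflow.
        long lockout = baseLockoutMillis << Math.min(r.failures - maxFailures, 10);
        r.lockedUntil = now + lockout;
        return lockout;
    }
    /** A successful login clears the client's history. */
    public synchronized void recordSuccess(String key) { records.remove(key); }
    /** Run from a scheduled task so the map cannot grow without bound under a spray. */
    public synchronized void purgeExpired(long now) {
        for (Iterator<Record> it = records.values().iterator(); it.hasNext();) {
            Record r = it.next();
            if (now >= r.lockedUntil && now - r.windowStart > windowMillis) it.remove();
        }
    }
}
```

Behind the hoster's reverse proxy `getRemoteAddr()` returns the proxy's address unless Tomcat's RemoteIpValve is configured to honour X-Forwarded-For, and keying on IP alone can lock out every user behind one NAT, so IP plus username is the safer key.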