
I have a Plone Site where anonymous users create a "Subscription" object for a conference.

Fact is: a malicious user can call this screen a lot of times and crash my site. I can use a captcha to avoid it, but I would like to use it only after "x" attempts of the same user, something like the SO approach when a user tries to post a lot. Is there a module that does this for me? Show a recaptcha after a user tries the same url too many times?

  • A DDoS (two D, the first one standing for *distributed*) attack specifically relies on not sending all the requests from one client but instead sending them from many different ones. Depending on the size of the bot network and your server's power, limiting the number of requests per user to K isn't enough. –  Jun 13 '11 at 17:57

2 Answers

For a start, content is not the solution to everything. In your case having a custom content type for handling subscriptions seems like overkill. Always ask yourself if what you are doing is really content-ish. Does it need to be contained, navigable, searchable, whatever else content can be? For a conference subscription, definitely not. In brief you could:

  1. Create a form and save its data in lighter objects than full content or use sql.
  2. Use Products.PloneFormGen, which also has captcha support.

Concerning the captcha if you go the manual way and create everything yourself, you could use cookies to "remember" visits. See How do you get and set cookies in Zope and Plone?

ggozad
  • But I need to persist this information. I need to use a Content Type in ZODB or a Relational Database for it, no? Which other "light" objects could I use? – Somebody still uses you MS-DOS Jun 14 '11 at 13:33
  • Yes you do need to persist but not with a full AT object! PloneFormGen has this built-in. If you go custom you can use a btrees or sql... You just don't need all the AT cruft with you. – ggozad Jun 14 '11 at 16:31
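One way to implement the "captcha only after x attempts" logic the question asks for, as an added example that is not code from the original post, from Plone, or from PloneFormGen: a per-client attempt counter over a sliding time window that escalates to a CAPTCHA requirement once the free attempts are used up. The in-memory dict stands in for whatever persistent store you choose (a BTree in the ZODB or an SQL table, as the answer suggests); `handle_subscription_post`, its `captcha_ok` argument and the visitor cookie handling are assumed interfaces, not Plone APIs. Counting is keyed on the remote address and on a random visitor cookie separately, because a cookie alone is no limiter at all (a client that discards cookies looks new on every request) while an address alone over-counts users sharing one NAT.

```python
"""Added example: escalate a subscription form to a CAPTCHA after N attempts.

Not code from the original post or from Plone/PloneFormGen. The dict used
for storage is a stand-in for a persistent BTree or SQL table; the request
handling at the bottom is a hypothetical interface.
"""
import hashlib
import secrets
import time
from collections import deque


class SubmissionThrottle:
    """Track form submissions per client and decide when a CAPTCHA is required."""

    def __init__(self, max_free_attempts=3, window_seconds=600, now=time.time):
        self.max_free_attempts = max_free_attempts
        self.window_seconds = window_seconds
        self._now = now  # injectable clock so the behaviour can be tested offline
        # hashed client key -> deque of attempt timestamps (stand-in for BTree/SQL)
        self._attempts = {}

    @staticmethod
    def _hash(label, value):
        # Keep raw addresses/cookies out of the store; the label separates namespaces.
        return hashlib.sha256(f"{label}:{value}".encode()).hexdigest()

    def client_keys(self, remote_addr, visitor_cookie):
        """Every key a request is counted under: address always, cookie if present."""
        keys = [self._hash("addr", remote_addr)]
        if visitor_cookie:
            keys.append(self._hash("cookie", visitor_cookie))
        return keys

    @staticmethod
    def new_visitor_cookie():
        """Opaque random token to set on first visit (never a counter the client could edit)."""
        return secrets.token_urlsafe(16)

    def _prune(self, key):
        # Drop timestamps that have fallen out of the sliding window.
        cutoff = self._now() - self.window_seconds
        q = self._attempts.setdefault(key, deque())
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def attempts_in_window(self, key):
        return len(self._prune(key))

    def record_attempt(self, remote_addr, visitor_cookie):
        """Record one submission under all of the client's keys."""
        for key in self.client_keys(remote_addr, visitor_cookie):
            self._prune(key).append(self._now())

    def captcha_required(self, remote_addr, visitor_cookie):
        """True once ANY of the client's keys has exceeded the free attempts."""
        return any(
            self.attempts_in_window(k) > self.max_free_attempts
            for k in self.client_keys(remote_addr, visitor_cookie)
        )


def handle_subscription_post(throttle, remote_addr, visitor_cookie, captcha_ok):
    """Hypothetical request handler: returns 'accepted', or 'captcha' when the
    client must (re)solve a CAPTCHA. `captcha_ok` is the result of whatever
    CAPTCHA widget validation you use (assumed interface)."""
    throttle.record_attempt(remote_addr, visitor_cookie)
    if throttle.captcha_required(remote_addr, visitor_cookie) and not captcha_ok:
        return "captcha"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample traffic: one client from 203.0.113.5 hammering the form.
    throttle = SubmissionThrottle(max_free_attempts=3, window_seconds=600)
    cookie = SubmissionThrottle.new_visitor_cookie()
    for i in range(5):
        print(i + 1, handle_subscription_post(throttle, "203.0.113.5", cookie, False))
```

Failed submissions are recorded too, so a client cannot reset its counter by simply not completing the form. As the comment on the question points out, this only slows down a single client; a distributed flood needs limits in front of Zope (reverse proxy or firewall) rather than in the application.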

It's obvious that your system is subject to manipulation in the form of mass registrations by every means, without further measures like a captcha or additional email validation after submission of the registration form. But this is independent of flow control, DDoS, etc.