How to delay / throttle login attempts in ASP.NET?

Question

I'm trying to do some very simple request throttling on my ASP.NET web project. Currently I'm not interested in globally throttling requests against DOS attacks, but would like to artificially delay the reponse to all login attempts, just to make dictionary attacks a bit harder to do (more or less like Jeff Atwood outlined here).

How would you implement it? The näive way of doing it would be - I suppose - to simply call

Thread.Sleep();

somewhere during the request. Suggestions? :)

Answer 1

I got the same idea as you on how to improve the security of a login screen (and password reset screens). I'm going to implement this for my project and I'll share my story with you.

Requirements

My requirements are in following points:

• Do not block individual users just because someone is trying to hack in
• My user names are very easy to guess because they follow a certain pattern (and I do not like security by obscurity)
• Do not waste server resources by sleeping on too many requests, the queue would overflow eventually and requests would start timing out
• Provide a swift service to most users 99% of the time
• Eliminate brute force attacks on the login screen
• Handle distributed attacks as well
• Needs to be reasonably thread-safe

Plan

So we shall have a list of failed attempts and their time stamp. Every time we have a login attempt, we'll check this list and the more there are failed attempts, the longer it will take to login. Each time we'll prune old entries by their time stamp. Beyond a certain threshold, no logins will be allowed and all login requests will be failed immediately (attack emergency shut-down).

We do not stop with the automatic protection. A notification should be sent to admins in case of the emergency shut-down so that the incident can be investigated and reparation measures can be taken. Our logs should hold a firm record of the failed attempts including the time, user name and source IP address for investigation.

The plan is to implement this as a statically declared queue, where failed attempts enqueue and old entries dequeue. the length of the queue is our indicator of severity. When I've got the code ready, I'll update the answer. I might include Keltex's suggestion too - releasing the response quickly and completing the login with another request.

Update: There is two things missing:

1. The redirect of the response to a wait page not to clog the request queue and that is a little biggie obviously. We need to give the user a token to check back later with another request. This could be another security hole so we need to be extremely cautious about handling this. Or just drop that Thread.Sleap(xxx) in the Action method :)
2. The IP, dooh, next time...

Let's see if we can get through that eventually...

What's done

ASP.NET page

ASP.NET UI Page should have minimum hassle, then we get an instance of a Gate like this:

static private LoginGate Gate = SecurityDelayManager.Instance.GetGate<LoginGate>();

And after login (or password reset) attempt, call:

SecurityDelayManager.Instance.Check(Gate, Gate.CreateLoginAttempt(success, UserName));

ASP.NET handling code

The LoginGate is implemented inside the AppCode of the ASP.NET project so it has access to all the front-end goodies. It implements the interface IGate which is used by the backend SecurityDelayManager instance. The Action method needs to be completed with wait redirection.

public class LoginGate : SecurityDelayManager.IGate
{
    #region Static
    static Guid myID = new Guid("81e19a1d-a8ec-4476-a187-3130361a9006");
    static TimeSpan myTF = TimeSpan.FromHours(24);
    #endregion

    #region Private Types
    class LoginAttempt : Attempt { }
    class PasswordResetAttempt : Attempt { }
    class PasswordResetRequestAttempt : Attempt { }
    abstract class Attempt : SecurityDelayManager.IAttempt
    {
        public bool Successful { get; set; }
        public DateTime Time { get; set; }
        public String UserName { get; set; }

        public string SerializeForAuditLog()
        {
            return ToString();
        }
        public override string ToString()
        {
            return String.Format("{2} Successful:{0} @{1}", Successful, Time, GetType().Name);
        }
    }
    #endregion

    #region Attempt creation utility methods
    public SecurityDelayManager.IAttempt CreateLoginAttempt(bool success, string userName)
    {
        return new LoginAttempt() { Successful = success, UserName = userName, Time = DateTime.Now };
    }
    public SecurityDelayManager.IAttempt CreatePasswordResetAttempt(bool success, string userName)
    {
        return new PasswordResetAttempt() { Successful = success, UserName = userName, Time = DateTime.Now };
    }
    public SecurityDelayManager.IAttempt CreatePasswordResetRequestAttempt(bool success, string userName)
    {
        return new PasswordResetRequestAttempt() { Successful = success, UserName = userName, Time = DateTime.Now };
    }
    #endregion


    #region Implementation of SecurityDelayManager.IGate
    public Guid AccountID { get { return myID; } }
    public bool ConsiderSuccessfulAttemptsToo { get { return false; } }
    public TimeSpan SecurityTimeFrame { get { return myTF; } }


    public SecurityDelayManager.ActionResult Action(SecurityDelayManager.IAttempt attempt, int attemptsCount)
    {
        var delaySecs = Math.Pow(2, attemptsCount / 5);

        if (delaySecs > 30)
        {
            return SecurityDelayManager.ActionResult.Emergency;
        }
        else if (delaySecs < 3)
        {
            return SecurityDelayManager.ActionResult.NotDelayed;
        }
        else
        {
            // TODO: Implement the security delay logic
            return SecurityDelayManager.ActionResult.Delayed;
        }
    }
    #endregion

}

Backend somewhat thread-safe management

So this class (in my core lib) will handle the multi-threaded counting of attempts:

/// <summary>
/// Helps to count attempts and take action with some thread safety
/// </summary>
public sealed class SecurityDelayManager
{
    ILog log = LogManager.GetLogger(typeof(SecurityDelayManager).FullName + ".Log");
    ILog audit = LogManager.GetLogger(typeof(SecurityDelayManager).FullName + ".Audit");

    #region static
    static SecurityDelayManager me = new SecurityDelayManager();
    static Type igateType = typeof(IGate);
    public static SecurityDelayManager Instance { get { return me; } }
    #endregion

    #region Types
    public interface IAttempt
    {
        /// <summary>
        /// Is this a successful attempt?
        /// </summary>
        bool Successful { get; }

        /// <summary>
        /// When did this happen
        /// </summary>
        DateTime Time { get; }

        String SerializeForAuditLog();
    }

    /// <summary>
    /// Gate represents an entry point at wich an attempt was made
    /// </summary>
    public interface IGate
    {
        /// <summary>
        /// Uniquely identifies the gate
        /// </summary>
        Guid AccountID { get; }

        /// <summary>
        /// Besides unsuccessful attempts, successful attempts too introduce security delay
        /// </summary>
        bool ConsiderSuccessfulAttemptsToo { get; }

        TimeSpan SecurityTimeFrame { get; }

        ActionResult Action(IAttempt attempt, int attemptsCount);
    }

    public enum ActionResult { NotDelayed, Delayed, Emergency }

    public class SecurityActionEventArgs : EventArgs
    {
        public SecurityActionEventArgs(IGate gate, int attemptCount, IAttempt attempt, ActionResult result)
        {
            Gate = gate; AttemptCount = attemptCount; Attempt = attempt; Result = result;
        }
        public ActionResult Result { get; private set; }
        public IGate Gate { get; private set; }
        public IAttempt Attempt { get; private set; }
        public int AttemptCount { get; private set; }
    }
    #endregion

    #region Fields
    Dictionary<Guid, Queue<IAttempt>> attempts = new Dictionary<Guid, Queue<IAttempt>>();
    Dictionary<Type, IGate> gates = new Dictionary<Type, IGate>();
    #endregion

    #region Events
    public event EventHandler<SecurityActionEventArgs> SecurityAction;
    #endregion

    /// <summary>
    /// private (hidden) constructor, only static instance access (singleton)
    /// </summary> 
    private SecurityDelayManager() { }

    /// <summary>
    /// Look at the attempt and the history for a given gate, let the gate take action on the findings
    /// </summary>
    /// <param name="gate"></param>
    /// <param name="attempt"></param>
    public ActionResult Check(IGate gate, IAttempt attempt)
    {
        if (gate == null) throw new ArgumentException("gate");
        if (attempt == null) throw new ArgumentException("attempt");

        // get the input data befor we lock(queue)
        var cleanupTime = DateTime.Now.Subtract(gate.SecurityTimeFrame);
        var considerSuccessful = gate.ConsiderSuccessfulAttemptsToo;
        var attemptSuccessful = attempt.Successful;
        int attemptsCount; // = ?

        // not caring too much about threads here as risks are low
        Queue<IAttempt> queue = attempts.ContainsKey(gate.AccountID)
                                ? attempts[gate.AccountID]
                                : attempts[gate.AccountID] = new Queue<IAttempt>();

        // thread sensitive - keep it local and short
        lock (queue)
        {
            // maintenance first
            while (queue.Count != 0 && queue.Peek().Time < cleanupTime)
            {
                queue.Dequeue();
            }

            // enqueue attempt if necessary
            if (!attemptSuccessful || considerSuccessful)
            {
                queue.Enqueue(attempt);
            }

            // get the queue length
            attemptsCount = queue.Count;
        }

        // let the gate decide what now...
        var result = gate.Action(attempt, attemptsCount);

        // audit log
        switch (result)
        {
            case ActionResult.Emergency:
                audit.ErrorFormat("{0}: Emergency! Attempts count: {1}. {2}", gate, attemptsCount, attempt.SerializeForAuditLog());
                break;
            case ActionResult.Delayed:
                audit.WarnFormat("{0}: Delayed. Attempts count: {1}. {2}", gate, attemptsCount, attempt.SerializeForAuditLog());
                break;
            default:
                audit.DebugFormat("{0}: {3}. Attempts count: {1}. {2}", gate, attemptsCount, attempt.SerializeForAuditLog(), result);
                break;
        }

        // notification
        if (SecurityAction != null)
        {
            var ea = new SecurityActionEventArgs(gate, attemptsCount, attempt, result);
            SecurityAction(this, ea);
        }

        return result;
    }

    public void ResetAttempts()
    {
        attempts.Clear();
    }

    #region Gates access
    public TGate GetGate<TGate>() where TGate : IGate, new()
    {
        var t = typeof(TGate);

        return (TGate)GetGate(t);
    }
    public IGate GetGate(Type gateType)
    {
        if (gateType == null) throw new ArgumentNullException("gateType");
        if (!igateType.IsAssignableFrom(gateType)) throw new Exception("Provided gateType is not of IGate");

        if (!gates.ContainsKey(gateType) || gates[gateType] == null)
            gates[gateType] = (IGate)Activator.CreateInstance(gateType);

        return gates[gateType];
    }
    /// <summary>
    /// Set a specific instance of a gate for a type
    /// </summary>
    /// <typeparam name="TGate"></typeparam>
    /// <param name="gate">can be null to reset the gate for that TGate</param>
    public void SetGate<TGate>(TGate gate) where TGate : IGate
    {
        var t = typeof(TGate);
        SetGate(t, gate);
    }
    /// <summary>
    /// Set a specific instance of a gate for a type
    /// </summary>
    /// <param name="gateType"></param>
    /// <param name="gate">can be null to reset the gate for that gateType</param>
    public void SetGate(Type gateType, IGate gate)
    {
        if (gateType == null) throw new ArgumentNullException("gateType");
        if (!igateType.IsAssignableFrom(gateType)) throw new Exception("Provided gateType is not of IGate");

        gates[gateType] = gate;
    }
    #endregion

}

Tests

And I've made a test fixture for that:

[TestFixture]
public class SecurityDelayManagerTest
{
    static MyTestLoginGate gate;
    static SecurityDelayManager manager;

    [SetUp]
    public void TestSetUp()
    {
        manager = SecurityDelayManager.Instance;
        gate = new MyTestLoginGate();
        manager.SetGate(gate);
    }

    [TearDown]
    public void TestTearDown()
    {
        manager.ResetAttempts();
    }

    [Test]
    public void Test_SingleFailedAttemptCheck()
    {
        var attempt = gate.CreateLoginAttempt(false, "user1");
        Assert.IsNotNull(attempt);

        manager.Check(gate, attempt);
        Assert.AreEqual(1, gate.AttemptsCount);
    }

    [Test]
    public void Test_AttemptExpiration()
    {
        var attempt = gate.CreateLoginAttempt(false, "user1");
        Assert.IsNotNull(attempt);

        manager.Check(gate, attempt);
        Assert.AreEqual(1, gate.AttemptsCount);
    }

    [Test]
    public void Test_SingleSuccessfulAttemptCheck()
    {
        var attempt = gate.CreateLoginAttempt(true, "user1");
        Assert.IsNotNull(attempt);

        manager.Check(gate, attempt);
        Assert.AreEqual(0, gate.AttemptsCount);
    }

    [Test]
    public void Test_ManyAttemptChecks()
    {
        for (int i = 0; i < 20; i++)
        {
            var attemptGood = gate.CreateLoginAttempt(true, "user1");
            manager.Check(gate, attemptGood);

            var attemptBaad = gate.CreateLoginAttempt(false, "user1");
            manager.Check(gate, attemptBaad);
        }

        Assert.AreEqual(20, gate.AttemptsCount);
    }

    [Test]
    public void Test_GateAccess()
    {
        Assert.AreEqual(gate, manager.GetGate<MyTestLoginGate>(), "GetGate should keep the same gate");
        Assert.AreEqual(gate, manager.GetGate(typeof(MyTestLoginGate)), "GetGate should keep the same gate");

        manager.SetGate<MyTestLoginGate>(null);

        var oldGate = gate;
        var newGate = manager.GetGate<MyTestLoginGate>();
        gate = newGate;

        Assert.AreNotEqual(oldGate, newGate, "After a reset, new gate should be created");

        manager.ResetAttempts();
        Test_ManyAttemptChecks();

        manager.SetGate(typeof(MyTestLoginGate), oldGate);

        manager.ResetAttempts();
        Test_ManyAttemptChecks();
    }
}


public class MyTestLoginGate : SecurityDelayManager.IGate
{
    #region Static
    static Guid myID = new Guid("81e19a1d-a8ec-4476-a187-5130361a9006");
    static TimeSpan myTF = TimeSpan.FromHours(24);

    class LoginAttempt : Attempt { }
    class PasswordResetAttempt : Attempt { }
    abstract class Attempt : SecurityDelayManager.IAttempt
    {
        public bool Successful { get; set; }
        public DateTime Time { get; set; }
        public String UserName { get; set; }

        public string SerializeForAuditLog()
        {
            return ToString();
        }
        public override string ToString()
        {
            return String.Format("Attempt {2} Successful:{0} @{1}", Successful, Time, GetType().Name);
        }
    }
    #endregion

    #region Test properties
    public int AttemptsCount { get; private set; }
    #endregion

    #region Implementation of SecurityDelayManager.IGate
    public Guid AccountID { get { return myID; } }
    public bool ConsiderSuccessfulAttemptsToo { get { return false; } }
    public TimeSpan SecurityTimeFrame { get { return myTF; } }

    public SecurityDelayManager.IAttempt CreateLoginAttempt(bool success, string userName)
    {
        return new LoginAttempt() { Successful = success, UserName = userName, Time = DateTime.Now };
    }
    public SecurityDelayManager.IAttempt CreatePasswordResetAttempt(bool success, string userName)
    {
        return new PasswordResetAttempt() { Successful = success, UserName = userName, Time = DateTime.Now };
    }

    public SecurityDelayManager.ActionResult Action(SecurityDelayManager.IAttempt attempt, int attemptsCount)
    {
        AttemptsCount = attemptsCount;

        return attemptsCount < 3
            ? SecurityDelayManager.ActionResult.NotDelayed
            : attemptsCount < 30
            ? SecurityDelayManager.ActionResult.Delayed
            : SecurityDelayManager.ActionResult.Emergency;
    }
    #endregion
}

Answer 2

I would place the delay on the server validation portion where it won't attempt to validate (come back automatically as false have a message saying the user has to wait so many seconds before making another attempt). another answer until so many seconds have passed. Doing the thread.sleep will prevent one browser from making another attempt, but it won't stop a distributed attack where someone has multiple programs trying to login as the user simultaneously.

Another possibility is that the time between attempts varies by how many attempts are made to login. So the second attempt they have a one second wait, the third is maybe 2, the third is 4 and so on. That way you don't have a legitimate user having to wait 15 seconds between login attempts because they mistyped their password incorrectly the first time.