PHP: Anti-Flood/Spam system

Question

I'm actually working on a PHP project that will feature a user system (Login,Register,Send lost password to email,..) and I think that this may be very vulnerable to Brute-Force attacks and/or Spam (Send a password to someone's email like 1000 times, etc. use your fantasy) .

• Do today's webservers (Apache, IIS) have some sort of built-in defense against Brute-Force?

• What would be the best way to implement an Anti-Spam/Flood system, if I e.g.: want a page not be able to be called more than two times a minute, however another page may be called up to 100 times a minute or so.

  • I would definitely have to store IP adresses, the time when they last visited a page and the number of visits somewhere - but would it be efficient enough storing it in a text-file/database (MySQL)

  • Should I use captchas for things like registering/recovering lost passwords?

  • Are "text" captchas viable? (Something like "What is 5 plus 9 minus 2? ")

  • The page won't be used by that many users (100-200), do I actually have to implement all these things?

Answer 1

Regarding CAPTCHAs: I would recommend against using CAPTCHAs unless you really need it. Why?

1. it's ugly.
2. it's annoying for your users. You shouldn't make them jump through hoops to use your site.

There are some alternatives which are very simple, can be very effective and are entirely transparent to _{(almost all)} users.

1. Honeypot fields: add a field to your forms with a common name like "website". Beside it, add a label saying something to the effect of "don't write in this box". Using Javascript hide the input and label. When you receive a form submission, if there's anything in the field, reject the input.

   Users with JS won't see it and will be fine. Users without JS will just have to follow the simple instruction. Spambots will fall for it and reveal themselves.

2. Automatic faux-CAPTCHA: This is similar to the above. Add an input field with a label saying "Write 'Alex'" (for example). Using Javascript (and knowing that most automated spam bots won't be running JS), hide the field and populate it with 'Alex'. If the submitted form doesn't have the magic word there, then ignore it.

   Users with JS won't see it and will be fine. Users without JS will just have to follow the simple instruction. Spambots won't know what to do and you can ignore their input.

This will safeguard you from 99.9% of automated spam bots. What it won't do, even in the slightest, is safeguard you against a targeted attack. Someone could customise their bot to avoid the honeypot or always fill in the correct value.

---

Regarding Brute Force blocking: A server-side solution is the only viable way to do this obviously. For one of my current projects, I implemented a brute force protection system very similar to what you describe. It was based on this Brute Force Protection plugin for CakePHP.

The algorithm is fairly simple, but a little confusing initially.

1. User requests some action (reset password, for example)
2. Run: DELETE * FROM brute_force WHERE expires < NOW()

3. Run:

   SELECT COUNT(*) FROM brute_force 
   WHERE action = 'passwordReset'
   AND ip = <their ip address>
   

4. If the count is greater than X then tell them to wait a while.

5. Otherwise, run:

   INSERT INTO brute_force (ip, action, expires)
   VALUES (<their ip address>, 'passwordReset', NOW() + Y minutes)
   

6. Continue with the reset password function.

This will allow users to only try resetting a password X times in Y minutes. Tweak these values as you see fit. Perhaps 3 resets in 5 minutes? Additionally, you could have different values for each action: for some things (eg: generate a PDF), you might want to restrict it to 10 in 10 minutes.