CAS 6.0.3 : problem with throttle


Patrick Proniewski

Sep 6, 2019, 2:51:13 AM9/6/19
to cas-...@apereo.org
Hello,

Yesterday we experienced an odd problem on our CAS servers (cluster of 2). The throttle protection triggered and started to block 100% of requests, even legitimate and non-abusive ones:

../..
2019-09-05 15:18:12,151 WARN [org.apereo.cas.web.support.AbstractThrottledSubmissionHandlerInterceptorAdapter] - <Throttling submission from [A]. More than [100] failed login attempts within [60] seconds. Authentication attempt exceeds the failure threshold [100]>
2019-09-05 15:18:12,652 WARN [org.apereo.cas.web.support.AbstractThrottledSubmissionHandlerInterceptorAdapter] - <Throttling submission from [B]. More than [100] failed login attempts within [60] seconds. Authentication attempt exceeds the failure threshold [100]>
2019-09-05 15:18:13,151 WARN [org.apereo.cas.web.support.AbstractThrottledSubmissionHandlerInterceptorAdapter] - <Throttling submission from [C]. More than [100] failed login attempts within [60] seconds. Authentication attempt exceeds the failure threshold [100]>
2019-09-05 15:18:13,651 WARN [org.apereo.cas.web.support.AbstractThrottledSubmissionHandlerInterceptorAdapter] - <Throttling submission from [D]. More than [100] failed login attempts within [60] seconds. Authentication attempt exceeds the failure threshold [100]>
../..

Throttle triggers at 100 failed attempts in 60 seconds, but according to the documentation it should only block the offending IP address, not every single IP address like it did yesterday.

We are running CAS with Undertow instead of Tomcat, behind a local Apache server and we have configured MFA (but no one is currently using it).
Auth backend is LDAP.

Throttling was set to:

# Throttling
############
#
cas.authn.throttle.usernameParameter=username
cas.authn.throttle.schedule.startDelay=PT10S
cas.authn.throttle.schedule.repeatInterval=PT20S
cas.authn.throttle.app-code=CAS
cas.authn.throttle.failure.threshold=100
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.rangeSeconds=60

Changing cas.authn.throttle.failure.threshold from 100 to 1000 yielded the same result: instant block for any IP address.

We have disabled throttling for now, but we would be happy to have a properly working throttling configuration!

Any help appreciated.


Patrick PRONIEWSKI