Authentication Throttling - second attempt always triggers 'access denied'


Justin Andrews

Jan 24, 2018, 2:37:12 PM
to CAS Community
Hi folks - trying again here... There seems to be the 'right kind' of settings needed to get authentication throttling to work. I have currently defined it as 3 failures within 15 seconds.

cas.authn.throttle.usernameParameter=
cas.authn.throttle.schedule.startDelay=10000
cas.authn.throttle.schedule.repeatInterval=20000
cas.authn.throttle.appcode=CAS
cas.authn.throttle.failure.threshold=3
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.rangeSeconds=15

The problem is, after the second failed attempt within 6 seconds I get the 'access denied' message even though I hadn't even tried 3 times. In the logs it will report back that 3 failures had occurred. But that is not true. Now, CAS is behind a load balancer, but the IP address of the client is being preserved.

If I change the values to be 5 failures within 5 seconds, the second attempt issue doesn't exist, and basically I can't trigger the throttling message to appear.

If I add more time to the setting and make it 3 failures within 60 seconds, the same issue, the second failure will trigger 'access denied'. This is a test CAS server with nobody else using it so even if it was a load balancer issue only I am using/testing it at present. It's just strange to me.

I was able to stop the second-attempt issue by setting it to 10 failures within 60 seconds, but those settings are pointless for us. However, when tested after 10 equally spaced failure attempts within 60 seconds, it did successfully trigger the message.


2018-01-24 12:38:06,193 WARN [org.apereo.cas.web.support.AbstractThrottledSubmissionHandlerInterceptorAdapter] - <Throttling submission from [client-ip-here]. More than [3] failed login attempts within [15] seconds. Authentication attempt exceeds the failure threshold [3]>



Ray Bon

Jan 24, 2018, 3:34:40 PM
to cas-...@apereo.org
Justin,

Those throttle settings get reduced to a common denominator. When you set 3 failures within 15 seconds, it is converted to 1 in 5 seconds. So your second attempt in 6 seconds may be a rounding error (i.e., CAS recorded it as 5 seconds; you could check the logs), or it is 2 failures within 10 seconds, however you want to look at it.
I think this approach to throttling is to thwart machine rather than human login attempts.
In CAS 3.5 we responded to an error code sent back from LDAP (we pushed throttle settings into LDAP). I have not yet ported that to 5.x but it is in the backlog.

How long does it take a user to re-enter a password and press enter? You can do it in less than 5 seconds. Try 1 failure in 4 seconds then maybe 3 seconds.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
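The behaviour Ray describes above, and the symptoms in Justin's opening post (second attempt denied with 3/15, nothing triggers with 5/5), as an added example that is not from this thread or from the CAS code base: a small Python model of the throttle check. It assumes, as my reading of the CAS in-memory throttle and not something the thread confirms, that only the timestamp of the last failed login per key is kept and that a submission is rejected when 1 / (now - last) exceeds failure.threshold / failure.rangeSeconds; the timings in the `__main__` block are constructed, not Justin's measurements. A sliding-window counter (`WindowThrottle`) is included for contrast, because that is what "3 failures within 15 seconds" reads as and it is not what the rate check does.

```python
"""Model of CAS-style authentication throttling (added example, not CAS code).

Assumption (my reading of the CAS in-memory adapter, not verified here): the
throttle keeps only the LAST failure timestamp per key and compares the
instantaneous rate 1 / (now - last) against thresholdRate = threshold / rangeSeconds.
So "3 failures in 15 seconds" behaves as "no two consecutive failures closer than
5 seconds", which is why the second attempt can already be denied.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RateThrottle:
    """Last-timestamp rate check, modelled on the CAS in-memory adapter (assumption)."""
    threshold: int
    range_seconds: float
    # key is the client IP (plus username when usernameParameter is set)
    last_failure: Dict[str, float] = field(default_factory=dict)

    @property
    def threshold_rate(self) -> float:
        # failures per second: 3 / 15 -> 0.2
        return self.threshold / self.range_seconds

    @property
    def min_gap_seconds(self) -> float:
        # smallest gap between consecutive failures that is NOT throttled: 15 / 3 -> 5 s
        return self.range_seconds / self.threshold

    def exceeds_threshold(self, key: str, now: float) -> bool:
        last = self.last_failure.get(key)
        if last is None:
            return False
        elapsed = now - last
        if elapsed <= 0:
            return True  # same instant: rate is effectively infinite
        return (1.0 / elapsed) > self.threshold_rate

    def record_failure(self, key: str, now: float) -> None:
        self.last_failure[key] = now

    def cleanup(self, now: float) -> None:
        # what the scheduled job (schedule.startDelay / repeatInterval) does in this
        # model: forget keys whose rate has fallen below the threshold
        stale = [k for k, t in self.last_failure.items()
                 if now > t and 1.0 / (now - t) < self.threshold_rate]
        for k in stale:
            del self.last_failure[k]


@dataclass
class WindowThrottle:
    """Sliding-window count: what 'N failures within R seconds' is usually taken to mean."""
    threshold: int
    range_seconds: float
    failures: Dict[str, List[float]] = field(default_factory=dict)

    def exceeds_threshold(self, key: str, now: float) -> bool:
        recent = [t for t in self.failures.get(key, []) if now - t <= self.range_seconds]
        self.failures[key] = recent
        return len(recent) >= self.threshold

    def record_failure(self, key: str, now: float) -> None:
        self.failures.setdefault(key, []).append(now)


def simulate(throttle, failure_times: List[float], key: str = "client-ip") -> List[bool]:
    """Replay wrong-password submissions at the given offsets (seconds); True = denied.

    A denied request never reaches the authentication handler, so it is not recorded
    as a new failure (assumption: the interceptor rejects before authentication runs).
    """
    verdicts = []
    for ts in failure_times:
        denied = throttle.exceeds_threshold(key, ts)
        if not denied:
            throttle.record_failure(key, ts)
        verdicts.append(denied)
    return verdicts


if __name__ == "__main__":
    # constructed timings, not measurements from the thread
    print("3/15 rate, 4 s apart:   ", simulate(RateThrottle(3, 15), [0, 4, 8]))
    print("3/15 rate, 6 s apart:   ", simulate(RateThrottle(3, 15), [0, 6, 12]))
    print("3/15 window, 6 s apart: ", simulate(WindowThrottle(3, 15), [0, 6, 12, 13]))
    print("5/5 rate, human typing: ", simulate(RateThrottle(5, 5), [0, 2, 4, 6, 8, 10]))
    print("10/60 rate, 5 s apart:  ", simulate(RateThrottle(10, 60), [0, 5]))
```

Under this model, 3/15 denies a second wrong password typed less than 5 s after the first, yet never denies three failures spaced 6 s apart, and 5/5 (one failure per second) cannot be triggered by a person typing; 10/60 denies any two failures less than 6 s apart. When comparing against a real deployment, check the gap between consecutive failures in the CAS log rather than counting attempts, and remember that with usernameParameter left empty the key is the client address alone.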