- A Denial of Service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means, motives, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend the services of a host that is connected to the Internet.
- A Distributed Denial of Service attack (DDoS attack) uses many compromised hosts to carry out the DoS.
- A Brute Force attack is an attempt to gain access through automated authentication attempts; it can lead to the authentication servers and/or the PCS/PPS becoming overloaded as they try to handle the flood of requests.
Configure the following Lockout options to help protect PCS/PPS against DoS, DDoS and Brute Force password-guessing attacks from the same IP address:
- Rate: Specify the number of failed sign-in attempts to allow per minute.
- Attempts: Specify the maximum number of failed sign-in attempts to allow, before triggering the initial lockout. The system determines the maximum initial period of time (in minutes) to allow the failed sign-in attempts to occur by dividing the specified number of attempts by the rate.
For example, 180 attempts divided by a rate of 3 results in an initial period of 60 minutes. If 180 or more failed sign-in attempts occur within 60 minutes or less, the IP address being used is locked out.
- Lockout period: Specify the number of minutes for which the system locks out the IP address.
Perform the following procedure to modify the global setting for user login failure lockout rate, login attempts, and lockout period:
- Log on to PCS/PPS as an administrator.
- Go to Configuration > Security > Miscellaneous > Lockout options to set the Rate, Attempts, and Lockout period.
- Note: The Lockout options settings determine how failed sign-in attempts are handled. When the number of allowed attempts is exceeded, the IP address used for signing in (not the failed user accounts) is temporarily locked to prevent automated sign-in attacks.
- Make the necessary changes as required and click Save Changes.
The system reacts quickly to an attack that persists and then gradually becomes less restrictive as the attack subsides. After a lockout expires, the system recovers gradually by maintaining the Rate: if the failure rate since the last lockout exceeds the specified Rate, the system locks out the IP address again.
If the failure rate stays below the specified Rate for a period of Attempts/Rate minutes, the system returns to the initial monitoring state.
For example, with the following Lockout options settings, the system locks out the IP address for the time periods described in the scenario below:
- Rate = 3 failed sign-in attempts/minute
- Attempts = 180 maximum allowed in initial period of 60 minutes (180/3)
- Lockout period = 2 minutes
The process is as follows:
- During a period of three minutes, 180 failed sign-in attempts occur from the same IP address. As the specified value for Attempts is reached in less than the allowed initial period of 60 minutes (180/3), the Secure Access Service locks out the IP address for 2 minutes (the 4th and 5th minutes).
- In the 6th minute, the Secure Access Service removes the lock on the IP address and begins to maintain the rate of 3 failed sign-in attempts/minute. In the 6th and 7th minutes, the number of failed sign-in attempts is 2 per minute, so the system does not lock the IP address.
However, when the number of failed sign-in attempts increases to 5 in the 8th minute, for a total of 9 failed sign-in attempts within 3 minutes, it locks out the IP address for 2 minutes again (the 9th and 10th minutes).
- In the 11th minute, it removes the lock on the IP address and again begins to maintain the rate of 3 failed sign-in attempts/minute. When the rate remains below an average of 3/minute for 60 minutes, it returns to its initial monitoring state.
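The lockout behaviour described in the scenario above, modelled as an added Python example (this is not PCS/PPS code; the minute-by-minute accounting, the sliding window used in the initial state, and treating an average that exactly reaches the Rate as a trigger are assumptions chosen to reproduce the documented scenario):

```python
from collections import deque


class IpLockout:
    """Minute-granularity model of the per-source-IP Rate/Attempts/Lockout period behaviour (assumed)."""

    def __init__(self, rate, attempts, lockout_period):
        self.rate = rate                      # allowed failed sign-ins per minute
        self.attempts = attempts              # failures that trigger the initial lockout
        self.lockout_period = lockout_period  # minutes the IP stays locked
        self.window = attempts // rate        # initial period in minutes (Attempts / Rate)
        self.state = "initial"                # "initial", "locked" or "recovering"
        self.locked_until = 0
        self.recent = deque()                 # failures per minute within the initial period
        self.since_lockout = []               # failures per minute since the last lock expired

    def minute(self, t, failures):
        """Record the failed sign-ins of minute t; return True if sign-ins were refused in minute t."""
        if self.state == "locked":
            if t <= self.locked_until:
                return True
            self.state, self.since_lockout = "recovering", []    # lock expired: maintain the Rate
        if self.state == "initial":
            self.recent.append(failures)
            if len(self.recent) > self.window:
                self.recent.popleft()
            if sum(self.recent) >= self.attempts:                # Attempts reached within Attempts/Rate minutes
                self._lock(t)
            return False
        self.since_lockout.append(failures)                       # recovering state
        elapsed = len(self.since_lockout)
        if sum(self.since_lockout) >= self.rate * elapsed:        # reaching the Rate locks again (9 in 3 min at Rate 3)
            self._lock(t)
        elif elapsed >= self.window:                              # below the Rate for Attempts/Rate minutes
            self.state, self.recent = "initial", deque()
        return False

    def _lock(self, t):
        self.state = "locked"
        self.locked_until = t + self.lockout_period               # lock covers the following lockout_period minutes


def locked_minutes(tracker, failures_by_minute, total_minutes):
    """Run the tracker for total_minutes; return the minutes in which the IP address was locked out."""
    return [t for t in range(1, total_minutes + 1)
            if tracker.minute(t, failures_by_minute.get(t, 0))]


# Constructed input reproducing the scenario above: 180 failures over minutes 1-3,
# then 2, 2 and 5 failures in minutes 6-8 (Rate 3, Attempts 180, Lockout period 2).
SCENARIO = {1: 60, 2: 60, 3: 60, 6: 2, 7: 2, 8: 5}
```

Running `locked_minutes(IpLockout(3, 180, 2), SCENARIO, 70)` yields the lockouts in minutes 4, 5, 9 and 10 and leaves the tracker back in the initial monitoring state after 60 quiet minutes.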
Be aware that in environments in which two or more users share the same IP address (as seen by PCS/PPS), the lockout feature prevents all users from logging in from the shared IP address even when only one of them is the offending user. A common scenario is when a load balancer, NAT device or proxy is in the path and its IP address is the source IP address of the connection to the PCS/PPS device. By increasing the Rate to near the Attempts value, there is less chance that users who mistype their credentials (especially behind a single source IP) will cause the IP address to be locked. For example:
- Rate: 90 failed sign-in attempts/minute
- Attempts (Max): 180
- Lockout period (Duration): 2 minutes
With these settings, it takes 180 failed login attempts within 2 minutes (180/90) to lock the IP address.
Note: Local lockout at the Realm level denies or allows specific IP addresses and does not have a separate configurable timer.