Sleeping a thread in ASP.NET?

[cmay]

Can someone give me some guidance on this?

I am implementing a system where if a user fails the login, I am doing
a thread.sleep(random number).

If I returned the page right away, you could write a script to try many
username/password combos per second. Using this, it will slow down the
person by making them wait at least a few seconds for a bad
username/password.

I am also implementing some other features like a CAPTCHA image and
other stuff I won't bother listing. But what I am wondering is what
impact this will have on the performance of my application.

For the X seconds that the thread is sleeping, it won't be able to
process incoming requests. Is there a chance that other requests will
have been queued up for this thread and will basically be blocked by
the sleep command?

 

[Steve C. Orr [MVP, MCSD]]

Yes, this could cause blocking problems (since there are a limited number of
threads) so I wouldn't recommend it.
It also wouldn't achieve your goal since incoming requests are processed by
different threads.

I'd suggest a more conventional approach such as locking the account
(temporarily?) if too many invalid login attempts are made.

 

[cmay]

Steve,

So I guess if the hacker was spawing a bunch of threads you are right,
that it would be the same if they have 1 process hitting the login page
10 times / second, or 100 threads hitting the page 1 / 10 seconds, it
would still be 10 hits / second on avg.

Thanks for the advice!

 

[John Timney \(ASP.NET MVP\)]

It will likely cause threading problems for you, the worker process only has
so many threads to use at any time and your effectively locking them up.

try instead ending the session and adding the IP to a list of locked IP's .
In session start check if the IP of the requester is in the list and if it
is then reject the request. You could try sending a response.redirect to
the browser on a failed attempt to delay the requester even further.

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

 

[Mike Labosh]

So I guess if the hacker was spawing a bunch of threads you are right,

that it would be the same if they have 1 process hitting the login page
10 times / second, or 100 threads hitting the page 1 / 10 seconds, it
would still be 10 hits / second on avg.

Here's an example your application could emulate, from the Windows NT / 2000
/ XP / 2003 Group Policy Editor:

# of invalid logon attempts before disabling the user account: 3

So I, as the malicious user, try this:

Username: MLabosh
Password: 123

[fails on invalid password]

Username: MLabosh
Password: 456

[fails on invalid password]

Username: MLabosh
Password: 789

[fails on invalid password]
[account locked out]

Username: MLabosh
Password: WXJ45_*b; [correct password]

[Access denied: Too many invalid logon attempts]


--
Peace & happy computing,

Mike Labosh, MCSD

"Mr. McKittrick, after very careful consideration, I have
come to the conclusion that this new system SUCKS."
-- General Barringer, "War Games"