Feature #75987

Implement request throttling / rate limiting functionality and API

Added by Helmut Hummel over 3 years ago. Updated 10 months ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Security
Target version:
-
Start date:
2016-04-29
Due date:
% Done:

0%

PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Our current brute force protection is non-existent:

There are cases where specific functionality should be throttled, example: A user shouldn't hammer with 20 comments / second.

Task: Evaluate existing solutions (e.g. https://github.com/websoftwares/Throttle) and / or implement a general throttling mechanism and provide an API for extensions.


Related issues

Related to TYPO3 Core - Feature #21661: Secure the BE login - Blacklist ips Closed 2009-11-24
Related to TYPO3 Core - Bug #21658: Secure the BE login - Auto disable the be user after a certain amount of login failure. Closed 2009-11-24
Related to TYPO3 Core - Feature #19987: Security: Backend user should be disabled after x failed log in (and the appropriate option is set in the install tool) Closed 2009-02-09

History

#1 Updated by Christian Kuhn over 3 years ago

  • Tracker changed from Bug to Feature
  • Project changed from Core Security to TYPO3 Core
  • Description updated (diff)

#2 Updated by Helmut Hummel over 3 years ago

Some use cases:

  • Throttle failed backend logins
  • Throttle the amount of contact forms sent
  • Throttle the amount of comments sent

So basically
Throttle <condition> <action>

We need an API for conditions and resulting actions when condition is matched
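One shape such a "Throttle &lt;condition&gt; &lt;action&gt;" API could take, as an added illustration (not TYPO3, Laravel or websoftwares/Throttle code): a sliding-window throttle where a condition name plus a subject (IP, user id, form id) maps to a limit and a callable action. Class and method names are hypothetical, and the in-memory array stands in for a shared cache backend.

```php
<?php
declare(strict_types=1);
// Hypothetical sliding-window throttle: a <condition> name plus a subject
// (IP, user id, form id) maps to a limit and an action callable. Storage is
// an in-memory array; a real implementation would use a shared cache backend.
final class Throttle
{
    /** @var array<string, array{limit:int, window:int, action:callable}> */
    private array $rules = [];
    /** @var array<string, int[]> recent hit timestamps per "condition:subject" */
    private array $hits = [];

    public function addRule(string $condition, int $limit, int $windowSeconds, callable $action): void
    {
        $this->rules[$condition] = ['limit' => $limit, 'window' => $windowSeconds, 'action' => $action];
    }

    // Record one occurrence of $condition for $subject. Returns true when the
    // limit was exceeded (and the action invoked), false otherwise.
    public function hit(string $condition, string $subject, ?int $now = null): bool
    {
        if (!isset($this->rules[$condition])) {
            return false; // no rule registered: never throttle
        }
        $rule = $this->rules[$condition];
        $now = $now ?? time();
        $key = $condition . ':' . $subject;
        // Sliding-window log: keep only timestamps still inside the window.
        $this->hits[$key] = array_values(array_filter(
            $this->hits[$key] ?? [],
            static fn (int $t): bool => $t > $now - $rule['window']
        ));
        $this->hits[$key][] = $now;
        if (count($this->hits[$key]) > $rule['limit']) {
            ($rule['action'])($condition, $subject);
            return true;
        }
        return false;
    }
}

// Use case from the comment above: at most 5 failed backend logins per 60 s
// per IP (192.0.2.10 is a constructed documentation address).
$throttle = new Throttle();
$throttle->addRule('be_login_failed', 5, 60, static function (string $c, string $s): void {
    error_log(sprintf('throttled %s for %s', $c, $s));
});
for ($i = 0; $i < 6; $i++) {
    $throttle->hit('be_login_failed', '192.0.2.10', 1000 + $i);
}
```

Because blocked attempts are still recorded, a subject that keeps hammering stays throttled until it backs off for a full window; drop the `$this->hits[$key][] = $now;` line for the over-limit case if you want the window to expire regardless.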

#3 Updated by Helmut Hummel over 3 years ago

  • Category set to Security

#4 Updated by Simon Schaufelberger 10 months ago

My TYPO3 website was just attacked by a bot with 1000s of requests which killed my db with an exception like: Connection failed with: "An exception occured in driver: Too many connections" | TYPO3\CMS\Core\Error\Http\ServiceUnavailableException thrown in file /vendor/typo3/cms/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php in line 932

I'm also using Laravel for some projects and they have it implemented in the core with a middleware: https://github.com/illuminate/routing/blob/master/Middleware/ThrottleRequests.php
