Feature #75987

Implement request throttling/ rate limiting functionality and API

Added by Helmut Hummel about 5 years ago. Updated over 2 years ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Security
Target version:
-
Start date:
2016-04-29
Due date:
% Done:
0%

Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Our current brute force protection is non-existent:

There are cases where specific functionality should be throttled, example: A user shouldn't hammer with 20 comments / second.

Task: Evaluate existing solutions (e.g. https://github.com/websoftwares/Throttle) and / or implement
a general throttling mechanism and provide API for extensions


Related issues

Related to TYPO3 Core - Feature #21661: Secure the BE login - Blacklist ips (Closed, 2009-11-24)

Related to TYPO3 Core - Bug #21658: Secure the BE login - Auto disable the be user after a certain amount of login failure. (Closed, 2009-11-24)

Related to TYPO3 Core - Feature #19987: Security: Backend user should be disabled after x failed log in (and the appropriate option is set in the install tool) (Closed, 2009-02-09)
#1

Updated by Christian Kuhn almost 5 years ago

  • Tracker changed from Bug to Feature
  • Project changed from 1716 to TYPO3 Core
  • Description updated (diff)
#2

Updated by Helmut Hummel almost 5 years ago

Some use cases:

  • Throttle failed backend logins
  • Throttle the amount of contact forms sent
  • Throttle the amount of comments sent

So basically
Throttle <condition> <action>

We need an API for conditions and the resulting actions when a condition is matched

#3

Updated by Helmut Hummel almost 5 years ago

  • Category set to Security
#4

Updated by Simon Schaufelberger over 2 years ago

My TYPO3 website was just attacked by a bot with 1000s of requests which killed my db with an exception like: Connection failed with: "An exception occured in driver: Too many connections" | TYPO3\CMS\Core\Error\Http\ServiceUnavailableException thrown in file /vendor/typo3/cms/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php in line 932

I'm also using Laravel for some projects and they have it implemented in the core with a middleware: https://github.com/illuminate/routing/blob/master/Middleware/ThrottleRequests.php
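As an added illustration of the "Throttle <condition> <action>" API sketched in #2 and of the counter-per-client approach the Laravel middleware in #4 takes, here is a minimal fixed-window throttle. It is example code written for this discussion, not TYPO3 core or Laravel code; the limits, the IP address and the in-memory counter storage are constructed assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not TYPO3 core code: a fixed-window throttle in the
// "Throttle <condition> <action>" shape from comment #2. Counters live in an
// in-process array here; a real install would keep them in a shared cache.
final class Throttle
{
    /** @var array<string, array{count: int, windowStart: int}> */
    private array $counters = [];
    public function __construct(private int $limit, private int $windowSeconds) {}
    /** Counter for $key, replaced by an empty bucket once its window has expired. */
    private function bucket(string $key, int $now): array
    {
        $b = $this->counters[$key] ?? ['count' => 0, 'windowStart' => $now];
        return ($now - $b['windowStart'] >= $this->windowSeconds) ? ['count' => 0, 'windowStart' => $now] : $b;
    }

    /** Condition: may the action for $key run right now? */
    public function isAllowed(string $key, int $now): bool
    {
        return $this->bucket($key, $now)['count'] < $this->limit;
    }

    /** Seconds until $key is allowed again, 0 if it is allowed now (usable as a Retry-After header). */
    public function retryAfter(string $key, int $now): int
    {
        $b = $this->bucket($key, $now);
        return $b['count'] < $this->limit ? 0 : $b['windowStart'] + $this->windowSeconds - $now;
    }

    /** Record one counted event for $key (a failed login, a posted comment, a form submission). */
    public function record(string $key, int $now): void
    {
        $b = $this->bucket($key, $now);
        $b['count']++;
        $this->counters[$key] = $b;
    }
}

// Use case from comment #2: backend login, counting only failed attempts per client IP.
$loginThrottle = new Throttle(limit: 5, windowSeconds: 900);  // constructed numbers
$key = 'be-login:203.0.113.10';                                // constructed address
$now = time();
for ($attempt = 1; $attempt <= 7; $attempt++) {
    if (!$loginThrottle->isAllowed($key, $now)) {
        printf("attempt %d: throttled, retry after %ds\n", $attempt, $loginThrottle->retryAfter($key, $now));
        continue;
    }
    $loginThrottle->record($key, $now);  // constructed: authentication fails every time
    echo "attempt $attempt: login failed, counted\n";
}
```

For the comment and contact-form cases the same object is used with a different key prefix and `record()` is called on every accepted submission rather than only on failure; the caller checks `isAllowed()` first and can send `retryAfter()` back to the client.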
