Resolve "Rate Limits" (!5) · Merge requests · uffd / uffd

Julian requested to merge rate-limits into master Oct 28, 2020

Ratelimits are implemented by storing events (e.g. failed logins) with Ratelimit.log() in the sqlite database. Ratelimit.get_delay() is then used to check if a request is allowed or not. The delays grow exponentionally until the stored events expire in a sliding-window fashion. Old events are deleted whenever Ratelimit.get_delay() is called.

Host-based limits use /24 subnet for IPv4 and /48 subnet for IPv6 instead of the full address as the key.

Distribution of optimal requests (relative delays in seconds):

host (25 login/pwreset attempts per hour):
00:00:00 0s
00:00:00 0s
00:00:00 0s
00:00:00 0s
00:00:00 6s
00:00:06 2s
00:00:08 2s
00:00:10 4s
00:00:14 6s
00:00:20 7s
00:00:27 10s
00:00:37 14s
00:00:51 20s
00:01:11 28s
00:01:39 38s
00:02:17 52s
00:03:09 73s
00:04:22 102s
00:06:04 141s
00:08:25 195s
00:11:40 272s
00:16:12 376s
00:22:28 522s
00:31:10 725s
00:43:15 1005s
01:00:00 0s
...

login, mfa (3 attempts per minute):
00:00:00 0s
00:00:00 16s
00:00:16 44s
00:01:00 0s
...

reset (3 attempts per hour):
00:00:00 16s
00:00:16 219s
00:03:55 3365s
01:00:00 16s
...

Closes #10 (closed)

Edited Nov 03, 2020 by Julian

Resolve "Rate Limits"

Merge request reports