Distributed Denial of Service Attacks

A distributed denial of service (DDoS) attack is an attempt to shut down a server by repeatedly logging on with a known valid user ID and an incorrect password. By default, the AuthFilter does not associate each password cache entry with one, and only one, client session. When a user logs on with a valid user ID, the password cache is updated with the submitted password. A malicious user can use this technique to disrupt service: the malicious user does not gain entry to the site, but forces any registered user who is active when the cached password is changed to log in again.

To avoid the attack, the AuthFilter can store an additional property in the cache besides the user ID and password. This property is generally a globally unique identifier (GUID) and is used to distinguish between different client sessions using the same user ID and possibly different passwords.

On the login page, the GUID is placed on the ticket of the user as a custom property, guid, by the SetProperty method of the AuthManager object. Additionally, the property is appended to the query string for the redirected URL.

Once set, the AuthFilter uses the guid property to access the password cache instead of the user ID. When a user logs on with the same user ID but with a different password, the AuthFilter identifies this as a different user and a new entry is made in the password cache instead of overwriting the original password. The AuthFilter then follows the same steps as for a new user. For a code example showing this process, see Code to Set a Custom Property on a Ticket.
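The two cache layouts contrasted above, modelled as an added Python example (constructed for this page; it is not Commerce Server code and does not reproduce the AuthFilter or AuthManager APIs). `PasswordCache`, `simulate` and the sample credentials are assumptions made here; the model only shows why keying the cache by user ID lets a failed logon evict an active session, while keying it by a per-session GUID does not.

```python
import uuid

# Constructed user store: the directory the site authenticates against.
USER_STORE = {"alice": "correct horse"}


class PasswordCache:
    """Model of the AuthFilter password cache (constructed, not the real filter).

    per_session=False: entries are keyed by user ID (the default described above).
    per_session=True:  entries are keyed by a GUID placed on the ticket.
    """

    def __init__(self, per_session):
        self.per_session = per_session
        self.entries = {}  # cache key -> last submitted password

    def login(self, user_id, password):
        """Update the cache with the submitted password, then return a ticket
        only if the password is actually correct (the attacker gets none)."""
        key = str(uuid.uuid4()) if self.per_session else user_id
        # The cache is updated on submission, before the credentials are checked,
        # which is the behaviour the attack relies on.
        self.entries[key] = password
        if USER_STORE.get(user_id) != password:
            return None
        return {"user_id": user_id, "guid": key}

    def validate(self, ticket, password):
        """Check a later request from an active session against the cache."""
        key = ticket["guid"] if self.per_session else ticket["user_id"]
        return self.entries.get(key) == password


def simulate(per_session):
    """Legitimate logon, then a logon with the same valid ID and a wrong password."""
    cache = PasswordCache(per_session)
    legit = cache.login("alice", "correct horse")
    attacker = cache.login("alice", "wrong password")
    return {
        "attacker_got_ticket": attacker is not None,          # False in both modes
        "legit_still_valid": cache.validate(legit, "correct horse"),
    }


if __name__ == "__main__":
    print("keyed by user ID:", simulate(per_session=False))
    print("keyed by GUID:   ", simulate(per_session=True))
```

With user-ID keying the legitimate session's cached password is overwritten and the next request fails, forcing a re-login; with GUID keying the attacker's submission lands in a separate entry and the active session is unaffected.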

