DOS attacks | WordPress.org

Resolved frisco
(@frisco)

10 years, 11 months ago

You cover DOS attacks in the FAQ, but we’re seeing more and more brute force attacks that become de facto DOS attacks. Since PHP is a single process per request language, each request locks the process for the duration of the script execution. Let’s say a server has resources to handle 6 PHP processes. If those go to sleep because of LSS, there’s no process for a legitimate visitor. The brute force attacker can throw enough requests in the queue that it’s easy to trigger a timeout. We’re now seeing this type of attack at least 1x per week.

I think the code and support of LSS is great, but we’ve had to recently deactivate it because creating many sleeping processes ends up being worse than the problem of brute force attacks. Do you have any suggestions for working around the problem we’re experiencing or is the scale/nature of the attacks we’re seeing unusual? We’d love to use LSS, but we can’t keep making more PHP processes to keep up with the bad guys.

http://wordpress.org/extend/plugins/login-security-solution/

Viewing 1 replies (of 1 total)

Plugin Author Daniel Convissor
(@convissor)

10 years, 11 months ago

Hi Frisco:

You’re right. Login Security Solution doesn’t handle DDOS attacks and can be used as a vector to implement such attacks.

Naturally, someone determined to DDOS a site will do it regardless of how many processes the server can run. The appropriate tools and procedures for dealing with them involve the server and networking layers.

–Dan

Viewing 1 replies (of 1 total)

The topic ‘DOS attacks’ is closed to new replies.

In: Plugins
1 reply
2 participants
Last reply from: Daniel Convissor
Last activity: 10 years, 11 months ago
Status: resolved