You cover DoS attacks in the FAQ, but we're seeing more and more brute force attacks that become de facto DoS attacks. Since PHP is a single-process-per-request language, each request locks the process for the duration of the script execution. Let's say a server has resources to handle 6 PHP processes. If those go to sleep because of LSS, there's no process for a legitimate visitor. The brute force attacker can throw enough requests in the queue that it's easy to trigger a timeout. We're now seeing this type of attack at least 1x per week.
I think the code and support of LSS is great, but we've had to recently deactivate it because creating many sleeping processes ends up being worse than the problem of brute force attacks. Do you have any suggestions for working around the problem we're experiencing or is the scale/nature of the attacks we're seeing unusual? We'd love to use LSS, but we can't keep making more PHP processes to keep up with the bad guys.
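
The process starvation described in the post above, modelled as a FIFO pool of 6 PHP processes for capacity planning. This is an added example, not part of the original post and not LSS code. The request rates, the 5-second sleep, the 30-second timeout and the per-request work times are assumed values, and the workload is constructed.

```python
import heapq

WORKERS = 6       # PHP processes available, the figure used in the post
TIMEOUT_S = 30.0  # assumed client/gateway timeout
WORK_S = 0.05     # assumed time to check one failed login
PAGE_S = 0.2      # assumed time to render a normal page


def queue_waits(requests, workers=WORKERS):
    """FIFO pool: return (label, seconds spent waiting for a free process)."""
    free_at = [0.0] * workers  # min-heap: when each process is next idle
    waits = []
    for arrival, service, label in sorted(requests):
        start = max(arrival, free_at[0])  # earliest idle process takes it
        heapq.heapreplace(free_at, start + service)
        waits.append((label, start - arrival))
    return waits


def constructed_minute(sleep_s):
    """Constructed workload: 5 failed logins/s and 1 visitor/s for 60 s.

    Each failed login holds its process for WORK_S plus the sleep.
    """
    logins = [(i * 0.2, WORK_S + sleep_s, "login") for i in range(300)]
    visitors = [(i + 0.5, PAGE_S, "visitor") for i in range(60)]
    return logins + visitors


def visitors_timed_out(sleep_s):
    """Count visitors whose wait for a process exceeds TIMEOUT_S."""
    waits = queue_waits(constructed_minute(sleep_s))
    return sum(1 for label, w in waits
               if label == "visitor" and w > TIMEOUT_S)


if __name__ == "__main__":
    for sleep_s in (0.0, 5.0):
        late = visitors_timed_out(sleep_s)
        print(f"sleep={sleep_s}s: {late}/60 visitors wait > {TIMEOUT_S}s")
```

Without the sleep the same login rate uses well under one process; with it, the offered load is about 25 process-seconds per second against a capacity of 6, so the queue grows until visitors time out.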