soloman817
Joined: 26 Sep 2012 Posts: 17
Posted: Tue Oct 09, 2012 6:05 am Post subject: is there a freq limit for IsAuthenticated call?
Hi,
In order to support license transfer, I just added a background thread to do an authentication status check, following this post: http://www.infralution.com/phpBB2/viewtopic.php?t=2328
To test, I set the interval of the background thread to 3 seconds. But the strange thing is, after nearly 9 status checks, it reports not authenticated:
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
The license is no longer authenticated.
I know in the FAQ code the interval is 5 minutes, so does it mean there is a request frequency check in the auth server? If true, what is that frequency? I need this to be confirmed to make sure this method will not behave wrongly.
Regards,
Xiang.
soloman817
Joined: 26 Sep 2012 Posts: 17
Posted: Tue Oct 09, 2012 6:11 am Post subject:
PS, because I'm protecting a library, not an application, I set the thread to be a background thread:
Code:
if (_license != null)
{
    // Background thread: it does not keep the host process alive on exit
    Thread thread = new Thread(new ThreadStart(CheckLicenseThread));
    thread.IsBackground = true;
    thread.Start();
}
Will this be a problem?
Infralution
Joined: 28 Feb 2005 Posts: 5027
Posted: Tue Oct 09, 2012 9:36 pm Post subject:
Yes, there is some code in the Authentication Service to help protect against Denial of Service (DoS) attacks where an attacker floods your website with repeated requests. You can find the settings which control this in the Authentication Service Web.Config.
- CheckCallerIP - if true DoS protection is used
- MaxCallsPerIPAddress - the number of calls allowed from a given IP address within a set period of time
- IPAddressResetPeriod - the number of seconds before the time period resets
_________________ Infralution Support
soloman817
Joined: 26 Sep 2012 Posts: 17
Posted: Wed Oct 10, 2012 12:27 am Post subject:
Thanks for pointing out where it is. I checked the local auth server (in Program Files), and it is there in the Web.Config.
But when checking my live website, it seems it is encrypted...
There are 3 child nodes of <configuration>:
1) appSettings, and configProtectionProvider is set to rsa
2) connectionStrings, and configProtectionProvider is set to rsa
3) system.web
So, uhmm, I guess I need to install it again and not encrypt the config to see what it is.
BTW, if later we could see these settings from Tracker, that would be better.
Infralution
Joined: 28 Feb 2005 Posts: 5027
Posted: Wed Oct 10, 2012 1:06 am Post subject:
Yes, you are right. You would need to run the Install.aspx page and not encrypt the configuration. Then you could change the settings if you want and run the Install again to encrypt them. The reason they are in the Web.Config is that you are unlikely to need to change them.
_________________ Infralution Support
soloman817
Joined: 26 Sep 2012 Posts: 17
Posted: Thu Nov 22, 2012 2:46 am Post subject:
I have now coded an online license verification policy. If I start many applications, each one will start a background thread to verify the license online periodically, and I control it so that it does not send too frequently from the same machine.
Question 1:
If I have a license with maxAuth=100, say a big number, and then say 100 machines start and they all send online verification requests, will this be considered a DOS attack? What I mean is, does the DOS protection of the auth server use license + IP address to protect against DOS?
Question 2:
If I sell 100 licenses, each with maxAuth=1, and there are 100 machines using those 100 licenses in the same company, behind a firewall, so it will use NAT and the IP address will be the same, will this be considered a DOS attack? So again, the core question is, does the auth server use license + IP address to protect against DOS?
Infralution
Joined: 28 Feb 2005 Posts: 5027
Posted: Thu Nov 22, 2012 3:09 am Post subject:
In both cases these might trigger the DOS protection. It is purely based on IP address and time period. If these are likely scenarios for you then you may want to change the DOS parameters in the config file.
_________________ Infralution Support
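A model of the per-IP protection described in this thread, added here as an example (it is not Infralution's code): a fixed-window call counter keyed only on caller IP, run against a 3-second poller, a 5-minute poller, and 100 machines behind one NAT address. Only the three setting names come from the thread; the fixed-window algorithm, the values 8 calls / 60 seconds, the addresses and all function names are assumptions.

```python
import math

class PerIpLimiter:
    """Fixed-window per-IP call counter: a model, not the service's code."""
    def __init__(self, max_calls_per_ip, reset_period_s, check_caller_ip=True):
        self.max_calls = max_calls_per_ip       # models MaxCallsPerIPAddress
        self.reset_period_s = reset_period_s    # models IPAddressResetPeriod
        self.check_caller_ip = check_caller_ip  # models CheckCallerIP
        self._windows = {}                      # ip -> (window_start, call_count)

    def allow(self, ip, now):
        if not self.check_caller_ip:
            return True
        start, count = self._windows.get(ip, (now, 0))
        if now - start >= self.reset_period_s:  # period elapsed: new window
            start, count = now, 0
        self._windows[ip] = (start, count + 1)
        return count + 1 <= self.max_calls

def polling_schedule(clients, interval_s, duration_s):
    """clients: (source_ip, first_call_time) pairs; each polls every interval_s."""
    return sorted((start + k * interval_s, ip)
                  for ip, start in clients
                  for k in range(int((duration_s - start) // interval_s) + 1))

def first_rejected_call(limiter, schedule):
    """1-based index of the first call the limiter refuses, or None."""
    return next((n for n, (t, ip) in enumerate(schedule, 1)
                 if not limiter.allow(ip, t)), None)

def required_max_calls(n_clients, interval_s, reset_period_s):
    """Worst-case calls from one source IP inside a single reset period."""
    return n_clients * math.ceil(reset_period_s / interval_s)

MAX_CALLS, RESET_S = 8, 60  # constructed values, not the product's defaults
NAT_IP = "203.0.113.10"     # documentation address standing in for a NAT egress

def run_scenarios():
    one = [(NAT_IP, 0)]
    nat = [(NAT_IP, i) for i in range(100)]                # 100 machines, 1 IP
    direct = [(f"198.51.100.{i}", i) for i in range(100)]  # 100 machines, 100 IPs
    cases = {"single_3s": (one, 3, 60), "single_5min": (one, 300, 3600),
             "nat_5min": (nat, 300, 3600), "direct_5min": (direct, 300, 3600)}
    return {name: first_rejected_call(PerIpLimiter(MAX_CALLS, RESET_S),
                                      polling_schedule(*args))
            for name, args in cases.items()}

if __name__ == "__main__":
    print(run_scenarios(), required_max_calls(100, 300, RESET_S))
```

In this model a well-behaved 5-minute poller is refused only when it shares its public address with enough other clients, and `required_max_calls` gives the smallest per-IP limit that admits a given number of clients behind one address.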
soloman817
Joined: 26 Sep 2012 Posts: 17
Posted: Thu Nov 22, 2012 6:01 am Post subject:
Thanks, I will then check the policy.