Infralution Support
Support groups for Infralution products

is there a freq limit for IsAuthenticated call?

 
soloman817



Joined: 26 Sep 2012
Posts: 17

Posted: Tue Oct 09, 2012 6:05 am

Hi,

In order to support license transfer, I just added a background thread to do an authentication status check, following this post: http://www.infralution.com/phpBB2/viewtopic.php?t=2328

To test, I set the interval of the background thread to 3 seconds. But the strange thing is that after nearly 9 status checks it reports not authenticated:

[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
License is authenticated.
[|0.5; 1.5; 2.5; 3.5; 4.5; 5.5; 6.5; 7.5; 8.5; 9.5|]
The license is no longer authenticated.

I know that in the FAQ code the interval is 5 minutes, so does it mean there is a request frequency check in the auth server? If true, what is that frequency? I need this confirmed to make sure this method will not behave wrongly.

Regards,
Xiang.
soloman817



Joined: 26 Sep 2012
Posts: 17

Posted: Tue Oct 09, 2012 6:11 am

PS: because I'm protecting a library, not an application, I set the thread to be a background thread:

Code:
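// Run the periodic license check on a background thread so that it
// does not keep the host process alive when the application exits.
if (_license != null)
{
    Thread thread = new Thread(new ThreadStart(CheckLicenseThread));
    thread.IsBackground = true;
    thread.Start();
}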


Will this be a problem?
Infralution



Joined: 28 Feb 2005
Posts: 5027

Posted: Tue Oct 09, 2012 9:36 pm

Yes there is some code in the Authentication Service to help protect against Denial of Service (DoS) attacks where an attack floods your website with repeated requests. You can find the settings which control this in the Authentication Service Web.Config.

  • CheckCallerIP - if true DoS protection is used
  • MaxCallsPerIPAddress - the number of calls allowed from a given IP address within a set period of time
  • IPAddressResetPeriod - the number of seconds before the time period resets

_________________
Infralution Support
soloman817



Joined: 26 Sep 2012
Posts: 17

Posted: Wed Oct 10, 2012 12:27 am

Thanks for pointing out where it is. I checked the local auth server (in Program Files), and it is there in the Web.Config.

But when checking my live website, it seems it is encrypted...

There are 3 child nodes of <configuration>:
1) appSettings and configProtectionProvider is set to rsa
2) connectionStrings and configProtectionProvider is set to rsa
3) system.web

So, uhmm, I guess I need to install it again and not encrypt the config to see what it is.

BTW, if later we can see these settings from Tracker, that would be better.
Infralution



Joined: 28 Feb 2005
Posts: 5027

Posted: Wed Oct 10, 2012 1:06 am

Yes you are right. You would need to run the Install.aspx page and not encrypt the configuration. Then you could change the settings if you want and run the Install again to encrypt them. The reason they are in the Web.Config is that you are unlikely to need to change them.
_________________
Infralution Support
soloman817



Joined: 26 Sep 2012
Posts: 17

Posted: Thu Nov 22, 2012 2:46 am

I am now coding an online license verification policy. If I start many applications, each one will start a background thread to verify the license online periodically, and I control it so that requests are not sent too frequently from the same machine.

Question 1:
If I have a license with maxAuth=100, say a big number, and then say 100 machines start and they all send online verification requests, will this be considered a DOS attack? What I mean is, does the DOS protection of the auth server use license + IP address to protect against DOS?

Question 2:
If I sell 100 licenses, each with maxAuth=1, but the 100 machines using those 100 licenses are in the same company, behind a firewall, so they use NAT and the IP address will be the same, will this be considered a DOS attack? So again, the core question is, does the auth server use license + IP address to protect against DOS?
Infralution



Joined: 28 Feb 2005
Posts: 5027

Posted: Thu Nov 22, 2012 3:09 am

In both cases these might trigger the DOS protection. It is purely based on IP address and time period. If these are likely scenarios for you then you may want to change the DOS parameters in the config file.
_________________
Infralution Support
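
The per-IP, per-period limit described in the replies above, modelled as an added example (not Infralution's code and not part of the original posts). The limiter class, the limit of 8 calls per 60 seconds, the 1-second stagger and the IP address are constructed assumptions, not product defaults.

```python
# Added model of a limiter keyed only by caller IP, as the thread describes.
# All numbers are constructed for illustration; they are not product defaults.

class PerIpWindowLimiter:
    """Fixed-window call counter per IP (hypothetical stand-in for the service)."""

    def __init__(self, max_calls_per_ip, reset_period_s):
        self.max_calls = max_calls_per_ip   # plays the role of MaxCallsPerIPAddress
        self.period = reset_period_s        # plays the role of IPAddressResetPeriod
        self.state = {}                     # ip -> (window_start, calls_in_window)

    def allow(self, ip, now):
        start, calls = self.state.get(ip, (None, 0))
        if start is None or now - start >= self.period:
            start, calls = now, 0           # period elapsed: counter resets
        calls += 1
        self.state[ip] = (start, calls)
        return calls <= self.max_calls


def first_rejection(limiter, ip, clients, interval_s, duration_s):
    """Return (time_s, client) of the first rejected check, or None.

    `clients` machines share one public `ip` (NAT); each checks every
    `interval_s` seconds, with start times staggered by 1 s per client.
    """
    rounds = duration_s // interval_s + 1
    events = sorted((c + k * interval_s, c)
                    for c in range(clients) for k in range(rounds))
    for t, client in events:
        if t <= duration_s and not limiter.allow(ip, t):
            return t, client
    return None


def sufficient_max_calls(clients, interval_s, reset_period_s):
    """A per-IP limit that is always enough for `clients` pollers behind one
    address: each client fits at most ceil(period / interval) calls in a window."""
    return clients * -(-reset_period_s // interval_s)


if __name__ == "__main__":
    nat_ip = "203.0.113.10"  # documentation address, constructed
    print(first_rejection(PerIpWindowLimiter(8, 60), nat_ip, 1, 3, 60))       # one fast poller
    print(first_rejection(PerIpWindowLimiter(8, 60), nat_ip, 100, 300, 600))  # 100 behind NAT
    print(sufficient_max_calls(100, 300, 60))
```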
soloman817



Joined: 26 Sep 2012
Posts: 17

Posted: Thu Nov 22, 2012 6:01 am

Thanks, I will then check the policy.