Login Rate Limiting deprecated
The Open-Xchange Middleware offers two rate limiting possibilities. Both act the same way:
- The token bucket algorithm is used
- Before every login attempt, check if login attempt is already rate limited (all tokens/permits exhausted)
- On every failed login attempt due to invalid credentials, decrease the number of possible further attempts (redeem a token/permit) in the defined time frame.
- Once a successful login is performed, rate limit boundaries are dropped
Moreover, both come with the same implications:
- Rate-limit is per Middleware node, i.e. the total number of possible attempts is the number per node times the number of nodes.
- This doesn't really solve a brute-force case where e.g. a large pool of source IP addresses and User-Agents iterates over a pool of user names
They only differ on how the associations take place. One executes the rate limiting of failed login attempts by attributes/characterirstics of HTTP protocol (like value of the User-Agent header and Internet Protocol (IP) address of the client or last proxy that sent the request). A client that exceeds that limit will receive a
"429 Too Many Requests" HTTP error code.
The other one is solely based on the unique user name provided by login. A client that exceeds that limit will receive the
"LGI-0027" HTTP-API error code
Rate Limiting by HTTP attributes/characterirstics
Available with v7.8.0.
com.openexchange.ajax.login.maxRateSpecifies the maximum number of permits that applies to incoming HTTP login requests. Default value is
com.openexchange.ajax.login.maxRateTimeWindowSpecifies the rate limit's time window in which to track incoming HTTP login requests. Default value is
Rate Limiting by login user name
Available with v7.10.1.
com.openexchange.ajax.login.rateLimitByLogin.enabledIf set to
truea rate limiter based on user names for login is enabled. Default is
com.openexchange.ajax.login.rateLimitByLogin.permitsSpecifies the number of available permits for the rate limiter based on user names for login. Default value is
com.openexchange.ajax.login.rateLimitByLogin.timeFrameInSecondsSpecifies the time frame in seconds for the rate limiter based on user names for login. Default value is