Hello,

Yesterday we experienced an odd problem on our CAS servers (cluster of 2). The throttle protection triggered and started to block 100% of requests, even legitimate and non-abusive ones:
../..
2019-09-05 15:18:12,151 WARN [org.apereo.cas.web.support.AbstractThrottledSubmissionHandlerInterceptorAdapter] - <Throttling submission from [A]. More than [100] failed login attempts within [60] seconds. Authentication attempt exceeds the failure threshold [100]>
2019-09-05 15:18:12,652 WARN [org.apereo.cas.web.support.AbstractThrottledSubmissionHandlerInterceptorAdapter] - <Throttling submission from [B]. More than [100] failed login attempts within [60] seconds. Authentication attempt exceeds the failure threshold [100]>
2019-09-05 15:18:13,151 WARN [org.apereo.cas.web.support.AbstractThrottledSubmissionHandlerInterceptorAdapter] - <Throttling submission from [C]. More than [100] failed login attempts within [60] seconds. Authentication attempt exceeds the failure threshold [100]>
2019-09-05 15:18:13,651 WARN [org.apereo.cas.web.support.AbstractThrottledSubmissionHandlerInterceptorAdapter] - <Throttling submission from [D]. More than [100] failed login attempts within [60] seconds. Authentication attempt exceeds the failure threshold [100]>
../..

Throttling triggers at 100 failed attempts in 60 seconds, but according to the documentation it should only block the offending IP address, not every single IP address like it did yesterday.

We are running CAS with Undertow instead of Tomcat, behind a local Apache server, and we have configured MFA (but no one is currently using it). The auth backend is LDAP.

Throttling was set to:

# Throttling ############
# cas.authn.throttle.usernameParameter=username
cas.authn.throttle.schedule.startDelay=PT10S
cas.authn.throttle.schedule.repeatInterval=PT20S
cas.authn.throttle.app-code=CAS
cas.authn.throttle.failure.threshold=100
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.rangeSeconds=60

Changing cas.authn.throttle.failure.threshold from 100 to 1000 yielded the same result: an instant block for any IP address.
We have disabled throttling for now, but we would be happy to have a properly working throttling configuration! Any help appreciated.

Patrick PRONIEWSKI
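As an added example (not part of the original thread and not code from the CAS project), the following Python shows two things a defender would want around the symptom above: a reference sliding-window throttle keyed by client address, so that an address exceeding the threshold is blocked on its own without affecting other addresses, and a small parser over CAS-style "Throttling submission from [...]" log lines that raises an alert when the throttle fires against many distinct addresses within a few seconds, which is exactly the "everyone is blocked" pattern in the quoted log. The threshold (100), window (60 seconds) and log format are taken from the post; the sample log lines, the addresses 10.0.0.1/10.0.0.2 and the alert parameters (3 distinct addresses within 10 seconds) are constructed assumptions.

```python
"""Added example: per-address sliding-window throttle plus a detector for
mass-throttling in CAS-style logs. Not code from the CAS project."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 100      # cas.authn.throttle.failure.threshold, as in the post
RANGE_SECONDS = 60   # cas.authn.throttle.failure.rangeSeconds, as in the post


class PerAddressThrottle:
    """Sliding-window failure counter keyed by client address only."""

    def __init__(self, threshold=THRESHOLD, range_seconds=RANGE_SECONDS):
        self.threshold = threshold
        self.window = timedelta(seconds=range_seconds)
        self.failures = defaultdict(deque)  # address -> failure timestamps

    def record_failure(self, address, when):
        self.failures[address].append(when)

    def is_throttled(self, address, now):
        """True only if *this* address exceeded the threshold in the window."""
        q = self.failures[address]
        while q and now - q[0] > self.window:  # age out old failures
            q.popleft()
        return len(q) > self.threshold


def demo_per_address_isolation():
    """One address with 101 failures is throttled; another address with a
    single failure is not; the abusive address is released once its
    failures fall outside the window. Addresses are constructed."""
    t0 = datetime(2019, 9, 5, 15, 17, 0)
    th = PerAddressThrottle()
    for i in range(THRESHOLD + 1):
        th.record_failure("10.0.0.1", t0 + timedelta(milliseconds=i))
    th.record_failure("10.0.0.2", t0)
    now = t0 + timedelta(seconds=1)
    later = t0 + timedelta(seconds=RANGE_SECONDS + 2)
    return (th.is_throttled("10.0.0.1", now),
            th.is_throttled("10.0.0.2", now),
            th.is_throttled("10.0.0.1", later))


# Matches the WARN line format quoted in the post.
LOGGER = "org.apereo.cas.web.support.AbstractThrottledSubmissionHandlerInterceptorAdapter"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} WARN \["
    + re.escape(LOGGER)
    + r"\] - <Throttling submission from \[(?P<addr>[^\]]+)\]\."
)


def parse_throttle_events(lines):
    """Return (timestamp, address) for every throttling WARN line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("addr")))
    return events


def mass_throttle_alerts(events, distinct_limit=3, window_seconds=10):
    """Return (timestamp, sorted addresses) whenever at least `distinct_limit`
    distinct addresses were throttled within `window_seconds`. A correctly
    keyed throttle should rarely hit many unrelated addresses at once."""
    alerts = []
    window = timedelta(seconds=window_seconds)
    recent = deque()
    for ts, addr in sorted(events):
        recent.append((ts, addr))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        distinct = {a for _, a in recent}
        if len(distinct) >= distinct_limit:
            alerts.append((ts, sorted(distinct)))
    return alerts


def _line(ts, addr):  # builds a constructed log line in the post's format
    return (f"{ts} WARN [{LOGGER}] - <Throttling submission from [{addr}]. "
            f"More than [{THRESHOLD}] failed login attempts within "
            f"[{RANGE_SECONDS}] seconds. Authentication attempt exceeds the "
            f"failure threshold [{THRESHOLD}]>")


SAMPLE_LOG = [  # constructed, mirroring the lines quoted in the post
    _line("2019-09-05 15:18:12,151", "A"),
    _line("2019-09-05 15:18:12,652", "B"),
    _line("2019-09-05 15:18:13,151", "C"),
    _line("2019-09-05 15:18:13,651", "D"),
    "2019-09-05 15:18:14,000 INFO [some.other.Logger] - <unrelated line>",
]

if __name__ == "__main__":
    print("isolation (abusive, legit, abusive-later):", demo_per_address_isolation())
    for ts, addrs in mass_throttle_alerts(parse_throttle_events(SAMPLE_LOG)):
        print(f"ALERT {ts}: throttle hit {len(addrs)} distinct addresses {addrs}")
```

Running the block against the constructed sample prints one alert per event once three or more distinct addresses have been throttled inside the 10-second window, which is the condition to watch for in a SIEM when a throttle is suspected of blocking everyone rather than the offender.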