Hey guys,
We ran into an issue recently where a customer didn’t have a great understanding of the
OAuth2 authorization process and was submitting many direct grant login requests per
second. They were successfully authenticating each time, so the brute force protection
features don’t apply. It basically ended up being a DoS issue. We also ended up having OOM
issues when trying to query the events for this customer during a scheduled job that we
use to build reports on login events. We’re still running 1.8.2 at the moment, so I’m
wondering if you guys have implemented any kind of rate limiting / DoS prevention that
could have prevented this in one of the later releases? If not, I'm proposing that it
might be worth considering; I could try to contribute something if you like. What do you
guys think?
Thanks,
Cory Snyder
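An added example, not part of the thread above and not Keycloak code, to illustrate the gap the post describes: a brute-force check that only counts failed logins never fires when every request succeeds, while a per-client sliding-window rate limit on successful direct grant (password) logins does. The event lines, the field names, the 1-second window and the thresholds (30 failures, 10 logins per second) are all constructed for this illustration and are not Keycloak's own event format or defaults.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not real server output):
# one client replays a successful direct grant login every 50 ms for ~1 s,
# plus a single genuine failure from an unrelated user.
SAMPLE_EVENTS = [
    f"2016-03-01T10:00:00.{i * 50:03d} type=LOGIN client=reporting-app "
    f"user=svc-report ip=10.0.0.5 grant_type=password"
    for i in range(20)
] + [
    "2016-03-01T10:00:00.400 type=LOGIN_ERROR client=web-app "
    "user=alice ip=10.0.0.9 grant_type=password",
]


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def failure_lockouts(events, max_failures=30):
    """Brute-force style check: counts only LOGIN_ERROR events per user.

    Returns the set of users that would be locked out. Successful logins are
    never counted, which is why a flood of valid credentials passes untouched.
    """
    failures = defaultdict(int)
    for e in events:
        if e["type"] == "LOGIN_ERROR":
            failures[e["user"]] += 1
    return {user for user, n in failures.items() if n >= max_failures}


def rate_limit_violations(events, limit=10, window=timedelta(seconds=1)):
    """Sliding-window rate limit on *successful* direct grant logins.

    Keyed by (client, ip). Returns a dict of offending keys mapped to the
    highest number of logins seen inside any single window. Events must be
    in timestamp order.
    """
    windows = defaultdict(deque)
    violations = {}
    for e in events:
        if e["type"] != "LOGIN" or e.get("grant_type") != "password":
            continue
        key = (e["client"], e["ip"])
        recent = windows[key]
        recent.append(e["ts"])
        # Drop timestamps that have fallen out of the window.
        while recent and e["ts"] - recent[0] >= window:
            recent.popleft()
        if len(recent) > limit:
            violations[key] = max(violations.get(key, 0), len(recent))
    return violations


def analyze(lines):
    """Run both checks over raw event lines; returns (locked_users, rate_violations)."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    return failure_lockouts(events), rate_limit_violations(events)


if __name__ == "__main__":
    locked, flagged = analyze(SAMPLE_EVENTS)
    print("locked out by failure count:", locked or "nobody")
    for (client, ip), peak in flagged.items():
        print(f"rate limit exceeded: client={client} ip={ip} peak={peak}/window")
```

On the constructed input the failure-based check locks nobody out, while the rate limiter flags the replaying client at 20 successful logins within one second. In a real deployment the same counter could be applied per client ID, per source IP, or per user, and the decision taken at the token endpoint before the credential check runs, so the flood is rejected cheaply and never reaches the event store that later blew up the reporting job.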