Impact on server load caused by brute-force attacks

May 11, 2021
Darko G.

I have examined the load reduction performance against brute-force attacks by using IP Location Block. I report the result in this article.

A shell program

The attack.sh is a shell program that measures the load of malicious burst accesses to WordPress back-end such as wp-comments-post.php, xmlrpc.php, wp-login.php, wp-admin/admin-ajax.php using ApacheBench.

 

It gives an emulation of spam comment, pingback spam, login attempt, and malicious access to the admin-ajax with 5 multiple requests at a time
throughout 60 seconds.

Test environment

I set up the testbed in my local PC which specifications are followings:

Category Description
Hardware MacBook Pro / 2.8GHz Core i7 / Memory 16GB
Software OS X 10.9.5 / MAMP 2.0 (Apache 0.2.2.22, PHP 5.4.4)
WordPress 4.3 / Site Language: English

And here are the plugins installed in the above environments:

Plugins

Speaking generally, it is better to separate the hardware on each side of requesting and responding because those have an influence on each other. But unfortunately, I don’t have any such rich environments. So please take it into consideration when you see the results.

Plugins configuration

Wordfence has a lot of options. So I leave them just after installation.

On the other hand, options for IP Location Block 0.2.1.5 are changed as follows:

Validation target settings

The results

At the beginning of each test, the DB was optimized using Optimize Database after Deleting Revisions.

I picked up only “Requests per second”, “Time per request (across all concurrent requests)” from the results of ApacheBench which indicate the performance of load reduction. The higher in “Requests/sec” and the lower in “Time/req [ms]” are better.

The “IGB” means “IP Location Block”, “WFS” means “Wordfence Security”. And “ON” indicates “Activate” and “OFF” indicates “Deactivate”.

wp-comments-post.php

IGB WFS Requests/sec Time/req [ms]
OFF OFF 4.54 220.073
OFF ON 4.02 248.843
ON ON 5.98 167.262
ON OFF 6.33 157.940

xmlrpc.php

IGB WFS Requests/sec Time/req [ms]
OFF OFF 6.13 163.065
OFF ON 5.49 182.308
ON ON 5.33 187.570
ON OFF 5.81 172.120

wp-login.php

IGB WFS Requests/sec Time/req [ms]
OFF OFF 6.43 155.479
OFF ON 4.97 201.078
ON ON 5.98 167.145
ON OFF 6.23 160.487

When both “IGB” and “WFS” are “ON”, I got the following email:

A user with IP address WWW.XXX.YYY.ZZZ has been locked out from the signing
in or using the password recovery form for the following reason: Exceeded
the maximum number of login failures which is: 20. The last username they
tried to sign in with was: ‘admin’

where “WWW.XXX.YYY.ZZZ” is an IP address which is set by attack.sh. And there are no validation logs in IP Location Block. It means that the execution priority of Wordfence is higher than IP Location Block.

wp-admin/admin-ajax.php

IGB WFS Requests/sec Time/req [ms]
OFF OFF 5.51 181.351
OFF ON 5.00 200.071
ON ON 5.53 180.822
ON OFF 6.03 165.840

Conclusion

Speaking about the site performance, more plugins leads to less speed. The results show that the performance of load reduction by IP Location Block against brute-force attacks is not so outstanding, but I think it minimizes a rise of the load.
emoji

UPDATED:
The result in this article was base on 0.2.1.5. When it comes to 0.2.2.2, the performance had been improved by 25% at the maximum.

Leave a Reply

Your email address will not be published.

© 2022 - IP Location Block by IDEOLOGIX Media