Throttling is a new security setting available in NATS 4.1, which allows you to lock out surfers for a specified period of time if they make too many attempts on certain pages in NATS. This helps prevent transaction authorization strings from being guessed by brute force, so surfers cannot complete transactions without paying for them and being redirected with a correct auth string.
Once a surfer reaches the maximum number of attempts that you set for any of the available pages here, they will be redirected to a template which you can customize to display whatever message you want.
Setting Up Throttling
The NATS Throttling settings can be found in the "Security Configuration" page in the Configuration Admin. To begin configuring your settings, navigate to the Configuration Admin, and choose "Security" from the Current Section drop-down menu at the top of the page.
You'll find a variety of settings in the "Throttling" section on this page. NATS 4.1 allows you to apply these settings to six pages -- approved.php (initial member approval), upgradeplus.php (instant upgrades), upgraded.php (member upgraded), upsellplus.php (upsells), packageplus.php (package upgrades), tokenplus.php (token rebuys), cancelplus.php (member cancellations), verifyplus.php (member verification against 3rd party systems like ATVOD), signupplus.php (member re-activations), signup_validation.php (AJAX validation of the join forms), password.php (member forgot password page), the PATCH /member/forget API function and login.php (member login page).
Each of these pages contains the same three settings, which allow you to customize how you want to throttle surfer attempts on accessing these pages. These settings include:
- THROTTLE_X - Choose which surfer action counts as a page attempt for throttling purposes. This can be set to "Off" (disables throttling for that page), "Every Page Request" (counts every time this page is loaded), or "Failed Page Authentication Only" (counts every time authentication fails for this page).
- THROTTLE_X_MAX_COUNT - The maximum number of surfer attempts allowed on the page being throttled. Each attempt is defined by what you selected for the THROTTLE_X setting above. For example, if you set THROTTLE_APPROVED to Every Page Request, this count is incremented every time a surfer attempts to access the approved.php page. By default, this setting allows five (5) attempts on each page before throttling a surfer.
- THROTTLE_X_TIME_LIMIT - Sets the amount of time, in seconds, that NATS waits before clearing the count for a prior attempt made to a page listed here. By default, this setting is 3600 seconds. Each attempt is timed separately, so if a surfer makes three consecutive attempts and then two more attempts two hours later, the first three attempts are cleared once their time limit expires, and the two later attempts are cleared once their own time limit expires.
Each of these settings is the same for every page available to be throttled in this section. For example, you will see THROTTLE_APPROVED, THROTTLE_UPGRADEPLUS, THROTTLE_UPGRADED, THROTTLE_UPSELLPLUS, THROTTLE_PACKAGEPLUS, THROTTLE_TOKENPLUS, THROTTLE_CANCELPLUS, THROTTLE_DUPLICATE, THROTTLE_VERIFYPLUS, THROTTLE_SIGNUPPLUS, THROTTLE_SIGNUP_VALIDATION, THROTTLE_PASSWORD, THROTTLE_FORGET_MEMBER and THROTTLE_LOGIN here.
So as an example, you can set the throttling settings for your approved.php page to "Failed Page Authentication Only" with a maximum count of 5, and a time limit of 3600 seconds. This will allow a maximum of 5 failed attempts to the approved.php page, with each failed attempt being cleared an hour after the attempt occurred.
Once a surfer reaches the maximum amount of attempts you have allowed on a page, they will be automatically redirected to a template displaying a message of your choosing. As this template is blank by default, you will need to edit it before enabling your throttling settings.
To do so, go to the Sites Admin and edit the site templates for each site you have configured. Locate the throttling_security and throttling_security_mobile templates on the next page -- these will be displayed when a member reaches the maximum allowed amount of attempts that you set.
Edit these templates to display whatever you want to your surfers. The throttling_security_mobile template will be displayed to surfers using mobile devices, and the throttling_security template will be displayed to all other surfers.
White List/Black List
In addition to configuring throttling settings for individual pages in NATS, you can also add specific IP addresses to a "White List" and a "Black List." Surfers coming from an IP added to the White List will automatically skip the throttling checks, while surfers coming from an IP added to the Black List will automatically fail the throttling checks and be redirected towards your throttling_security template.
To use the White List/Black List features, simply go to your Throttling settings, located on the "Security" page in the Configuration Admin. Add any IP addresses you want to automatically approve to the THROTTLE_WHITE_LIST_IPS field, separated by commas. Add any IP addresses you want to automatically prevent from reaching the pages listed here to the THROTTLE_BLACK_LIST_IPS field, separated by commas.
Once you have finished entering IP addresses, save your settings. Any IP addresses added to your White List will automatically skip your throttling checks, and any IP addresses added to your Black List will automatically be rejected from any of the pages listed here.
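The following is an added example, not NATS code, that models the per-page settings described above (THROTTLE_X mode, THROTTLE_X_MAX_COUNT, THROTTLE_X_TIME_LIMIT with each attempt expiring on its own) together with the White List/Black List checks. Timestamps are plain seconds, the IP addresses are constructed samples, and the assumption that a request served while throttled is not itself added to the count is ours.

```python
OFF = "Off"
EVERY_REQUEST = "Every Page Request"
FAILED_AUTH_ONLY = "Failed Page Authentication Only"

def parse_ip_list(value):
    """Split a comma-separated THROTTLE_*_LIST_IPS value into a set of IPs."""
    return {ip.strip() for ip in value.split(",") if ip.strip()}

class PageThrottle:
    """Model of one page's THROTTLE_X, THROTTLE_X_MAX_COUNT and THROTTLE_X_TIME_LIMIT."""

    def __init__(self, mode, max_count=5, time_limit=3600, white_list="", black_list=""):
        self.mode = mode
        self.max_count = max_count      # attempts allowed before the redirect
        self.time_limit = time_limit    # seconds each attempt stays counted
        self.white = parse_ip_list(white_list)
        self.black = parse_ip_list(black_list)
        self.attempts = {}              # ip -> timestamps of counted attempts

    def live_attempts(self, ip, now):
        """Each attempt expires on its own, time_limit seconds after it was made."""
        live = [t for t in self.attempts.get(ip, []) if now - t < self.time_limit]
        self.attempts[ip] = live
        return live

    def check(self, ip, now, auth_ok=True):
        """Return 'allow', or 'throttled' meaning redirect to throttling_security."""
        if ip in self.white:            # White List: skip the throttling checks
            return "allow"
        if ip in self.black:            # Black List: always fail the check
            return "throttled"
        if self.mode == OFF:
            return "allow"
        live = self.live_attempts(ip, now)
        if len(live) >= self.max_count:
            return "throttled"          # assumption: a blocked request is not counted
        if self.mode == EVERY_REQUEST or (self.mode == FAILED_AUTH_ONLY and not auth_ok):
            live.append(now)            # this request counts under the selected mode
        return "allow"

def approved_page_scenario():
    """The approved.php example: Failed Page Authentication Only, 5 attempts, 3600 s."""
    throttle = PageThrottle(FAILED_AUTH_ONLY, max_count=5, time_limit=3600)
    ip = "203.0.113.9"                  # constructed sample address
    results = [throttle.check(ip, t, auth_ok=False) for t in (0, 1, 2)]      # 3 failures
    results += [throttle.check(ip, t, auth_ok=False) for t in (7200, 7201)]  # 2 h later: first 3 expired
    results.append(throttle.check(ip, 7202, auth_ok=True))                   # success: not counted
    results += [throttle.check(ip, t, auth_ok=False) for t in (7203, 7204, 7205, 7206)]
    return results                      # 9 x 'allow', then 'throttled' on the 6th live failure
```

The scenario shows why the sliding per-attempt expiry matters: the three failures from two hours earlier no longer count, so the surfer is only redirected once five failures fall inside the same 3600-second window.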