Vulnerability to denial of service attack

Overview: A library raised the following issue after having several users rendered inactive due to invalid credential attempts. Please note that identifying information has been anonymized for this ticket submission:

A system which has a publicly accessible log-in page and permanently locks an account after failed authentication attempts is vulnerable to a denial-of-service attack, which is aggravated if that system doesn't have source-based rate-limiting. To estimate our vulnerability, I created and set passwords for 10,000 test accounts in [a] test FOLIO instance.[2] Then I hastily put together and executed a command to lock those accounts:[3] It locked all 10,000 in less than twenty minutes.

1. Our production FOLIO instance has [tens of thousands of] active accounts.

1. To approximate the abilities of a mischievous freshman, I gave

     myself ten minutes to come up with this: I used my browser's

     debugger to capture the form submission at the log-in page as a

     Curl command and saved that as a script with the username

     parameterized such that:

       ./fail-login [username]

     would make one failed attempt to log in to my account. I then

     executed:

       cat users users users users users |

           xargs parallel-moreutils -j 100 \

               "./fail-login.sh" –

     Our hypothetical freshman wouldn't have trouble getting a nearly

     complete list of real usernames to use, since anyone on [the university's]

     network can retrieve a list of campus usernames from [the university's]

     directory server or several other sources.