Setting Authentication Failure Timeout
To limit the effectiveness of DOS attacks on failed authentications, you can use the psft_failtimeout Java option. Add this option in the setEnv script and assign a value in seconds. By setting the value to 60 seconds, for example, you override the default session timeout of 120 seconds (two minutes) when a user authentication fails or when a user is not yet authenticated.
SET JAVA_OPTIONS_WIN32=-server -Xms<nnn>m -Xmx<nnn>m -Dpsft_failtimeout=60 -XX:MaxPermSize=<nnn>m -Xcomp
To determine the proper value for this property, you need to check the time in seconds that it takes to send an http(s) request from the browser to the web server and multiply the result by 2.