Setting Authentication Failure Timeout
To limit the effectiveness of DoS attacks on failed authentications, you can use the psft_failtimeout Java option. Add this option in the setEnv script and assign a value in seconds. By setting the value to 60 seconds, for example, you override the default session timeout of 120 seconds (two minutes) when a user authentication fails or when a user is not yet authenticated.
For example:
SET JAVA_OPTIONS_WIN32=-server -Xms256m -Xmx256m -Dpsft_failtimeout=60 -XX:MaxPermSize=128m -Xcomp
To determine the proper value for this property, measure the time in seconds that it takes to send an HTTP(S) request from the browser to the web server, and multiply the result by 2.
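
The following check is an added example, not part of the original documentation: it reads a setEnv script, finds each JAVA_OPTIONS_* assignment, and reports whether psft_failtimeout is set, is shorter than the 120-second default, and is at least twice the measured request time. Variable names other than JAVA_OPTIONS_WIN32, the status labels, and the sample script are assumptions made for the example.

```python
import math
import re

DEFAULT_TIMEOUT = 120  # default session timeout in seconds, as stated above

# "SET JAVA_OPTIONS_WIN32=..." is the form shown above; the sh-style form and
# any other JAVA_OPTIONS_* names are assumptions of this example.
OPTS_RE = re.compile(
    r'^\s*(?:set\s+|export\s+)?(JAVA_OPTIONS_\w+)\s*=\s*"?(.*?)"?\s*$', re.I)
FAIL_RE = re.compile(r'(?:^|\s)-Dpsft_failtimeout=(\S*)')


def audit_setenv(text, request_seconds):
    """Return (variable, status, detail) for every JAVA_OPTIONS_* assignment."""
    # Sizing rule from the text: proper value = 2 x measured request time.
    floor = math.ceil(2 * request_seconds)
    findings = []
    for line in text.splitlines():
        m = OPTS_RE.match(line)
        if not m:
            continue  # comments and unrelated lines
        var, values = m.group(1), FAIL_RE.findall(m.group(2))
        if not values:
            findings.append((var, "MISSING", f"default {DEFAULT_TIMEOUT}s applies"))
        elif len(values) > 1:
            findings.append((var, "AMBIGUOUS", "option given more than once"))
        elif not values[0].isdecimal() or int(values[0]) == 0:
            findings.append((var, "INVALID", f"not a positive integer: {values[0]!r}"))
        elif int(values[0]) >= DEFAULT_TIMEOUT:
            findings.append((var, "NOT_SHORTER", f"{values[0]}s >= default"))
        elif int(values[0]) < floor:
            findings.append((var, "TOO_LOW", f"{values[0]}s < 2 x request time ({floor}s)"))
        else:
            findings.append((var, "OK", f"{values[0]}s"))
    return findings


# Constructed sample input, not a real setEnv script.
SAMPLE = """\
REM constructed sample
SET JAVA_OPTIONS_WIN32=-server -Xms256m -Xmx256m -Dpsft_failtimeout=60 -XX:MaxPermSize=128m -Xcomp
JAVA_OPTIONS_LINUX="-server -Xms256m -Xmx256m"
JAVA_OPTIONS_AIX="-Xms256m -Dpsft_failtimeout=300"
JAVA_OPTIONS_HPUX="-Xms256m -Dpsft_failtimeout=2"
"""

if __name__ == "__main__":
    for finding in audit_setenv(SAMPLE, request_seconds=1.5):
        print(*finding, sep="\t")
```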