How to check if a user of my web application is trying to login with different credentials?


I've been trying for 3 days to make or find a good way to detect whether a user is trying to log in to my web application with many login credentials or making a flood attack, so that I can, for example, show a captcha on my login page in this case, but with no luck.

I can tell if there is a user with the login username "xyz" trying many times to log in, but what if a user is trying to log in with many usernames like "xyz1", "xyz2", "xyz3", "admin", "administrator", "root", etc.?

Especially since that user may be trying with different sessions and a hidden IP or many IPs.

If you want a good example, it's something like the Yahoo and Google login pages.

I tried to find a way, with my poor language, by googling and browsing many questions on Stack Overflow, and found no helpful article.

Is an application-managed bean helpful? Is it healthy to use? And what is the correct way to do this, whether with an application-managed bean or any other way?

Best answer:

You can't. As you've discovered yourself, you're not going to be able to reliably protect your web application from within your web application. Your application has the choice to:

  1. Log multiple attempts against a single username. This is fairly basic and you'll find it in many web apps: record failed login attempts against the same username and block further login attempts after a set number of failures. This doesn't stop the attacker from continuing to try.

  2. Log multiple attempts from a single IP address over a span of time. This could be fairly straightforward also, provided you can trust the IP address that's sent with the HTTP request. As you've guessed, it's more likely that you're not going to be able to trust that IP address (it could be spoofed, it could be a proxy, etc.), but you could still log IP addresses and block all registrations/logins from a given IP address. This doesn't stop the attacker from continuing to try either.

What this leaves you with is going outside your application: work with your network infrastructure provider to be able to detect spam and DDoS attacks early, head off the associated packets, and possibly add those IP addresses to blacklists automatically.
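As an added example (not code from the question or the answer), here is a sliding-window tracker in Python that implements the two counters the answer describes, per username and per IP, plus a distinct-usernames-per-IP rule for the "xyz1, xyz2, admin, root" spraying case the question asks about. The class name, thresholds and the event list are constructed for illustration, and the IP it keys on is whatever the application sees, which is exactly as trustworthy as the answer says.

```python
from collections import defaultdict, deque

class LoginAbuseTracker:
    """Sliding-window failed-login counters per username and per source IP (hypothetical
    helper written for this answer): call decision() before handling an attempt and
    record_failure() after a failed one. Timestamps are seconds, e.g. time.time()."""
    def __init__(self, window_seconds=600, user_limit=5, ip_limit=20, ip_distinct_users=5):
        self.window = window_seconds
        self.user_limit = user_limit                # failures per username -> block
        self.ip_limit = ip_limit                    # failures per IP -> block
        self.ip_distinct_users = ip_distinct_users  # distinct usernames per IP -> captcha
        self._by_user = defaultdict(deque)          # username -> deque of (t, username)
        self._by_ip = defaultdict(deque)            # ip -> deque of (t, username)
    def _prune(self, q, now):
        cutoff = now - self.window
        while q and q[0][0] < cutoff:               # drop failures outside the window
            q.popleft()
    def record_failure(self, username, ip, now):
        self._by_user[username].append((now, username))
        self._by_ip[ip].append((now, username))
    def decision(self, username, ip, now):
        # Returns 'allow', 'captcha' or 'block' for the next attempt from (username, ip).
        user_q, ip_q = self._by_user[username], self._by_ip[ip]
        self._prune(user_q, now)
        self._prune(ip_q, now)
        if len(user_q) >= self.user_limit or len(ip_q) >= self.ip_limit:
            return "block"
        # One IP cycling through many usernames (xyz1, xyz2, admin, root ...) trips
        # the distinct-username rule even though no single username is hot.
        if len({name for _, name in ip_q}) >= self.ip_distinct_users:
            return "captcha"
        return "allow"

# Constructed sample events: (seconds, source IP as seen by the app, username, succeeded).
# Behind a proxy that IP is only as trustworthy as the proxy that set it (the answer's caveat).
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "xyz1", False), (5, "203.0.113.7", "xyz2", False),
    (10, "203.0.113.7", "xyz3", False), (15, "203.0.113.7", "admin", False),
    (20, "203.0.113.7", "root", False), (25, "198.51.100.9", "alice", False),
    (30, "198.51.100.9", "alice", False), (35, "198.51.100.9", "alice", False),
    (40, "198.51.100.9", "alice", False), (700, "198.51.100.9", "alice", True),
]

def replay(events, tracker=None):
    # Feed events through the tracker and return the decision taken before each one.
    if tracker is None:
        tracker = LoginAbuseTracker(window_seconds=600, user_limit=3, ip_limit=10, ip_distinct_users=3)
    outcomes = []
    for t, ip, user, succeeded in events:
        outcomes.append(tracker.decision(user, ip, t))
        if not succeeded:
            tracker.record_failure(user, ip, t)
    return outcomes
```

In the sample stream the spraying IP is challenged on its third distinct username while no single account has been hit enough to lock, and the repeated failures against "alice" lock that account until the window has passed.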
