|Ministry of Railways takes Measures on IRCTC website to control ticket booking using automated software
In furtherance to strengthen its PRS (Passenger Reservation System), Ministry of Railways has taken various measures on IRCTC website to control ticket booking using automated software. In this regard, a Combined Press Conference was held today i.e. 19.01.2016 by the Indian Railways. The Conference was attended by the apex officials namely CMD, IRCTC Shri Dr. A. K. Manocha, MD, CRIS Shri Sanjaya Das, Executive Director, C&IS Shri U. Hazarika Railway Board and other senior officials from Railway Board. The various measures which IRCTC and CRIS now takes to control rail ticket booking by using automated software are as follows : –
Internet ticketing on IRCTC website was started in year 2002 with 29 tickets on the first day. This has now increased to more than 13 lakh tickets booked in a single day (achieved on 01/04/2015).
Internet ticketing on IRCTC website has progressively increased over the years and its share in the total reserved tickets has also progressively increased.
Table-A : Year wise Internet tickets booked.
Table-B : Growth of Internet Ticketing over last five years.
Table-C: Continuously increasing Share of Internet ticketing.
Next Generation e-Ticketing System (NGeT) :
Due to increased demand of e-ticketing and capacity constraint there were problems in ticket booking process and complaints of website slowness and non availability. The Next generation e-ticketing system(NGeT) was launched on 28/04/2014 to handle increased ticket booking. The capacity was increased from 2000 tickets in a minute to 7200 tickets in a minute . The capacity of NGeT was further increased to 15000 tickets in a minute in 2015 to book tickets fast and easily. The e-tickets may be booked easily and faster through website and the IRCTC website is able to handle 15000 tickets per minute at present. The concurrent user connections were increased from 40,000 to 1,20,000 in NGeT, which has further been increased to 3,00,000 before Diwali rush. The enquiries in NGeT have also been increased from 1000 per second to 3000 per second. Capacity in NGeT was increased this year by doubling the servers in integration layer and adding storage space.
A scripting or script language is a programming language that supports scripts, programs written for a special run-time environment that automate the execution of tasks that could alternatively be executed one-by-one by a human operator. Scripting languages are often interpreted (rather than compiled). Primitives are usually the elementary tasks or API calls, and the language allows them to be combined into more complex programs. Environments that can be automated through scripting include software applications, web pages within a web browser, the shells of operating systems (OS), embedded systems, as well as numerous games. The scripting technology is also useful to automate the process of filling the data in web pages at client end. The scripting is available in google chrome, Mozila and other browsers.
CAPTCHA Tells Humans and Computers Apart Automatically. A CAPTCHA is a program that protects websites against attacks by generating multiple automatic requests using scripting technology or other computer program. In general, a CAPTCHA is used to prevent abuse by automated scripts.
Scripting on IRCTC website:
The demand of Tatkal and ARP (Advance Reservation Period) tickets is increasing day by day hence use of Scripting technology is also increasing on IRCTC website client end web pages for filling up the various forms used during ticket booking process for faster booking. This Scripting technology and tools are being used by programmers for developing software like Black TS etc for faster filling the forms used during ticket booking process. The parameters at client end can be easily seen by programmers of any website and may be used for scripting. The scripting tools, technology is available online and Google Chrome and Mozilla Browsers support the scripting. The scripting software for input at client end may be developed easily for any website. Since the scripting at client end cannot be stopped, the impact of the use of scripting technology has been negated by the various checks in the form of Captcha , Time delay and other server side checks. Banks have also implemented OTP in net banking to control the automated booking using scripting software/tools.
Checks Implemented on IRCTC website to stop misuse of Internet Ticket booking facility by the use of automated softwares:
(i) Minimum form filling time check implemented in passenger reservation form.
(ii) Minimum payment time check implemented for payment process.
(iii) Only two Tatkal tickets can be booked for single user ID in opening Tatkal Hrs. i.e 10-12 hours .
(iv) Maximum 10 tickets in a month can be booked on an user ID.
(v) One user can do only one login at one point in a time.
(vi) Only one Tatkal ticket in single session (except return journey).
(vii) Only two opening Tatkal tickets per IP address.
(viii) OTP (One time password) is implemented in net banking payment options.
(ix) Captcha is implemented at login, Reservation Form page and Payment page.
Time taken in Booking of ticket:
The Next Generation e-Ticketing System (NGeT) is able to handle load of 15000 tickets in a minute. Hence 250 tickets can be booked concurrently in a second. At best, an individual user can book his ticket in 35 seconds.. The time taken for ticket booking depends upon the speed of internet at client end, form filling speed of individual and bank response time. At reservation counters, a ticket can be booked in less than 35 seconds.
To stop the misuse of website various time checks and Captcha have been implemented as discussed above. With these checks in place, it is not possible to book any Opening Tatkal ticket by any software being sold in the market earlier than 35 seconds. Tables shown below which indicate first 35 seconds bookings and 36th second to 60th second booking separately at 10:00 AM and 11:00 AM for Opening Tatkal at PRS counters vis a vis IRCTC website.
Table-D: First Minute Tatkal ticket booking in AC Classes at 10:00 AM.
Table-E: First Minute Tatkal ticket booking in Non AC Classes at 11:00 AM.
From the above tables, it is clearly evident that while it is possible to book tickets through human process at PRS counters within first 35 seconds, it is not possible to book any Tatkal ticket in first 35 seconds on IRCTC website even by using scripting software. The claim made by various software sellers in the market that their software can book Tatkal in 10 to 20 seconds is not factually correct. Further, only 5 to 6 Thousand tatkal tickets are booked in the first minute both at PRS counters and IRCTC website put together out of the total 1.5 lakhs Tatkal tickets available on PRS. This again is contrary to the claim made by the media that entire Tatkal tickets are booked within first 30 seconds by using automated software.
Security measures to control Hacking
Multilayered security with deep defense in the NGeT system:
1. State of the art perimeter security in the data center comprising of front-end & backend firewall, network intrusion prevention system, Web application firewall, Security information event management(SIEM) , host intrusion prevention system (HIPS), OS hardening on all servers , Web/App server hardening, database server hardening, Spring security framework in the application software.
2. All best practices for ensuring security in the application software have been followed. All 10 OWASP (Open Web Application Security Project) application software vulnerabilities have been addressed.
3. By dint of these security measures, no hacking attempt has been successful on the NGeT system. All intrusion or Distributed Denial of Service (DDoS) attempts have been thwarted.
Third party audit
Real -time feed of internet traffic to Cert-IN for security alerts:
Packet headers of traffic traversing through internet gateway routers are forwarded in real-time to CERT-In for their analysis & reporting. In response, CERT-In sends real time alerts (in case some malicious activity is detected) and weekly reports.