On Aug 16, 2007, at 10:13 AM, Bill Moseley wrote:

I'm looking for ideas on how to implement a way to detect and block
dictionary attacks.  This is not a question of how to implement strong
passwords, but rather the act of limiting logins when too many failed
passwords have been attempted in some period of time.

I also want to do this regardless if the login name is valid or not.
So, an attack on an invalid login name will fail after so many attempts
in a time period just the same as one on a valid login.

The plan is to just report "Exceeded Login attempts -- contact
support or wait X minutes" kind of thing to the user when they exceed
the failed consecutive attempt count.

The plan is to use memcached for a counter per (failed) login.  The
cache entry's expires time will be set the first time the cache is
populated.

This gives an attacker a way to flood the cache, of course, and thus a
way to prematurely "expire" cache entries.

Also considered issuing a redirect to a simple server that will delay
the number of failed attempts seconds before redirecting back to the
login page. Any smart attacker would get clued about this and not
follow that redirect.  Fun anyways, though. ;)

Anyone doing something like this already?  Suggestions? Caveats?

One approach I've seen for this doesn't block access once
there's been more than a certain number of failed logins. Instead,
it has two thresholds. After a very few (2 or 3) failed login attempts
it requires the user to also enter a captcha when trying to log in.

That blocks automated guesses very quickly, but doesn't cause
legitimate users with poor memories to contact support. (I'm
assuming they have a higher threshold of failed attempts
after which they lock the account.)

Cheers,
  Steve
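As an added illustration (not code from either message, and in Python rather than Perl), the per-login counter Bill describes combined with Steve's two thresholds: the expiry is fixed when the key is first created, the key is derived from the submitted login name whether or not it exists, and the count maps to "ok", "captcha" or "locked". FakeMemcache is a constructed stand-in exposing only add/incr/get; the 3 and 10 thresholds and the 15-minute window are assumed values.

```python
from dataclasses import dataclass, field


@dataclass
class FakeMemcache:
    """Constructed stand-in for a memcached client (add/incr/get only).
    'now' is an injectable clock so expiry can be exercised offline."""
    now: float = 0.0
    store: dict = field(default_factory=dict)

    def _live(self, key):
        entry = self.store.get(key)
        if entry and entry[1] > self.now:
            return entry
        self.store.pop(key, None)  # expired (or never set)
        return None

    def add(self, key, value, ttl):
        # memcached 'add' semantics: only succeeds when the key is absent
        if self._live(key):
            return False
        self.store[key] = [value, self.now + ttl]
        return True

    def incr(self, key):
        entry = self._live(key)
        if entry is None:
            return None
        entry[0] += 1
        return entry[0]

    def get(self, key):
        entry = self._live(key)
        return entry[0] if entry else None


class LoginThrottle:
    CAPTCHA_AFTER, LOCK_AFTER, WINDOW = 3, 10, 15 * 60  # assumed policy

    def __init__(self, cache):
        self.cache = cache

    def _key(self, login):
        # Keyed on the submitted name, so unknown logins are throttled too.
        return "failed_login:" + login.strip().lower()

    def state(self, login):
        n = self.cache.get(self._key(login)) or 0
        return "locked" if n >= self.LOCK_AFTER else \
               "captcha" if n >= self.CAPTCHA_AFTER else "ok"

    def record_failure(self, login):
        key = self._key(login)
        # add() succeeds only on the first failure of a window, so the expiry
        # is set once; later incr() calls count but never extend the window.
        if not self.cache.add(key, 1, self.WINDOW):
            if self.cache.incr(key) is None:  # key expired between the calls
                self.cache.add(key, 1, self.WINDOW)
        return self.state(login)
```

Note that a missing key is treated as zero failures, so an entry evicted by the cache flooding Bill mentions silently resets the count.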

_______________________________________________
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/