Stefan Miklosovic created CASSANDRA-19734:
---------------------------------------------

             Summary: Rate limiting on failed log-in attempts
                 Key: CASSANDRA-19734
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19734
             Project: Cassandra
          Issue Type: New Feature
            Reporter: Stefan Miklosovic
            Assignee: Stefan Miklosovic


If there is a malicious attacker who is brute-forcing passwords / usernames, we 
should just ban such a user for some time. On the other hand, we should enable 
logging in for genuine users who just happened to provide invalid passwords 
multiple times; we do not want to ban these completely. 

A rate limit might be something like "5 times per minute".

This should be based on the IP address of a client to identify the attacker. If we 
based this on invalid passwords only, an attacker might just change the 
usernames to bypass that.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
