On Sat, 8 Apr 2000, Nicolas MONNET wrote:

> On Fri, 7 Apr 2000, Ask Bjoern Hansen wrote:
> 
> |And the other way around, there are three gazillion open proxies you can
> |abuse to make requests from different ip addresses.
> |
> |Or a determined attacker might have a lot of different local ip addresses
> |at his disposal he can make requests from.
> 
> Let's be realistic on this one: if the idea is to prevent brute force
> attacks, the fact that the attacker might use a few dozen or for that
> matter a few hundred IPs won't matter much.

Yes, let's be realistic.  IP tracking is totally ruled out by the AOLs and
Mindsprings of the world.  All of their millions of customers come through
the same proxy farms with the same handful of IP addresses.  That means
that you can't throttle requests on a requests-from-ip/second basis.

Use cookies or URL munging.

-jwb
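
The argument above, as an added example that is not code from this thread: the same sliding-window throttle is keyed first on client IP and then on a signed token carried in a cookie or URL. The limit, window, proxy address and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

SECRET = secrets.token_bytes(32)  # server-side signing key (assumed, per process)
LIMIT = 5                         # requests per key per window (constructed value)
WINDOW = 1.0                      # window length in seconds (constructed value)

def issue_token():
    """Return a signed token to set as a cookie or embed in rewritten URLs."""
    sid = secrets.token_hex(16)
    mac = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"

def valid_token(token):
    """Verify the signature so a client cannot mint its own throttle keys."""
    sid, _, mac = (token or "").partition(".")
    good = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), good.encode())

class Throttle:
    """Sliding-window request counter over an arbitrary key."""
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()               # drop hits that left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def simulate(key_by):
    """Constructed traffic: 20 users behind one proxy IP, one request each."""
    throttle = Throttle()
    users = [("198.51.100.7", issue_token()) for _ in range(20)]
    allowed = 0
    for i, (ip, token) in enumerate(users):
        # Unsigned or missing tokens fall back to the IP bucket.
        key = token if key_by == "token" and valid_token(token) else ip
        allowed += throttle.allow(key, now=i * 0.01)
    return allowed  # simulate("ip") -> 5, simulate("token") -> 20
```

Keyed on IP, 15 of the 20 unrelated users behind the shared proxy are refused; keyed on the token, each user gets an independent budget. Token issuance itself still needs a limit, since a client that discards its token is handed a fresh one.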
