Thursday, Dec 3, 2015 9:31 PM Russ Allbery wrote: > Standard practice for attackers these days is to automate attacks on any > sort of password-protected system, whether that be web pages, > authentication providers, or anything else that takes a password. Usually > this is done by taking some list of common passwords and some list of > account names and just brute-forcing combinations, although some attackers > do more sophisticated things. > > Obviously, that sort of brute force approach is easy to detect and > throttle, so the next step in the arms race was for attackers to use large > networks of compromised machines, usually home machines behind DSL and > cable modem links, each of which tries a small number of passwords against > a variety of targets to stay below the radar. Those machines were > generally compromised via malware of some kind and are part of a botnet, > without the knowledge of the user of the machine.
Thanks for explaining! I am still a bit puzzled: how does increasing the number of attackers help to bypass the throttling mechanism? Why isn't the throttle per id/password pair, rather than per ip-address/password/id triple? Secondarily, if distributed processing makes throttling per id/password pair difficult, why is it hard to do the botnet IP address matching at the authentication point? This seems like it would avoid a _lot_ of extra processing. -- Sent from Whiteout Mail - https://whiteout.io My PGP key: https://keys.whiteout.io/[email protected]
pgpN48KyHNjrk.pgp
Description: PGP signature
_______________________________________________ Shutup mailing list [email protected] https://www.ietf.org/mailman/listinfo/shutup
