Hi List, There were a number of queries about my previous paper "Anti Brute Force Reource Metering". It appears that way too many people havn't yet gotten to grips with some of the more standard/basic methods of preventing automated tools from attacking a web-based application. So, to help the community along, I've pulled together a new whitepaper entitled "Stopping Automated Attack Tools" which covers the most popular/efficient methods of ...wait for it... stopping automated attack tools! The paper covers the 10 most common/successful methods of actively preventing/breaking/stopping attack tools when targeted at a web-based application. In addition, I've added three new groupings explaining how the use of client-side code can strengthen these applications and work to defend against current and future attack tools. An analysis and comparison of the different techniques is also made. Paper Location: http://www.ngssoftware.com/papers/StoppingAutomatedAttackTools.pdf Paper Abstract: An almost infinite array of automated tools exist to spider and mirror application content, extract confidential material, brute force guess authentication credentials, discover code-injection flaws, fuzz application variables for exploitable overflows, scan for common files or vulnerable CGI's, and generally attack or exploit web-based application flaws. While of great value to security professionals, the use of these tools by attackers represents a clear and present danger to all organisations. These automated tools have become increasingly popular for attackers seeking to compromise the integrity of online applications, and are used during most phases of an attack. Whilst there are a number of defence techniques which, when incorporated into a web-based application, are capable of stopping even the latest generation of tools, unfortunately most organisations have failed to adopt them. This whitepaper examines techniques which are capable of defending an application against these tools; providing advice on their particular strengths and weaknesses and proposing solutions capable of stopping the next generation of automated attack tools. Anyhow, I imagine that the paper will be of use to most of you out there...pass it to your organisations web-app developers and get them to read it and implement some of the security techniques. I know my clients will be making good use of the information ;-) Cheers, Gunter Ollmann ------------------------------------------------------ G u n t e r O l l m a n n, MSc(Hons), BSc Professional Services Director Next Generation Security Software Ltd. First Floor, 52 Throwley Way Tel: +44 (0)208 401 0070 Sutton, Surrey, SM1 4BF, UK Fax: +44 (0)208 401 0076 http://www.nextgenss.com http://www.ngssoftware.com ------------------------------------------------------