In article <40FD7A89.10500@xxxxxxxxxxx>, John W. Holmes wrote:Daevid Vincent wrote:
Similarly, I could adjust my brute force attack to sleep() a pre-determined amount of time too ;-)
Uhmmm.. how effective is a brute force attack where you can only try one combination per second? It's going to take you a while to get through that dictionary.
You're mistaken here. Every kiddie knows he has to fork 50 concurrent
threads that try to authenticate...
That's still only 50 guesses a second compared to thousands when your server gives an immediate good or bad response. Like I said, this is just another layer you can add in addition to what you have below. It doesn't hurt anything if implemented correctly and it only serves to hassle those abusing the system. Defense in depth. :)
I'd suggest to have 2 queues for failed authentication attempts. One containing (ip - timestamp) pairs, the other containing (username - timestamp) pairs.
Every time someone tries to authenticate, you count the number of failures in both queues. The larger the number, the longer the sleep will take. (removing old entries once in a while might speed up things)
-- ---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com
-- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
