[Catalyst] Rate limiting password attacks
Steve Atkins
steve at blighty.com
Thu Aug 16 18:32:48 GMT 2007
On Aug 16, 2007, at 10:13 AM, Bill Moseley wrote:
> I'm looking for ideas on how to implement a way to detect and block
> dictionary attacks. This is not a question of how to implement strong
> passwords, but rather the act of limiting logins when too many failed
> passwords have been attempted in some period of time.
>
> I also want to do this regardless if the login name is valid or not.
> So, an attack on a invalid login name will fail after so many attempts
> in a time period just the same as one on a valid login.
>
> The plan is to just report "Exceeded Login attempts -- contact
> support or wait X minutes" kind of thing to the user when they exceed
> the failed consecutive attempt count.
>
> The plan is to use memcached for a counter per (failed) login. The
> cache entry's expires time will be set the first time the cache is
> populated.
>
> This gives an attacker a way to flood the cache, of course, and thus a
> way to prematurely "expire" cache entries.
>
> Also considered issuing a redirect to a simple server that will delay
> the number of failed attempts seconds before redirecting back to the
> login page. Any smart attacker would get clued about this an not
> follow that redirect. Fun anyways, though. ;)
>
> Anyone doing something like this already? Suggestions? Caveats?
One approach I've seen for this doesn't block access once
there's been more than a certain number of failed logins. Instead,
it has two thresholds. After a very few (2 or 3) failed login attempts
it requires the user also enter a captcha when trying to login.
That blocks automated guesses very quickly, but doesn't cause
legitimate users with poor memories to contact support. (I'm
assuming they have a higher threshold of failed attempts
after which they lock the account.)
Cheers,
Steve
More information about the Catalyst
mailing list