[Catalyst] Rate limiting password attacks

Bill Moseley moseley at hank.org
Thu Aug 16 18:13:13 GMT 2007


I'm looking for ideas on how to implement a way to detect and block
dictionary attacks.  This is not a question of how to implement strong
passwords, but rather the act of limiting logins when too many failed
passwords have been attempted in some period of time.

I also want to do this regardless of whether the login name is valid or not.
So, an attack on an invalid login name will fail after so many attempts
in a time period just the same as one on a valid login.

The plan is to just report "Exceeded Login attempts -- contact
support or wait X minutes" kind of thing to the user when they exceed
the failed consecutive attempt count.

The plan is to use memcached for a counter per (failed) login.  The
cache entry's expires time will be set the first time the cache is
populated.

This gives an attacker a way to flood the cache, of course, and thus a
way to prematurely "expire" cache entries.

Also considered issuing a redirect to a simple server that will delay
the number of failed attempts seconds before redirecting back to the
login page. Any smart attacker would get clued about this and not
follow that redirect.  Fun anyways, though. ;)

Anyone doing something like this already?  Suggestions? Caveats?


-- 
Bill Moseley
moseley at hank.org
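Added illustration of the counter-per-login design described in the post above (this is example code, not part of Bill's message or of Catalyst). It assumes a memcached-style client with add/incr/get/delete; the `FakeMemcache` class below is a constructed in-memory stand-in so the example runs offline, the `LoginRateLimiter` class and its method names are hypothetical, and the limits (5 failures, 15-minute window) are example values. The memcached idiom for "set the expiry the first time the cache is populated" is `add` (which only creates an absent key) followed by `incr`, which preserves the existing expiry, so later failures do not extend the window.

```python
"""Failed-login rate limiting with memcached-style counters (added example).

One counter per attempted login name, valid or not, with the window expiry
fixed when the counter is first created, and a lockout once the count
reaches a threshold.  While locked, the password is not even checked, so
valid and invalid names behave identically.
"""
import time
from typing import Callable, Dict, Optional, Tuple


class FakeMemcache:
    """Constructed in-memory substitute for a memcached client; implements
    only the calls the limiter uses, with the same semantics."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._data: Dict[str, Tuple[int, float]] = {}  # key -> (value, expires_at)

    def _live(self, key: str) -> bool:
        entry = self._data.get(key)
        if entry is None:
            return False
        if entry[1] <= self._clock():       # expired: drop on read, as memcached does
            del self._data[key]
            return False
        return True

    def add(self, key: str, value: int, expire: int) -> bool:
        """Create the key only if absent; this is where the expiry is set."""
        if self._live(key):
            return False
        self._data[key] = (value, self._clock() + expire)
        return True

    def incr(self, key: str, delta: int = 1) -> Optional[int]:
        """Atomic increment that keeps the original expiry; None if absent."""
        if not self._live(key):
            return None
        value, expires_at = self._data[key]
        self._data[key] = (value + delta, expires_at)
        return value + delta

    def get(self, key: str) -> Optional[int]:
        return self._data[key][0] if self._live(key) else None

    def delete(self, key: str) -> None:
        self._data.pop(key, None)


class LoginRateLimiter:
    """Hypothetical limiter: counts failures per login name in a fixed window."""

    def __init__(self, cache: FakeMemcache, max_failures: int = 5,
                 window_seconds: int = 900) -> None:
        self.cache = cache
        self.max_failures = max_failures
        self.window = window_seconds

    @staticmethod
    def _key(login: str) -> str:
        # Same key whether or not the name exists; normalise case so
        # "Alice" and "alice" share one counter.
        return "login_fail:" + login.strip().lower()

    def record_failure(self, login: str) -> int:
        key = self._key(login)
        self.cache.add(key, 0, self.window)      # no-op if counter already exists
        count = self.cache.incr(key)
        if count is None:                        # evicted between add and incr
            self.cache.add(key, 0, self.window)
            count = self.cache.incr(key)
        return count if count is not None else 1

    def is_locked(self, login: str) -> bool:
        count = self.cache.get(self._key(login))
        return count is not None and count >= self.max_failures

    def record_success(self, login: str) -> None:
        self.cache.delete(self._key(login))       # good login clears the counter

    def attempt(self, login: str, verify: Callable[[], bool]) -> str:
        """Gate a login: 'locked' (password not checked), 'ok', or 'failed'."""
        if self.is_locked(login):
            return "locked"
        if verify():
            self.record_success(login)
            return "ok"
        self.record_failure(login)
        return "failed"
```

Because `incr` never touches the expiry, the window is measured from the first failure, exactly as the post proposes; the flooding caveat Bill raises still applies, since an attacker who fills the cache can get counters evicted early, and the `count is None` branch above simply starts a fresh window in that case.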