[Catalyst] Rate limiting password attacks

Steve Atkins steve at blighty.com
Thu Aug 16 18:32:48 GMT 2007


On Aug 16, 2007, at 10:13 AM, Bill Moseley wrote:

> I'm looking for ideas on how to implement a way to detect and block
> dictionary attacks.  This is not a question of how to implement strong
> passwords, but rather the act of limiting logins when too many failed
> passwords have been attempted in some period of time.
>
> I also want to do this regardless of whether the login name is valid or not.
> So, an attack on a invalid login name will fail after so many attempts
> in a time period just the same as one on a valid login.
>
> The plan is to just report "Exceeded Login attempts -- contact
> support or wait X minutes" kind of thing to the user when they exceed
> the failed consecutive attempt count.
>
> The plan is to use memcached for a counter per (failed) login.  The
> cache entry's expires time will be set the first time the cache is
> populated.
>
> This gives an attacker a way to flood the cache, of course, and thus a
> way to prematurely "expire" cache entries.
>
> Also considered issuing a redirect to a simple server that will delay
> the number of failed attempts seconds before redirecting back to the
> login page.  Any smart attacker would get clued about this and not
> follow that redirect.  Fun anyways, though. ;)
>
> Anyone doing something like this already?  Suggestions? Caveats?

One approach I've seen for this doesn't block access once
there's been more than a certain number of failed logins. Instead,
it has two thresholds. After a very few (2 or 3) failed login attempts
it requires the user also enter a captcha when trying to login.

That blocks automated guesses very quickly, but doesn't cause
legitimate users with poor memories to contact support. (I'm
assuming they have a higher threshold of failed attempts
after which they lock the account.)

Cheers,
   Steve
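An added example, not code from this thread or from Catalyst, of the two-threshold scheme Steve describes layered on the per-login counter Bill proposed. It is written in Python rather than Perl, the memcached client is a small in-memory stand-in with the same add/incr/get semantics, and the thresholds (captcha after 3 failures, refuse logins after 10) and the 15-minute window are assumed values. The counter is keyed on the submitted login name whether or not that account exists, and its expiry is fixed when the counter is first created, as in Bill's design.

```python
import time

CAPTCHA_AFTER = 3      # assumed: failures before a captcha is required
LOCK_AFTER = 10        # assumed: failures before further attempts are refused
WINDOW_SECONDS = 900   # assumed: counter lifetime, set on the first failure only


class ManualClock:
    """Settable clock so the window expiry can be exercised offline."""
    def __init__(self, now=1000.0):
        self.now = now

    def __call__(self):
        return self.now


class FakeMemcached:
    """In-memory stand-in for memcached: get/add/incr/delete with absolute expiry.

    add() succeeds only when the key is absent; incr() keeps the existing
    expiry. Together they pin the window to the first failure, so later
    failures never extend it.
    """
    def __init__(self, clock=time.time):
        self._clock = clock
        self._store = {}  # key -> (value, expires_at)

    def _live(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        if self._clock() >= entry[1]:
            del self._store[key]  # lazy expiry, as memcached would
            return None
        return entry

    def get(self, key):
        entry = self._live(key)
        return None if entry is None else entry[0]

    def add(self, key, value, ttl):
        if self._live(key) is not None:
            return False
        self._store[key] = (value, self._clock() + ttl)
        return True

    def incr(self, key):
        entry = self._live(key)
        if entry is None:
            return None
        value, expires_at = entry
        self._store[key] = (value + 1, expires_at)
        return value + 1

    def delete(self, key):
        self._store.pop(key, None)


class LoginThrottle:
    def __init__(self, cache):
        self.cache = cache

    @staticmethod
    def _key(login):
        # Key on the submitted name, valid account or not, so unknown names
        # are throttled exactly like real ones. Case-folding is a choice here.
        return "failed-login:" + login.strip().lower()

    def status(self, login):
        n = self.cache.get(self._key(login)) or 0
        if n >= LOCK_AFTER:
            return "locked"
        if n >= CAPTCHA_AFTER:
            return "captcha"
        return "ok"

    def record_failure(self, login):
        key = self._key(login)
        # add() fixes the expiry on the first failure; incr() preserves it.
        if not self.cache.add(key, 1, WINDOW_SECONDS):
            if self.cache.incr(key) is None:
                # window expired between add() and incr(): start a fresh one
                self.cache.add(key, 1, WINDOW_SECONDS)
        return self.status(login)

    def record_success(self, login):
        self.cache.delete(self._key(login))


def attempt_login(throttle, login, password_ok, captcha_ok=False):
    """One login attempt; returns 'locked', 'need-captcha', 'success' or 'failed'.

    password_ok / captcha_ok stand in for the real credential and captcha checks.
    """
    state = throttle.status(login)
    if state == "locked":
        return "locked"
    if state == "captcha" and not captcha_ok:
        # Refuse before checking the password: an automated guesser gets no
        # signal about the password once the captcha threshold is reached.
        return "need-captcha"
    if password_ok:
        throttle.record_success(login)
        return "success"
    throttle.record_failure(login)
    return "failed"
```

Because the counter is keyed on the submitted name, anyone can push a victim's name over the thresholds; the low captcha threshold costs that victim only a captcha, which is why it sits well below the point at which logins are refused outright.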

More information about the Catalyst mailing list