[Catalyst] Rate limiting password attacks
Perrin Harkins
perrin at elem.com
Thu Aug 16 19:06:40 GMT 2007
On 8/16/07, Bill Moseley <moseley at hank.org> wrote:
> I'm looking for ideas on how to implement a way to detect and block
> dictionary attacks. This is not a question of how to implement strong
> passwords, but rather the act of limiting logins when too many failed
> passwords have been attempted in some period of time.
[...]
> Anyone doing something like this already? Suggestions? Caveats?
Yes, there's a plugin that Sam Tregar developed for CGI::Application:
http://search.cpan.org/~samtregar/CGI-Application-Plugin-RateLimit-1.0/RateLimit.pm
This was used in Krang (http://krangcms.com/) for exactly what you're
describing: limiting login attempts.
You could adapt that design. It uses a database for storage, which
ought to be fine unless you have massive traffic hitting this login
page, but I don't see any reason your memcached idea wouldn't work.
I also did one of these years ago just to limit the number of hits to
a URL from a specific client within a window of time. It was based on
Randal's code here:
http://www.stonehenge.com/merlyn/LinuxMag/col17.html
I modified it to use a (verified) cookie instead of an IP if possible
and to count hits rather than CPU. It just returned a Forbidden error
when people exceeded the limit. At the time, it was a neat design
because it just used tightly packed data in files, so no locking was
needed and no database. Today I would use a database instead.
- Perrin
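The design sketched above (key by a verified cookie, fall back to the IP, count failed attempts in a time window, answer Forbidden once over the limit), as an added example in Python that is not code from this thread, from Krang or from CGI::Application::Plugin::RateLimit. The cookie format, the SECRET key, the class and function names and the in-memory store are all assumptions; a real deployment would keep the counters in a database or memcached as the post suggests.

```python
from collections import defaultdict, deque
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumed server-side cookie-signing key

def sign_cookie(ident):
    """Constructed cookie format 'ident.tag', tag = HMAC-SHA256 over ident."""
    return ident + "." + hmac.new(SECRET, ident.encode(), hashlib.sha256).hexdigest()

def client_key(cookie, remote_ip):
    """Key by a cookie whose tag verifies; otherwise fall back to the client IP."""
    if cookie and "." in cookie:
        ident = cookie.rsplit(".", 1)[0]
        if hmac.compare_digest(cookie.encode(), sign_cookie(ident).encode()):
            return "cookie:" + ident
    return "ip:" + remote_ip

class LoginRateLimiter:
    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable so tests can advance time deterministically
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key):
        now, q = self.clock(), self._failures[key]
        while q and now - q[0] > self.window:  # drop entries outside the window
            q.popleft()
        return q

    def allowed(self, key):
        return len(self._recent(key)) < self.max_failures

    def record_failure(self, key):
        self._recent(key).append(self.clock())

    def record_success(self, key):
        self._failures.pop(key, None)  # a good login clears the counter

def handle_login(limiter, cookie, remote_ip, password_ok):
    key = client_key(cookie, remote_ip)
    if not limiter.allowed(key):
        return 403  # Forbidden once over the limit, as in Perrin's version
    if password_ok:
        limiter.record_success(key)
        return 200
    limiter.record_failure(key)
    return 401
```

A client that has exceeded the limit is refused even when it then presents the correct password, until its failures age out of the window.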