[Catalyst] Rate limiting password attacks

Bill Moseley moseley at hank.org
Fri Aug 17 16:32:36 GMT 2007

On Fri, Aug 17, 2007 at 03:56:23PM +0100, Carl Johnstone wrote:
> >Anyone doing something like this already?  Suggestions? Caveats?
> You'll almost certainly have to log it per-IP address rather than an a 
> cookie or session or anything like that. Any real password-cracking bot is 
> unlikely to honour your cookies or session identifiers.

No, not by IP.  Just keyed by login.  This is at the application
layer.  The logs will also be watched for other patterns.

> As an idea, how about adding an (increasing) artificial delay into the 
> response when the clients send an invalid username/password. It would make 
> things increasingly awkward for crackers, whilst still letting good users 
> through. A suggestion though it wouldn't work very well in mod_perl or 
> similar setups where you can't afford to tie up system resources holding 
> onto client connections.

Ya, that's what I was getting at with:

    Also considered issuing a redirect to a simple server that will delay
    the number of failed attempts seconds before redirecting back to the
    login page. Any smart attacker would get clued about this an not
    follow that redirect.  Fun anyways, though. ;)

Bill Moseley
moseley at hank.org

More information about the Catalyst mailing list