[Catalyst] Rate limiting password attacks

Perrin Harkins perrin at elem.com
Fri Aug 17 16:49:42 GMT 2007


On 8/17/07, Carl Johnstone <catalyst at fadetoblack.me.uk> wrote:
> You'll almost certainly have to log it per-IP address rather than on a
> cookie or session or anything like that. Any real password-cracking bot is
> unlikely to honour your cookies or session identifiers.

Last time I needed to do this we had a fallback to IP if no valid
cookie was found so that it couldn't be evaded by simply refusing all
cookies.  There are workarounds for this workaround though, so it is
an ongoing battle.  AOL proxies were the main reason for doing this.

> As an idea, how about adding an (increasing) artificial delay into the
> response when the clients send an invalid username/password. It would make
> things increasingly awkward for crackers, whilst still letting good users
> through. A suggestion, though: it wouldn't work very well in mod_perl or
> similar setups where you can't afford to tie up system resources holding
> onto client connections.

Well, that would be every environment where Catalyst runs.  If you
want to do something fancy, I'd suggest looking at lingerd, a C daemon
written to take TCP connections handed off from mod_perl.  It would
require some C-level hacking, but I expect you could alter it for this
purpose.

- Perrin
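The cookie-keyed failure counter with an IP fallback that Perrin describes, written out as an added Python example (not Catalyst or lingerd code, and not from the thread). The signing key, window, threshold and sample addresses are constructed for the demo. Rather than sleeping on the connection, it computes a backoff value the application can return in a Retry-After header, so no worker is held.

```python
import hashlib
import hmac
import time
from collections import defaultdict

SECRET = b"constructed-demo-signing-key"  # assumption: server-side key for session cookies
WINDOW = 300     # seconds a failed attempt keeps counting against a key
THRESHOLD = 5    # failures allowed inside the window before blocking


def sign_session(session_id: str) -> str:
    """Mint a cookie value 'id.mac'; only cookies the server issued will verify."""
    mac = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def valid_session(cookie):
    """Return the session id if the cookie carries a genuine MAC, else None."""
    if not cookie or "." not in cookie:
        return None
    sid, mac = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    return sid if hmac.compare_digest(mac, expected) else None


def limiter_key(cookie, ip):
    """Key on the session when the cookie is valid; fall back to the IP otherwise."""
    sid = valid_session(cookie)
    return ("session", sid) if sid else ("ip", ip)


class LoginLimiter:
    def __init__(self, now=time.time):
        self.now = now                        # injectable clock for testing
        self.failures = defaultdict(list)     # key -> timestamps of failed logins

    def _recent(self, key):
        cutoff = self.now() - WINDOW
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return self.failures[key]

    def allowed(self, cookie, ip):
        return len(self._recent(limiter_key(cookie, ip))) < THRESHOLD

    def record_failure(self, cookie, ip):
        key = limiter_key(cookie, ip)
        self._recent(key).append(self.now())
        return len(self.failures[key])

    def retry_after(self, cookie, ip):
        """Seconds to advertise in Retry-After; grows with each failure past the threshold."""
        n = len(self._recent(limiter_key(cookie, ip)))
        return 0 if n < THRESHOLD else 2 ** (n - THRESHOLD + 1)
```

A bot that simply refuses cookies, or forges one, lands on the IP key; as the post notes, a bot that fetches a fresh valid cookie per attempt is the next workaround, which this counter alone does not stop.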
