[Catalyst] Rate limiting password attacks
Wade.Stuart at fallon.com
Fri Aug 17 16:52:54 GMT 2007
Bill Moseley <moseley at hank.org> wrote on 08/17/2007 10:32:36 AM:
> On Fri, Aug 17, 2007 at 03:56:23PM +0100, Carl Johnstone wrote:
> >
> > >Anyone doing something like this already? Suggestions? Caveats?
> >
> >
> > You'll almost certainly have to log it per-IP address rather than a
> > cookie or session or anything like that. Any real password-cracking bot is
> > unlikely to honour your cookies or session identifiers.
>
> No, not by IP. Just keyed by login. This is at the application
> layer. The logs will also be watched for other patterns.
Also many web password cracker apps use a huge list of open proxy servers
and bot farms to farm out the requests -- so tying to the IP may not help
at all. On the same note tracking IP->login name->failures and looking for
a pattern of many IP addresses may also give you another insight to
potential crackers.
-Wade
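The two ideas in this thread, counting failures per login name rather than per client IP, and watching the IP->login name->failures relation for one account being hit from many addresses, can be shown as a small tracker. The code below is an added example written for this archive page; it is not code from the thread, from Catalyst, or from either poster. The class name, the window, the thresholds, the log-line format and the sample log lines are all assumptions made for the example; the log lines are constructed, not captured.

```python
"""Added example (not from the Catalyst thread or from Catalyst itself):
count login failures keyed by login name, independent of cookies or session,
and flag a login that is being attacked from many distinct IP addresses.
Class and function names, thresholds, the window and the log format below
are assumptions made for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window for counting failures
MAX_FAILURES = 5                 # assumed per-login failure budget in the window
MAX_DISTINCT_IPS = 3             # assumed: more source IPs than this on one login is suspicious


class LoginFailureTracker:
    """Tracks recent failed logins per account.

    Keying by login name means a bot that ignores cookies and rotates through
    open proxies still accumulates failures against the account it targets."""

    def __init__(self, window=WINDOW, max_failures=MAX_FAILURES,
                 max_distinct_ips=MAX_DISTINCT_IPS):
        self.window = window
        self.max_failures = max_failures
        self.max_distinct_ips = max_distinct_ips
        # login -> deque of (timestamp, ip) for failures still inside the window
        self._failures = defaultdict(deque)

    def _expire(self, login, now):
        q = self._failures[login]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def record_failure(self, login, ip, now):
        self._expire(login, now)
        self._failures[login].append((now, ip))

    def record_success(self, login):
        # A successful login clears the account's failure history.
        self._failures.pop(login, None)

    def is_locked(self, login, now):
        """True when the account has used up its failure budget in the window."""
        self._expire(login, now)
        return len(self._failures[login]) >= self.max_failures

    def distinct_ips(self, login, now):
        self._expire(login, now)
        return {ip for _, ip in self._failures[login]}

    def is_distributed(self, login, now):
        """True when one login has failures from more IPs than the threshold:
        the proxy/bot-farm pattern that a per-IP limit alone would miss."""
        return len(self.distinct_ips(login, now)) > self.max_distinct_ips


# Constructed sample log lines: '<ISO timestamp> <ip> <login> <ok|fail>'.
# bob mistypes once and then succeeds; alice is hit from six addresses.
LOG = [
    "2007-08-17T16:00:00 198.51.100.10 bob fail",
    "2007-08-17T16:00:05 198.51.100.10 bob ok",
    "2007-08-17T16:01:00 203.0.113.1 alice fail",
    "2007-08-17T16:01:01 203.0.113.2 alice fail",
    "2007-08-17T16:01:02 203.0.113.3 alice fail",
    "2007-08-17T16:01:03 203.0.113.4 alice fail",   # 4th distinct IP -> distributed
    "2007-08-17T16:01:04 203.0.113.5 alice fail",   # 5th failure -> account now locked
    "2007-08-17T16:01:05 203.0.113.6 alice ok",     # right password, but locked -> rejected
    "2007-08-17T16:12:00 203.0.113.7 alice fail",   # window expired, counting restarts
]


def replay(lines, tracker=None):
    """Replay log lines through the tracker and return (login, decision) per line."""
    tracker = tracker or LoginFailureTracker()
    results = []
    for line in lines:
        ts, ip, login, outcome = line.split()
        now = datetime.fromisoformat(ts)
        if tracker.is_locked(login, now):
            results.append((login, "rejected-locked"))
            continue
        if outcome == "ok":
            tracker.record_success(login)
            results.append((login, "ok"))
        else:
            tracker.record_failure(login, ip, now)
            flag = "distributed" if tracker.is_distributed(login, now) else "fail"
            results.append((login, flag))
    return results


if __name__ == "__main__":
    for login, decision in replay(LOG):
        print(login, decision)
```

The replay also shows the caveat that comes with keying on the login name: once alice's budget is spent, the attempt with the correct password is rejected too, so an attacker who knows a victim's login can lock that victim out. In practice that argues for a growing delay or a CAPTCHA after the threshold rather than a hard lock, with the distinct-IP count feeding the log review the thread mentions rather than blocking on its own.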