[Catalyst] Rate limiting password attacks

Bill Moseley moseley at hank.org
Fri Aug 17 19:37:40 GMT 2007


On Fri, Aug 17, 2007 at 02:12:21PM -0400, Jason Kohles wrote:
> Instead of delaying the response, one possibility is to send a  
> complete response without a login form, just a note that says 'too  
> many attempts, try again in X seconds', possibly with a refresh to  
> reload the page once the timer expires.  This way you don't hold the  
> client connections open while waiting for the timer to expire,  
> although then it means you have to track on the server side when that  
> timer will expire so you can start delivering the form again.

The bots don't need a form to send the request, of course.

And, as you point out, if I was writing a bot I'd probably only wait
for the response for a short amount of time -- just to avoid the
tarpit.  You have to imagine that the attacker has unlimited
resources.

I have the ability to turn on form tokens on my forms, so to be able
to post to a form you have to first fetch the single-use token from
the form.  That has been a big help with forms that send mail, but
also aids in preventing reposting of forms -- in addition to redirect
after post.

Unfortunately, I often want to have a login form on the home page and
that page is typically static -- so I can't use my token in that
situation.


> Adding a delay is useful for console applications, where the user is  
> forced to wait for the delay before trying again, but not so useful  
> for web applications, where a cracker can just hold a few thousand  
> connections open while waiting for the delay to expire.
> 
> I've been contemplating the best way to address this problem on some  
> of my own sites, and unfortunately I always end up back at the  
> CAPTCHA approach.  I don't really like forcing users to solve a  
> CAPTCHA every time they log in, but so far it's the only solution  
> that I've come up with that doesn't also turn into a massive denial  
> of service potential when people start intentionally sending bad  
> passwords for people they don't like.

I like the idea of the captcha after a few failed requests.  Although,
if it's a real person having problems logging in then the addition of
the captcha just makes it that much more likely that they will not be
able to log in.  Kind of amazing how often I fail the captcha.

Plus, captchas are not great for accessibility.

Maybe better to ask a question in text:

    "What is the airspeed velocity of an unladen swallow?"

-- 
Bill Moseley
moseley at hank.org
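The server-side tracking the thread describes (answer "too many attempts, try again in X seconds" and close the connection, escalate to a captcha or text question after a few failures, keep nothing waiting on the server), as an added illustration that is not code from the original message or from Catalyst. It keys the counter on the (account, client IP) pair rather than the account alone so that someone deliberately sending bad passwords for a user they dislike does not lock that user out from their own address; the thresholds and the sample IP are made-up values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple
import time


@dataclass
class Attempts:
    failures: int = 0
    locked_until: float = 0.0   # absolute time; 0 means not locked


@dataclass
class LoginThrottle:
    """Tracks failed logins per (account, client IP) so the app can reply
    immediately with a wait time instead of sleeping with the socket open."""
    captcha_after: int = 3      # failures before a captcha/question is required
    lock_after: int = 6         # failures before the form is withheld entirely
    base_lock: float = 30.0     # first lockout in seconds; doubles per failure
    max_lock: float = 900.0     # cap on the exponential backoff
    clock: Callable[[], float] = time.time   # injectable for testing
    _state: Dict[Tuple[str, str], Attempts] = field(default_factory=dict)

    def check(self, user: str, ip: str) -> Tuple[str, int]:
        """Return ("ok" | "captcha" | "locked", seconds the client should wait)."""
        a = self._state.get((user, ip))
        if a is None:
            return "ok", 0
        now = self.clock()
        if a.locked_until > now:
            return "locked", int(a.locked_until - now + 0.999)  # round up
        if a.failures >= self.captcha_after:
            return "captcha", 0
        return "ok", 0

    def record_failure(self, user: str, ip: str) -> None:
        """Count a bad password; past lock_after, set an expiry the check
        consults later (no sleep, no held connection)."""
        a = self._state.setdefault((user, ip), Attempts())
        a.failures += 1
        if a.failures >= self.lock_after:
            backoff = self.base_lock * 2 ** (a.failures - self.lock_after)
            a.locked_until = self.clock() + min(backoff, self.max_lock)

    def record_success(self, user: str, ip: str) -> None:
        """A good login clears the counter for that account/IP pair."""
        self._state.pop((user, ip), None)
```

On a real site the state dict would live in shared storage (cache or database) so every application process sees the same counters.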



