[Catalyst] Rate limiting password attacks

Antano Solar solar345 at gmail.com
Sun Aug 19 05:46:49 GMT 2007


> I'm looking for ideas on how to implement a way to detect and block
> dictionary attacks.  This is not a question of how to implement strong
> passwords, but rather the act of limiting logins when too many failed
> passwords have been attempted in some period of time.
>

I was just wondering why the form fields for username and password can't be
changed after every x attempts, and the post data checked for the new
fields.

1. This way, unless the bot waits for the complete form returned after every
attempt, it will send post data with the required fields being null. And if
it does wait for the complete form returned after every attempt, it is made
considerably slower.

2. And after a threshold level, the username and password field can both be
made of the type password and the label sent as an image. This way, with the new
form, the bot doesn't know which is the username field and which is the
password.

This only works for 1 username / many password attacks or 1 IP attacks.



Another method I was curious about was to generate the form with x number of
extra username and password fields whose display style is set as
none. The bot might just pick the first pair of username and password
fields. This also gives us knowledge of a bot being used, as post values from
these fields will always be null unless it is being sent by a bot.


Antano Solar John
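The two ideas above (rotating the real field names after every x attempts, and hidden decoy pairs that reveal a bot) combined with the per-user/per-IP failure window the original question asks for, as an added, framework-agnostic example in Python rather than Catalyst code. `LoginGuard`, the field-name scheme, the demo credential store and all thresholds are my own assumptions; the image label from point 2 is left out.

```python
import hmac
import secrets
import time

ROTATE_EVERY = 3      # rotate the real field names after this many attempts
MASK_AFTER = 6        # after this many attempts both inputs render as type=password
MAX_FAILURES = 5      # lock the key (username or IP) after this many failures ...
WINDOW_SECONDS = 600  # ... within this sliding window
HONEYPOTS = 2         # hidden decoy username/password pairs added to the form


class LoginGuard:
    """Failure window per username/IP plus rotating and decoy form fields."""

    def __init__(self, credentials):
        self.credentials = credentials  # constructed demo store: {user: password}
        self.failures = {}              # key -> timestamps of recent failures

    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures.get(key, []) if now - t < WINDOW_SECONDS]
        return len(self.failures[key])

    def is_locked(self, key, now):
        return self._recent(key, now) >= MAX_FAILURES

    def build_form(self, session):
        """Return (name, input_type, hidden) rows; the expected names live in the session."""
        n = session.get("attempts", 0)
        if "fields" not in session or n - session.get("rotated_at", 0) >= ROTATE_EVERY:
            session["rotated_at"] = n
            session["fields"] = {"user": "f_" + secrets.token_hex(4), "pass": "f_" + secrets.token_hex(4)}
            session["decoys"] = ["f_" + secrets.token_hex(4) for _ in range(2 * HONEYPOTS)]
        utype = "password" if n >= MASK_AFTER else "text"
        real = [(session["fields"]["user"], utype, False), (session["fields"]["pass"], "password", False)]
        # decoys (display:none) come first, so a bot grabbing the first user/password pair fills them
        return [(d, "text", True) for d in session["decoys"]] + real

    def check_post(self, session, post, key, now=None):
        """Return 'ok', 'locked', 'bot' (a decoy was filled) or 'fail'."""
        now = time.time() if now is None else now
        if self.is_locked(key, now):
            return "locked"
        session["attempts"] = session.get("attempts", 0) + 1
        if any(post.get(d) for d in session.get("decoys", [])):
            self.failures.setdefault(key, []).append(now)
            return "bot"  # a browser user never sees, let alone fills, a display:none field
        fields = session.get("fields", {})
        user, pw = post.get(fields.get("user")), post.get(fields.get("pass"))
        if pw is not None and hmac.compare_digest(self.credentials.get(user, ""), pw):
            self.failures.pop(key, None)
            return "ok"
        self.failures.setdefault(key, []).append(now)  # also counts stale or missing field names
        return "fail"
```

A bot that replays the old field names after a rotation lands in the `fail` branch with null values, exactly the behaviour point 1 predicts, while the hidden pairs flag it outright.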

