What is the best Distributed Brute Force countermeasure?

逝去的感伤 2020-11-28 16:55

First, a little background: It is no secret that I am implementing an auth+auth system for CodeIgniter, and so far I'm winning (so to speak). But I've run into a pretty no

16 answers
  •  陌清茗 (OP)
     2020-11-28 17:47

    To summarize Jens' scheme into a pseudo state transition diagram/rulebase:

    1. user + password -> entry
    2. user + !password -> denied
    3. user + known_IP(user) -> front door, // never throttle
    4. user + unknown_IP(user) -> catflap
    5. (#denied > n) via catflaps(site) -> throttle catflaps(site) // slow the bots
    6. catflap + throttle + password + captcha -> entry // humans still welcome
    7. catflap + throttle + password + !captcha -> denied // a correct guess from a bot

    Observations:

    • Never throttle the front door. The Elbonian state police have your computer, in your house, but are unable to interrogate you. Brute force is a viable approach from your computer.
    • If you provide a "Forgotten your password?" link, then your email account becomes part of the attack surface.

    These observations cover a different type of attack to the ones you are trying to counter.
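The seven rules above, turned into a single decision function so the interplay of front door, catflap, site-wide throttle and captcha can be exercised end to end. This is an added example, not code from the question, the answer or CodeIgniter; the threshold `throttle_after`, the plain-text password table and the choice to mark an IP as known after a successful catflap login are assumptions made for the illustration.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    ENTRY = "entry"
    DENIED = "denied"


@dataclass
class LoginGate:
    """Rules 1-7 of the answer: known IP -> front door (never throttled);
    unknown IP -> catflap; once denials via catflaps exceed n, the catflap is
    throttled and admits only correct password AND solved captcha."""
    users: dict        # username -> password (constructed sample; hash in real code)
    known_ips: dict    # username -> set of IPs seen as "known" for that user
    throttle_after: int = 5   # the "n" in rule 5 (assumed value)
    catflap_failures: int = 0  # site-wide count of denials through catflaps

    def throttled(self) -> bool:
        return self.catflap_failures > self.throttle_after  # rule 5: #denied > n

    def _password_ok(self, user: str, password: str) -> bool:
        stored = self.users.get(user, "")
        return bool(stored) and hmac.compare_digest(stored, password)

    def attempt(self, user: str, password: str, ip: str, captcha_ok: bool = False) -> Outcome:
        pw_ok = self._password_ok(user, password)
        if ip in self.known_ips.get(user, set()):
            # Rules 1-3: front door. Never throttled, even while the catflap is.
            return Outcome.ENTRY if pw_ok else Outcome.DENIED
        # Rule 4: unknown IP goes through the catflap.
        if self.throttled() and not captcha_ok:
            # Rule 7: under throttle a correct guess without a captcha is still denied.
            if not pw_ok:
                self.catflap_failures += 1
            return Outcome.DENIED
        if pw_ok:
            # Rules 4/6: entry; assumption: remember the IP as known for this user.
            self.known_ips.setdefault(user, set()).add(ip)
            return Outcome.ENTRY
        self.catflap_failures += 1  # feeds the site-wide throttle counter
        return Outcome.DENIED
```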
