I'm looking for ideas on how to implement a way to detect and block dictionary attacks. This is not a question of how to implement strong passwords, but rather the act of limiting logins when too many failed passwords have been attempted in some period of time.

I also want to do this regardless of whether the login name is valid or not. So, an attack on an invalid login name will fail after so many attempts in a time period just the same as one on a valid login. The plan is to just report "Exceeded Login attempts -- contact support or wait X minutes" kind of thing to the user when they exceed the failed consecutive attempt count.

The plan is to use memcached for a counter per (failed) login. The cache entry's expires time will be set the first time the cache is populated. This gives an attacker a way to flood the cache, of course, and thus a way to prematurely "expire" cache entries.

Also considered issuing a redirect to a simple server that will delay the number of failed attempts seconds before redirecting back to the login page. Any smart attacker would get clued about this and not follow that redirect. Fun anyways, though. ;)

Anyone doing something like this already? Suggestions? Caveats?

-- 
Bill Moseley
[EMAIL PROTECTED]

_______________________________________________
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/
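As an added example (not the poster's code, nor code from Catalyst or memcached), here is the per-login failed-attempt counter described above in Python, using an in-memory stand-in for memcached whose add/incr/get/delete mirror the memcached commands; the key prefix, the threshold of 5 failures and the 15-minute window are assumed values, and the expiry is fixed when the counter is first created, as in the post.

```python
import time

MAX_FAILURES = 5          # assumed: block after this many consecutive failures
WINDOW_SECONDS = 15 * 60  # assumed: window length, fixed at the first failure


class FakeMemcache:
    """Constructed stand-in for a memcached client: add (create only if absent),
    incr, get and delete with per-key expiry. A real client (e.g. pymemcache)
    exposes the same operations, so the functions below map onto it directly."""

    def __init__(self, clock=time.time):
        self.store = {}    # key -> (value, expiry timestamp)
        self.clock = clock

    def _live(self, key):
        entry = self.store.get(key)
        if entry is None:
            return None
        value, expires = entry
        if expires <= self.clock():     # lazily drop expired entries like memcached
            del self.store[key]
            return None
        return value

    def add(self, key, value, expire):  # atomic create: fails if key already exists
        if self._live(key) is not None:
            return False
        self.store[key] = (value, self.clock() + expire)
        return True

    def incr(self, key, delta=1):       # bump without touching the existing expiry
        if self._live(key) is None:
            return None
        value, expires = self.store[key]
        self.store[key] = (value + delta, expires)
        return value + delta

    def get(self, key):
        return self._live(key)

    def delete(self, key):
        self.store.pop(key, None)


def failure_key(login):
    return "login_fail:" + login.lower()   # assumed prefix; same key whether or not the login exists


def record_failure(cache, login):
    """Count one failed attempt; the window starts at the first failure only."""
    key = failure_key(login)
    if cache.add(key, 1, WINDOW_SECONDS):  # first failure in the window
        return 1
    count = cache.incr(key)                # later failures: count up, expiry unchanged
    return count if count is not None else record_failure(cache, login)  # expired between add and incr


def is_blocked(cache, login):
    count = cache.get(failure_key(login))
    return count is not None and count >= MAX_FAILURES


def attempt_login(cache, login, password_ok):
    """Return 'blocked', 'ok' or 'failed'. The block check runs before any
    credential check, so valid and invalid login names behave identically."""
    if is_blocked(cache, login):
        return "blocked"
    if password_ok:
        cache.delete(failure_key(login))   # success resets the consecutive-failure count
        return "ok"
    record_failure(cache, login)
    return "failed"
```

Because the counter is cleared on success and never refreshed on failure, a blocked login stays blocked until the original window expires, which is the "wait X minutes" behaviour the post describes.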