Ben Laurie wrote:
> On 30 April 2013 11:29, Graham Leggett <minf...@sharp.fm> wrote:
>> On 30 Apr 2013, at 12:03 PM, André Warnier <a...@ice-sa.com> wrote:
>>
>>> The only cost would be a relatively small change to the Apache webservers, which is what my suggestion consists of: adding a variable delay (say between 100 ms and 2000 ms) to any 404 response.
>>
>> This would have no real effect.
>>
>> Bots are patient, slowing them down isn't going to inconvenience a bot in any way. The simple workaround if the bot does take too long is to simply send the requests in parallel.
>
> Disagree. Raising the bar reduces volume.
>
> In general, I hate the argument that improvement X has obvious
> workaround A and therefore we should not bother with it. It's
> absolutely impossible to make forward progress in security with that
> attitude. Every defence is defeatable (says experience) yet some are
> still worth putting in place.


Thank you for putting this succinctly.
That is exactly the point of my proposal: raising the bar.

Honestly, I do not know by how much it would raise the bar, nor how much it would have as an effect in general. It just seems to me like an idea that may be worth trying, or at least really evaluated "scientifically", to verify my many assumptions and approximations.

I just cannot think of how to do this practically, without actually rolling it out on a sufficient number of servers, and involving some organisation that has the infrastructure and the tools to measure the impact.
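
The proposal discussed in this thread, as an added sketch that is not part of the original messages and is not Apache code: a Python WSGI middleware that holds each 404 response for a random 100 to 2000 ms, plus a small model of how long a client waits for a batch of such responses over one or many parallel connections. The names `Delay404`, `scan_seconds` and `demo_app` are hypothetical, and the model assumes every probe returns 404 and ignores network and service time.

```python
import heapq
import random
import time

MIN_DELAY_S, MAX_DELAY_S = 0.100, 2.000  # range suggested in the thread


class Delay404:
    """WSGI middleware that holds each 404 response for a random interval."""

    def __init__(self, app, sleep=time.sleep, rng=None):
        self.app = app
        self.sleep = sleep                  # injectable so tests do not wait
        self.rng = rng or random.Random()

    def __call__(self, environ, start_response):
        def delayed_start(status, headers, exc_info=None):
            if status.startswith("404"):
                # Blocking sleep: this also ties up one server worker.
                self.sleep(self.rng.uniform(MIN_DELAY_S, MAX_DELAY_S))
            return start_response(status, headers, exc_info)
        return self.app(environ, delayed_start)


def scan_seconds(probes, connections, rng):
    """Wall-clock time for a client to receive `probes` delayed 404s
    spread over `connections` parallel connections."""
    free_at = [0.0] * connections           # when each connection is idle again
    heapq.heapify(free_at)
    for _ in range(probes):
        start = heapq.heappop(free_at)      # next connection to become free
        heapq.heappush(free_at, start + rng.uniform(MIN_DELAY_S, MAX_DELAY_S))
    return max(free_at)


def demo_app(environ, start_response):
    """Constructed sample app: only '/' exists, everything else is a 404."""
    found = environ.get("PATH_INFO") == "/"
    start_response("200 OK" if found else "404 Not Found",
                   [("Content-Type", "text/plain")])
    return [b"ok\n" if found else b"not found\n"]


if __name__ == "__main__":
    # Total wait for 1000 delayed 404s at different levels of parallelism.
    for k in (1, 10, 100):
        print(k, "connections:", round(scan_seconds(1000, k, random.Random(0)), 1), "s")
```

The model shows both sides of the exchange above: the sequential wait grows with the delay, while parallel connections shrink it again, at the price of holding that many server workers in the blocking sleep.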
