On Fri, 7 Apr 2000, Nicolas MONNET wrote:
> On Fri, 7 Apr 2000, Mark Imbriaco wrote:
>
> |That opens up a nasty Denial of Service attack though. All I have to do
> |is try to log into the "gunther" account three times in rapid succession
> |with a bogus password, and WHAM, the real Gunther is locked out. Granted,
> |it's possible to work around this, but the best way is probably going to
> |be cookie based like Vivek suggested.
>
> Obviously, you want to count attempts PER IP addresses.
>
What about folks who are behind proxies? (i.e. AOL) It is not all that far-fetched
to consider that an attacker and a legitimate user could both be coming from
AOL -- neither is it far-fetched to consider that they may be assigned the same
proxy server on the AOL network.
There ARE workarounds to the issue; my point was simply that Vivek's cookie
idea is probably the best of the (admittedly numerous) bunch.
-Mark
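The three lockout strategies argued over in this thread, as an added illustration that is not part of the original mail: the account name "gunther" and the threshold of three failures come from the thread; the shared proxy address, the sample password and the per-browser "cookie" token are constructed stand-ins for the setup the posters describe.

```python
from collections import defaultdict

THRESHOLD = 3  # the thread's "three times in rapid succession"


class LoginThrottle:
    """Count failed logins under a chosen key and lock that key out.

    keyed_by selects the strategy from the thread:
      'account' - lock the account itself (an attacker can lock out the real user)
      'ip'      - count per source address (users behind one proxy share a counter)
      'cookie'  - count per browser-held token (stand-in for the cookie idea)
    """

    def __init__(self, keyed_by):
        self.keyed_by = keyed_by
        self.failures = defaultdict(int)
        # Constructed sample credential store; not a real password scheme.
        self.passwords = {"gunther": "sample-password"}

    def _key(self, user, ip, cookie):
        return {"account": user, "ip": ip, "cookie": cookie}[self.keyed_by]

    def login(self, user, password, ip, cookie):
        key = self._key(user, ip, cookie)
        if self.failures[key] >= THRESHOLD:
            return "locked"
        if self.passwords.get(user) == password:
            self.failures[key] = 0  # a successful login clears the counter
            return "ok"
        self.failures[key] += 1
        return "denied"


def simulate(keyed_by):
    """Attacker fails three times, then the real Gunther tries once.

    Both clients arrive from the same (constructed) proxy address 10.0.0.1,
    the AOL scenario from the thread; only their cookie tokens differ.
    """
    t = LoginThrottle(keyed_by)
    for _ in range(THRESHOLD):
        t.login("gunther", "bogus", ip="10.0.0.1", cookie="tok-attacker")
    return t.login("gunther", "sample-password", ip="10.0.0.1", cookie="tok-gunther")
```

Running `simulate` with each key shows the trade-off: keying on the account or on the shared IP locks the legitimate user out, while the per-browser token lets him in.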