On Fri, 7 Apr 2000, Mark Imbriaco wrote:

> > |That opens up a nasty Denial of Service attack though.  All I have to do
> > |is try to log into the "gunther" account three times in rapid succession
> > |with a bogus password, and WHAM, the real Gunther is locked out.  Granted, 
> > |it's possible to work around this, but the best way is probably going to
> > |be cookie based like Vivek suggested.
> > 
> > Obviously, you want to count attempts PER IP addresses. 
> 
> What about folks who are behind proxies?  (ie: AOL) It is not all that far
> fetched to consider that an attacker and a legitimate user could both be
> coming from AOL -- neiter is it farfetched to consider that they may be
> assigned the same proxy server on the AOL network.

And the other way around, there are three gazillion open proxies you can
abuse to make requests from different IP addresses.

Or a determined attacker might have a lot of different local IP addresses
at his disposal he can make requests from.
 
> There ARE workarounds to the issue, my point was simply that Vivek's
> cookie idea is probably the best of the (admittedly numerous) bunch.



 - ask

-- 
ask bjoern hansen - <http://www.netcetera.dk/~ask/>
more than 70M impressions per day, <http://valueclick.com>
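A toy illustration of the lockout-key trade-off argued in this thread (an added example, not part of the original mail): a throttle keyed on the account name lets an attacker lock out the real Gunther, while one keyed on the client address both locks everyone behind one shared proxy and is sidestepped by an attacker who spreads attempts over many addresses. The throttle class, the three-failure limit and all addresses are constructed for the demonstration.

```python
from collections import defaultdict

MAX_FAILURES = 3  # the "three times in rapid succession" figure from the thread


class LoginThrottle:
    """Count failed logins per key and refuse further attempts once a key is
    locked. key_fn(account, ip) picks the key; counter expiry is omitted here
    (simplifying assumption) since it does not change the outcomes shown."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(int)

    def attempt(self, account, ip, password_ok):
        """Return 'locked', 'ok' or 'bad_password' for one login attempt."""
        key = self.key_fn(account, ip)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"
        if password_ok:
            return "ok"
        self.failures[key] += 1
        return "bad_password"


def run_scenarios():
    """Replay the three situations from the thread; all addresses are constructed."""
    results = {}

    # 1. Counter keyed on the account: an attacker at 10.0.0.9 sends three bogus
    #    passwords for "gunther"; the real Gunther at 10.0.0.1 is then refused
    #    even with the correct password.
    t = LoginThrottle(lambda account, ip: account)
    for _ in range(MAX_FAILURES):
        t.attempt("gunther", "10.0.0.9", password_ok=False)
    results["per_account_real_user"] = t.attempt("gunther", "10.0.0.1", True)

    # 2. Counter keyed on the IP, attacker and victim behind the same proxy
    #    (198.51.100.7 stands in for a shared AOL proxy): the victim is locked too.
    t = LoginThrottle(lambda account, ip: ip)
    for _ in range(MAX_FAILURES):
        t.attempt("gunther", "198.51.100.7", password_ok=False)
    results["per_ip_shared_proxy"] = t.attempt("gunther", "198.51.100.7", True)

    # 3. Counter keyed on the IP, attacker rotating through many addresses: each
    #    address starts a fresh counter, so nine bogus attempts never lock anything.
    t = LoginThrottle(lambda account, ip: ip)
    outcomes = [t.attempt("gunther", f"203.0.113.{n}", False) for n in range(9)]
    results["per_ip_rotating_lockouts"] = outcomes.count("locked")
    return results
```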
