In article <[EMAIL PROTECTED]>, John W. Holmes wrote:
> Daevid Vincent wrote:
> 
>> Similarly, I could adjust my brute force attack to sleep() a pre-determined
>> amount of time too ;-)
> 
> Uhmmm.. how effective is a brute force attack where you can only try one 
> combination per second? It's going to take you a while to get through 
> that dictionary.

You're mistaken here. Every kiddie knows he has to fork 50 concurrent
threads that try to authenticate... 

I'd suggest having 2 queues for failed authentication attempts:
one containing (ip - timestamp) pairs,
the other containing (username - timestamp) pairs.

Every time someone tries to authenticate, you count the number of
failures in both queues. The larger the number, the longer the sleep
will take. (removing old entries once in a while might speed up things)

-- 
Tim Van Wassenhove <http://home.mysth.be/~timvw>

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
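
The two-queue throttle suggested in the message above, as an added example that is not code from the thread. The class name, the 900-second window, the 30-second cap and the doubling schedule are assumptions, and the in-memory arrays stand in for a database table or shared cache that would have to persist across requests.

```php
<?php
// Added example, not code from the thread. WINDOW and MAX_DELAY are assumed values.
final class LoginThrottle
{
    const WINDOW = 900;   // seconds a failure stays queued (assumed)
    const MAX_DELAY = 30; // cap on the sleep, in seconds (assumed)

    private $byIp = [];   // ip => list of failure timestamps
    private $byUser = []; // lowercased username => list of failure timestamps

    public function recordFailure(string $ip, string $user, int $now): void
    {
        $this->byIp[$ip][] = $now;
        $this->byUser[strtolower($user)][] = $now;
    }

    // Count recent failures for one key, dropping expired entries as we go.
    private function recent(array &$queue, string $key, int $now): int
    {
        $cutoff = $now - self::WINDOW;
        $kept = array_values(array_filter(
            $queue[$key] ?? [],
            function (int $t) use ($cutoff): bool { return $t > $cutoff; }
        ));
        if ($kept === []) {
            unset($queue[$key]);
            return 0;
        }
        $queue[$key] = $kept;
        return count($kept);
    }

    // Seconds to sleep before checking the password: 0, then 1, 2, 4, ... up to the cap.
    public function delayFor(string $ip, string $user, int $now): int
    {
        // Assumption: the larger of the two counts drives the delay.
        $n = max($this->recent($this->byIp, $ip, $now),
                 $this->recent($this->byUser, strtolower($user), $now));
        return $n === 0 ? 0 : min(self::MAX_DELAY, 2 ** min($n - 1, 10));
    }
}

// Constructed demo: 50 clients on different IPs all guess "alice" at t=1000.
$throttle = new LoginThrottle();
for ($i = 1; $i <= 50; $i++) {
    $throttle->recordFailure("203.0.113.$i", 'alice', 1000);
}
echo $throttle->delayFor('198.51.100.7', 'alice', 1001), "\n"; // new IP, same username
echo $throttle->delayFor('203.0.113.1', 'bob', 1001), "\n";    // known IP, new username
echo $throttle->delayFor('203.0.113.1', 'alice', 2000), "\n";  // outside the window
```

Because the counts are shared across all connections, opening many concurrent sessions does not reset the delay; the cap matters because each sleeping request holds a server worker for its duration.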