In article <[EMAIL PROTECTED]>, John W. Holmes wrote:
> Daevid Vincent wrote:
>> Similarly, I could adjust my brute force attack to sleep() a pre-determined
>> amount of time too ;-)
> Uhmmm.. how effective is a brute force attack where you can only try one 
> combination per second? It's going to take you a while to get through 
> that dictionary.

You're mistaken here. Every kiddie knows he has to fork 50 concurrent
threads that try to authenticate... 

I'd suggest having 2 queues for failed authentication attempts.
One containing (ip - timestamp) pairs,
the other containing (username - timestamp) pairs.

Every time someone tries to authenticate, you count the number of
failures in both queues. The larger the number, the longer the sleep
will take. (removing old entries once in a while might speed up things)

Tim Van Wassenhove
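
The two-queue throttle suggested above, as an added example that is not part of the original post. It keeps both queues in one SQL table so that concurrent PHP requests share the same counts; the table and function names, the 15-minute window, taking the larger of the two counts, and the doubling delay with a 30-second cap are all assumptions.

```php
<?php
// Added example. Names, WINDOW, MAX_DELAY and the delay formula are assumptions.
const WINDOW = 900;    // seconds a failure stays in a queue
const MAX_DELAY = 30;  // upper bound on the sleep, in seconds

function open_queues(): PDO {
    // In-memory SQLite keeps the example offline; use the application's database in practice.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // kind is 'ip' or 'user', so one table holds both queues.
    $db->exec('CREATE TABLE auth_failures (kind TEXT, subject TEXT, ts INTEGER)');
    return $db;
}

function record_failure(PDO $db, string $ip, string $user, int $now): void {
    $ins = $db->prepare('INSERT INTO auth_failures (kind, subject, ts) VALUES (?, ?, ?)');
    $ins->execute(['ip', $ip, $now]);
    $ins->execute(['user', $user, $now]);
}

function count_failures(PDO $db, string $kind, string $subject, int $now): int {
    $q = $db->prepare(
        'SELECT COUNT(*) FROM auth_failures WHERE kind = ? AND subject = ? AND ts > ?');
    $q->execute([$kind, $subject, $now - WINDOW]);
    return (int) $q->fetchColumn();
}

// Seconds to sleep() before checking the password: 1, 2, 4, ... capped at MAX_DELAY.
function login_delay(PDO $db, string $ip, string $user, int $now): int {
    $n = max(count_failures($db, 'ip', $ip, $now),
             count_failures($db, 'user', $user, $now));
    return $n === 0 ? 0 : min(MAX_DELAY, 2 ** min($n - 1, 10));
}

// Removing old entries once in a while keeps the counts fast.
function prune(PDO $db, int $now): int {
    $del = $db->prepare('DELETE FROM auth_failures WHERE ts <= ?');
    $del->execute([$now - WINDOW]);
    return $del->rowCount();
}

// Constructed sample: three failures for one username, each from a different address.
$db = open_queues();
$t = 1000000;
foreach (['198.51.100.7', '198.51.100.8', '198.51.100.9'] as $ip) {
    record_failure($db, $ip, 'alice', $t);
}
echo login_delay($db, '203.0.113.5', 'alice', $t + 1), "\n";  // new address, same username
echo login_delay($db, '198.51.100.7', 'bob', $t + 1), "\n";   // same address, new username
echo prune($db, $t + WINDOW), " rows pruned\n";
```

Because the delay is computed from the shared table rather than per connection, attempts made in parallel see the same failure history, and the username queue still counts failures that arrive from many different addresses.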
