In article <[EMAIL PROTECTED]>, John W. Holmes wrote:
> Daevid Vincent wrote:
>
>> Similarly, I could adjust my brute force attack to sleep() a pre-determined
>> amount of time too ;-)
>
> Uhmmm.. how effective is a brute force attack where you can only try one
> combination per second? It's going to take you a while to get through
> that dictionary.

You're mistaken here. Every kiddie knows he has to fork 50 concurrent threads that try to authenticate...

I'd suggest to have 2 queues for failed authentication attempts. One containing (ip - timestamp) pairs, the other containing (username - timestamp) pairs.

Every time someone tries to authenticate, you count the number of failures in both queues. The larger the number, the longer the sleep will take. (Removing old entries once in a while might speed things up.)

--
Tim Van Wassenhove <http://home.mysth.be/~timvw>

--
PHP Database Mailing List (http://www.php.net/)
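
The two-queue scheme described in the post above, as an added PHP 8 sketch that is not code from the thread. The class name `FailureThrottle`, the 900-second window, the doubling delay with a 30-second cap, and taking the larger of the two counts are all assumptions made for illustration.

```php
<?php
// Added example. Queues are kept in memory here; see the note after the block.
final class FailureThrottle
{
    private array $byIp = [];    // ip       => list of failure timestamps
    private array $byUser = [];  // username => list of failure timestamps

    public function __construct(
        private int $window = 900,   // seconds a failure stays queued (assumed)
        private int $maxDelay = 30   // upper bound on the sleep (assumed)
    ) {}

    public function recordFailure(string $ip, string $user, int $now): void
    {
        $this->byIp[$ip][] = $now;
        $this->byUser[strtolower($user)][] = $now;
    }

    // Drop entries older than the window, then count what is left for $key.
    private function recent(array &$queue, string $key, int $now): int
    {
        $cutoff = $now - $this->window;
        $kept = array_values(array_filter($queue[$key] ?? [], fn($t) => $t > $cutoff));
        if ($kept) { $queue[$key] = $kept; } else { unset($queue[$key]); }
        return count($kept);
    }

    // The larger of the two counts drives the delay: 1, 2, 4, ... seconds.
    public function delayFor(string $ip, string $user, int $now): int
    {
        $n = max($this->recent($this->byIp, $ip, $now),
                 $this->recent($this->byUser, strtolower($user), $now));
        return $n === 0 ? 0 : min($this->maxDelay, 2 ** min($n - 1, 10));
    }
}

// Constructed sample: one address cycling through usernames, plus a second
// address that has already failed once against "alice".
$throttle = new FailureThrottle();
$now = 1000;
foreach (['alice', 'bob', 'carol', 'dave'] as $name) {
    $throttle->recordFailure('203.0.113.5', $name, $now);
}
$throttle->recordFailure('198.51.100.7', 'alice', $now);

// The login handler would sleep() for the returned value before checking the password.
echo $throttle->delayFor('203.0.113.5', 'erin', $now), "\n";       // keyed on the IP queue
echo $throttle->delayFor('192.0.2.44', 'alice', $now), "\n";       // keyed on the username queue
echo $throttle->delayFor('192.0.2.44', 'erin', $now + 1000), "\n"; // all entries aged out
```

For the counts to cover the concurrent attempts the post mentions, the two queues have to live in storage shared by every PHP worker (a database table, for instance) rather than in per-request memory as in this sketch.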