Wez:
I agree that exponential back-off for failed authentication
attempts is a good way to prevent dictionary attacks from being
viable. Here's my concern: your software's blacklisting isn't
actually "tripped" by failed authentication attempts -- it's tripped
by *any connection at all*. That's not the best solution, IMO,
for two reasons:
1. It makes things trickier for (ahem) ISVs who write 3rd
party tools that, say, auto-detect VNC Servers on a LAN.
Of course, I understand that making their lives easier is
pretty low on your list of concerns, but it's worth a
mention.
2. It overly exposes VNC to DoS attacks. With nmap running on
a PC with access to raw sockets, I could:
% nmap -sT -p 5900 my.lan.ip.address/24 -S ip.address.to.block
% <repeat once a minute>
This will transmit spoofed packets to all RealVNC servers on
the LAN, effectively blacklisting any IP address I choose.
I'm hopeful that, for those 2 reasons, you'll at least consider
modifying the blacklist "trip" mechanism in your future releases,
so that it activates *after* multiple password attempts have
actually failed. That's much more resilient to spoofed connections,
as it actually requires a real protocol exchange.
cheers,
Scott
The blacklisting algorithm uses exponential back-off, so it really *does*
prevent dictionary attacks from being viable.
As regards the possibility of DoS attacks - yes, they are possible but the
DoS attack you describe prevents anyone on the attacking host from accessing
it, while a dictionary attack would actually grant the attacker access to
that server, which is clearly worse!
<snip>
_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
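The "trip only after real failed password attempts" design Scott asks for, as an added illustration that is not code from this thread or from RealVNC: a per-address blacklist that records nothing on a bare connection and applies exponential back-off only after completed, failed authentications. Class and function names, the threshold of 3 and the 10-second base delay are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class _Entry:
    failures: int = 0           # consecutive failed authentications
    blocked_until: float = 0.0  # clock value until which auth is refused


class AuthBackoff:
    """Per-source exponential back-off tripped only by *failed authentication*,
    never by the act of connecting, so a spoofed connect cannot blacklist anyone."""

    def __init__(self, threshold=3, base_delay=10.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.threshold, self.base, self.cap = threshold, base_delay, max_delay
        self.clock = clock
        self._state = {}  # addr -> _Entry

    def connection_allowed(self, addr):
        # A bare connect is only *checked*, never recorded: it cannot move an
        # address toward the blacklist, which removes the spoofing DoS.
        e = self._state.get(addr)
        return e is None or self.clock() >= e.blocked_until

    def record_failure(self, addr):
        """Call after a completed challenge/response that failed.
        Returns the lock-out (seconds) now imposed on this address."""
        e = self._state.setdefault(addr, _Entry())
        e.failures += 1
        if e.failures < self.threshold:
            return 0.0
        delay = min(self.base * 2 ** (e.failures - self.threshold), self.cap)
        e.blocked_until = self.clock() + delay
        return delay

    def record_success(self, addr):
        self._state.pop(addr, None)  # a correct password resets the counter


def dictionary_attack_cost(attempts, **kw):
    """Seconds a guesser must wait to get `attempts` wrong passwords in.
    Uses a fake clock that jumps to the end of each lock-out instead of sleeping."""
    now = [0.0]
    b = AuthBackoff(clock=lambda: now[0], **kw)
    waited = 0.0
    for _ in range(attempts):
        while not b.connection_allowed("guesser"):
            pause = b._state["guesser"].blocked_until - now[0]
            now[0] += pause
            waited += pause
        b.record_failure("guesser")
    return waited
```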