preventing brute force logins without denial of service

From the one factor thread:

Jim Manico wrote:Last, if you really do not want to implement it, then you need to consider "account lockout" to keep brute force attacks at bay. Account lockout CAN be used to Denial of Service your site so be careful.
This is the design we used to prevent brute force login attempts on this site. I'm curious what weaknesses there are in it. All I can think of is that if you can present a fake IP, you could still do denial of service for logins. Even that wouldn't affect users who were logged in or anonymous users. And it would have to be kept up hour after hour.

Jeanne Boyarsky wrote:From the one factor thread:

Jim Manico wrote:Last, if you really do not want to implement it, then you need to consider "account lockout" to keep brute force attacks at bay. Account lockout CAN be used to Denial of Service your site so be careful.
This is the design we used to prevent brute force login attempts on this site. I'm curious what weaknesses there are in it. All I can think of is that if you can present a fake IP, you could still do denial of service for logins. Even that wouldn't affect users who were logged in or anonymous users. And it would have to be kept up hour after hour.
My concern for any kind of IP-based blocking strategy is that sometimes you have thousands of users behind one IP address, like a large hotel, a large company or some ISPs. In these situations, failed logins from one IP may occur faster than expected.