Thursday, Dec 3, 2015 9:31 PM Russ Allbery wrote:
Standard practice for attackers these days is to automate attacks on any
sort of password-protected system, whether that be web pages,
authentication providers, or anything else that takes a password. Usually
this is done by taking some list of common passwords and some list of
account names and just brute-forcing combinations, although some attackers
do more sophisticated things.
Obviously, that sort of brute force approach is easy to detect and
throttle, so the next step in the arms race was for attackers to use large
networks of compromised machines, usually home machines behind DSL and
cable modem links, each of which tries a small number of passwords against
a variety of targets to stay below the radar. Those machines were
generally compromised via malware of some kind and are part of a botnet,
without the knowledge of the user of the machine.
Thanks for explaining!
I am still a bit puzzled: how does increasing the number of attackers help to
bypass the throttling mechanism? Why isn't the throttle per id/password pair,
rather than per ip-address/password/id triple?
Secondarily, if distributed processing makes throttling per id/password pair
difficult, why is it hard to do the botnet IP address matching at the
authentication point? This seems like it would avoid a _lot_ of extra
processing.
--
Sent from Whiteout Mail - https://whiteout.io
My PGP key: https://keys.whiteout.io/mellon@fugue.com
_______________________________________________
ietf-smtp mailing list
ietf-smtp@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
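The throttling question in the reply above (per id/password pair versus per source address) is easy to see with a small simulation. The following is an added example, not code from the thread or from either poster: it feeds a stream of constructed failed-login events through two sliding-window counters, one keyed by source IP and one keyed by account, and reports which keys cross a limit. The limits, window length, account name and the IP addresses (taken from the documentation ranges) are all assumptions chosen for the illustration.

```python
"""
Constructed illustration of why a per-source-IP throttle misses a
distributed "low and slow" password-guessing campaign while a per-account
throttle still sees the whole stream of failures.  Every event below is
made up for the example; nothing here is from a real log.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 600       # assumed: judge failures over the last 10 minutes
PER_IP_LIMIT = 5           # assumed: failures one source IP may make before throttling
PER_ACCOUNT_LIMIT = 10     # assumed: failures one account may accumulate, from any source


class SlidingWindowCounter:
    """Counts events per key, keeping only those inside a trailing time window."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self._events = defaultdict(deque)

    def record(self, key, ts):
        """Record one event for `key` at time `ts`; return the count now in the window."""
        q = self._events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events that aged out
            q.popleft()
        return len(q)


def evaluate(events, window=WINDOW_SECONDS,
             ip_limit=PER_IP_LIMIT, account_limit=PER_ACCOUNT_LIMIT):
    """Replay (timestamp, source_ip, account) failure events in time order.

    Returns (throttled_ips, throttled_accounts): the keys whose failure count
    exceeded the respective limit at some point inside the window.
    """
    by_ip = SlidingWindowCounter(window)
    by_account = SlidingWindowCounter(window)
    throttled_ips, throttled_accounts = set(), set()
    for ts, ip, account in sorted(events):
        if by_ip.record(ip, ts) > ip_limit:
            throttled_ips.add(ip)
        if by_account.record(account, ts) > account_limit:
            throttled_accounts.add(account)
    return throttled_ips, throttled_accounts


def single_source_attack(guesses=30, account="alice", spacing=10):
    """Constructed: one machine guessing `guesses` passwords for one account."""
    return [(i * spacing, "203.0.113.7", account) for i in range(guesses)]


def distributed_attack(n_sources=40, guesses_per_source=2, account="alice", spacing=5):
    """Constructed: many machines, each making only a couple of guesses for one account."""
    events, ts = [], 0
    for n in range(n_sources):
        ip = f"198.51.100.{n + 1}"          # constructed, documentation range
        for _ in range(guesses_per_source):
            events.append((ts, ip, account))
            ts += spacing
    return events


if __name__ == "__main__":
    print("single source  :", evaluate(single_source_attack()))
    print("distributed    :", evaluate(distributed_attack()))
```

Run stand-alone, the single-source case trips both counters, while the distributed case trips only the per-account counter: no individual address ever exceeds the per-IP limit, yet the account accumulates 80 failures in the window. That is the evasion the quoted text describes. The trade-off a practitioner has to weigh when keying the throttle on the account is that anyone who can generate failures against a victim's account can then lock that user out, which is one reason deployments usually combine per-account counting with per-source limits and a reputation list rather than relying on either alone.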