Thursday, Dec 3, 2015 10:48 PM Russ Allbery wrote:
>> I am still a bit puzzled: how does increasing the number of attackers
>> help to bypass the throttling mechanism? Why isn't the throttle per
>> id/password pair, rather than per ip-address/password/id triple?
>
> Why would you throttle per id/password pair? The attacker doesn't try the
> same pair more than once. That would be pointless.

I think you missed the distinction I was making. You are describing
throttling per ip-address, irrespective of the password/id pair. I am asking
why you don't simply say "if more than 10 attempts are made on this username
per hour, lock it out for a while." This is a common practice on some web
sites. If you require the user to have a non-dictionary password, then 10
attempts per hour is few enough to prevent a botnet of any number of hosts from
guessing that password.

> The TLDR in case something about that message was confusing is that only
> the authentication point can block the IP addresses at the authentication
> point, but you can analyze Received headers to do a bunch of other things,
> such as determine compromised botnet IP addresses that someone else
> *didn't* block but that you *do* want to block for *your* service. It
> improves the scale and flexibility of what you can do by basically giving
> you more threat intelligence.

Yes, I have heard that before. It makes sense. However, it does make me
wonder why you don't just stop accepting mail from sites that are this badly
run until they shape up. You seem to be suggesting that it's because you
value the intelligence that you glean from their incompetence. Did I
Sent from Whiteout Mail - https://whiteout.io
My PGP key: https://keys.whiteout.io/mellon(_at_)fugue(_dot_)com
ietf-smtp mailing list
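The exchange above turns on what the throttle is keyed by. The following is an added illustration, not code from either participant or from any mail server; it simulates the two keying choices with a sliding-window counter. The scenario values (a constructed botnet of 1000 source addresses, the 10-attempts-per-hour figure from the message, a single host cycling through 50 accounts) are assumptions chosen to make the difference visible, and the second scenario goes slightly beyond the thread to show what the per-address key catches that the per-username key does not.

```python
from collections import defaultdict, deque

# Limits taken from the message: 10 attempts per username per hour.
MAX_ATTEMPTS = 10
WINDOW_SECONDS = 3600


class SlidingWindowThrottle:
    """Allow at most `max_attempts` per key within any `window`-second span.

    The key is chosen by the caller: a client address, a username, or both.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._history = defaultdict(deque)  # key -> timestamps of admitted attempts

    def allow(self, key, now):
        """Record an attempt at time `now`; return True if it may proceed."""
        history = self._history[key]
        # Drop attempts that have aged out of the window.
        while history and now - history[0] >= self.window:
            history.popleft()
        if len(history) >= self.max_attempts:
            return False
        history.append(now)
        return True


def count_admitted(attempts, key_fn):
    """How many (ip, username, time) attempts reach the password check
    when the throttle is keyed by key_fn(ip, username)."""
    throttle = SlidingWindowThrottle()
    return sum(1 for ip, user, t in attempts if throttle.allow(key_fn(ip, user), t))


def botnet_against_one_account(bots=1000):
    """Constructed: `bots` distinct addresses each try one password for 'alice'
    within a single hour (the case the message describes)."""
    return [(f"10.{i // 256}.{i % 256}.1", "alice", i * 3.6) for i in range(bots)]


def one_host_against_many_accounts(accounts=50):
    """Constructed: one address tries one password against 50 accounts in an hour."""
    return [("192.0.2.7", f"user{i}", i * 60.0) for i in range(accounts)]


def key_by_ip(ip, user):
    return ip


def key_by_user(ip, user):
    return user


def compare():
    """Attempts admitted under each keying choice for both constructed scenarios."""
    botnet = botnet_against_one_account()
    single_host = one_host_against_many_accounts()
    return {
        "botnet_per_ip": count_admitted(botnet, key_by_ip),        # every bot passes
        "botnet_per_user": count_admitted(botnet, key_by_user),    # capped at 10
        "single_host_per_ip": count_admitted(single_host, key_by_ip),      # capped at 10
        "single_host_per_user": count_admitted(single_host, key_by_user),  # all 50 pass
    }


if __name__ == "__main__":
    for name, admitted in compare().items():
        print(f"{name:24s} {admitted}")
```

Keyed by address, the thousand-host botnet gets a thousand guesses at the one account; keyed by username, it gets ten, however many hosts it has, which is the point of the message. The reverse scenario shows why production deployments usually keep both keys: a per-username limit alone lets one host spread its attempts across many accounts, and it also means that anyone able to send ten failures can keep a legitimate user locked out, so the lockout duration and any unlock path need as much thought as the count itself.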