Posted by Tyno Gendo on 04/09/07 22:37
Colin McKinnon wrote:
> Really, you can't. All you can do is make the system sufficiently secure
> that the attacker can't brute-force an attack.
>
> Also, bear in mind...
>
> Tyno Gendo wrote:
>
>> define('MAX_RETRIES', 5);
>> $logged_in = false;
>> $sql = "SELECT user_id, user_name, user_pass, user_tries
>> FROM user WHERE user_name = '" . $_POST["username"] . "';";
>>
>
> .... then you're just providing a mechanism for anyone to lock out any user
> whose name is known. Also, unless you are very careful, you will end up
> exposing usernames indirectly by the time taken to process a response.
>
> C.
This is true. However, as it seems the real scenario here is to stop
DOS attacks, I think the answer lies outside of PHP anyhow. A real DOS
attack should be stopped before the traffic hits the HTTP server.
Linux allows addition of static routes. I can't remember the piece of
software I had once, but part of it detected DOS and added a static
route to the server blocking response back to the SRC IP by adding an
invalid route for the source's destination.
Better to have the accounts locked than have an intruder waltz in. If
you provide the same feedback for a known account as you do for an
invalid user/pass combi then you're not exposing that the account
exists; you only do so if you give a different message for each scenario.
Captcha is a good idea, I've used that in my own stuff before.
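An added example (not code from this thread) of the "same feedback for a known account as for an invalid user/pass combi" point above, also covering Colin's timing remark: the unknown-user path still runs a password hash, so neither the message nor the response time says whether the account exists. The `user` table with `user_name`/`user_pass` columns and the in-memory SQLite data are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread. One identical message for
// "no such user" and "wrong password", and the same hashing work on
// both paths so the response time does not reveal which one happened.
// Table/column names (user, user_name, user_pass) are assumptions.

// Hash of a random throwaway password, computed once at startup. When the
// username does not exist we verify against this instead of skipping the
// hash, so the unknown-user path costs the same as the wrong-password path.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function check_login(PDO $db, string $username, string $password, string $dummyHash): bool
{
    // Parameterised query: the username is never concatenated into SQL.
    $stmt = $db->prepare('SELECT user_pass FROM user WHERE user_name = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = ($row !== false) ? $row['user_pass'] : $dummyHash;
    $passwordOk = password_verify($password, $hash);   // runs on both paths

    // Succeed only when the account exists AND the password matched.
    return $row !== false && $passwordOk;
}

// One message for every failure; never distinguish the two cases.
function login_message(bool $ok): string
{
    return $ok ? 'Login successful.' : 'Invalid username or password.';
}

// Self-contained demo with an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_name TEXT PRIMARY KEY, user_pass TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO user (user_name, user_pass) VALUES (:n, :p)');
$ins->execute([':n' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ['nobody', 'wrong']] as [$u, $p]) {
    $t0 = hrtime(true);
    $ok = check_login($db, $u, $p, $dummyHash);
    $ms = (hrtime(true) - $t0) / 1e6;
    // Both failing rows print the same message and take about the same time.
    printf("%-7s %-28s %.1f ms\n", $u, login_message($ok), $ms);
}
```

The per-account retry counter from the quoted snippet is deliberately left out, for the lockout reason Colin gives; throttling belongs at the network or rate-limiter layer, as the post argues.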