Sunday, 4 January 2015

Adequate prevention of distributed brute force attacks?



What are good ways to prevent distributed brute force attacks on my website?


I think (not sure; if someone can assure me, thanks!) my site is secure against normal brute force attacks, as I am using the following pattern to throttle continuous login attempts for a single username:



X = Failed Login Attempts
Y = Time, since the last login attempt, for which next login attempt will not be accepted (in minutes)

if X is a multiple of 5
Y = 2^(X/5)


This increases the time delay by some exponent of 2 for every next 5 wrong login attempts.


Then I thought to myself, what if someone tries to distribute this brute force attack over multiple usernames/accounts for the same password? O.O


My first instinct was to search the internet for common practices. I did search and found different solutions. Every solution had its own cons, and most of them were too complicated.


And then whaaam! This wild idea crossed my mind:



It doesn't matter if you provide wrong or right credentials, the login script will sleep for 1 second while verifying your credentials.


If I used this method, it would take approximately 14 hours to try a password on 50k accounts or vice versa, hence making the brute force a little impractical.


Since this is my first web app, I am barely confident that this method will be okay to use. I am not sure if it will cause too much server load or if it is even, at all, safe. Does this method offer a good trade-off between time and resource cost, vs. added security?


If somebody can help me figure out if this is the right method and help me improve it and/or suggest a practical method (in case this isn't okay), maybe I can offer you an additional cookie if we ever meet?
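An added illustration of the two mechanisms the question describes (the per-username 2^(X/5)-minute backoff and the cost estimate for a fixed per-attempt delay), not code from the original post; the in-memory store, the injectable clock and all names are assumptions. It also shows the gap the asker noticed: a counter keyed on the username never fires when each account is tried only once.

```python
"""Added example: the question's per-username backoff and fixed-delay cost estimate."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable


def lockout_minutes(failed_attempts: int) -> float:
    """Y = 2^(X/5) minutes once X (failures so far) hits a multiple of 5, else 0."""
    if failed_attempts > 0 and failed_attempts % 5 == 0:
        return float(2 ** (failed_attempts // 5))
    return 0.0


@dataclass
class LoginThrottle:
    """Per-username throttle; state is kept in memory (assumption, for illustration)."""
    clock: Callable[[], float] = time.time            # injectable for deterministic tests
    failures: Dict[str, int] = field(default_factory=dict)
    blocked_until: Dict[str, float] = field(default_factory=dict)

    def allowed(self, username: str) -> bool:
        """False while the username is still inside its lockout window."""
        return self.clock() >= self.blocked_until.get(username, 0.0)

    def record_failure(self, username: str) -> float:
        """Count a failed login; return the lockout (minutes) it triggered, if any."""
        x = self.failures.get(username, 0) + 1
        self.failures[username] = x
        wait = lockout_minutes(x)
        if wait:
            self.blocked_until[username] = self.clock() + wait * 60
        return wait

    def record_success(self, username: str) -> None:
        """A correct login clears the counter and any pending lockout."""
        self.failures.pop(username, None)
        self.blocked_until.pop(username, None)


def lockouts_triggered_by_spray(throttle: LoginThrottle, usernames: Iterable[str]) -> int:
    """One wrong password against each username: how many lockouts fire?
    A per-username counter alone never reaches 5 in this pattern, so the answer is 0."""
    return sum(1 for u in usernames if throttle.record_failure(u) > 0)


def distributed_attack_hours(accounts: int, delay_seconds: float = 1.0) -> float:
    """Wall-clock hours to try one password once per account when every attempt
    costs a fixed delay and the attempts are made strictly one after another."""
    return accounts * delay_seconds / 3600.0
```

The estimate holds only for sequential attempts; a fixed sleep does not stop a client from opening many requests in parallel, so the delay is a cost, not a hard limit.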




