Friday, 2 January 2015

How to prevent distributed brute force attacks?



How can I prevent distributed brute force attacks on my website?


I think (not sure; if someone can assure me, thanks!) my site is secure against normal brute force attacks, as I am using the following pattern to throttle continuous login attempts for a single username:



    X = failed login attempts
    Y = time, since the last login attempt, for which the next login attempt will not be accepted (in minutes)

    if X is a multiple of 5:
        Y = 2^(X/5)


This increases the time delay by a power of 2 for every further 5 wrong login attempts.


Then I thought to myself, what if someone tries to distribute this brute force attack over multiple usernames/accounts for the same password? O.O


My first instinct was to search the internet for common practices. I did search and found different solutions. Every solution had its own cons, whereas most of them were too complicated.


And then, whaaam! This wild idea crossed my mind:



It doesn't matter if you provide wrong or right credentials, the login script will sleep for 1 second while verifying your credentials.


If I used this method, it would take approximately 14 hours to try a password on 50k accounts, or vice versa, hence making the brute force a little impractical.


Since this is my first web app, I am barely confident that this method will be okay to use. I am not sure if it will cause too much server load or if it is even, at all, safe. If somebody can help me figure out whether this is the right method or not and/or suggest a practical method, maybe I can offer you an additional cookie if we ever meet?
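The two mechanisms described above, as an added example that is not the asker's code: the per-username exponential lockout (Y = 2^(X/5) minutes after every 5th failure), replayed against constructed login events to show that it blocks a single account being hammered but never triggers when one password is tried once against many accounts, plus the arithmetic behind the "approximately 14 hours" figure for a uniform per-request delay. The injected clock (`now` in seconds) and the (username, success, time) event format are assumptions made so the example runs offline without sleeping.

```python
from dataclasses import dataclass, field


def lockout_minutes(failed_attempts: int) -> int:
    """Lockout window from the rule in the post: after every 5th failed
    attempt, the next attempt is not accepted for 2**(X/5) minutes."""
    if failed_attempts > 0 and failed_attempts % 5 == 0:
        return 2 ** (failed_attempts // 5)
    return 0


@dataclass
class LoginThrottle:
    """Per-username failure counter with the exponential lockout above.
    The caller supplies the clock (assumption: seconds as a float) so the
    logic can be replayed instantly instead of really waiting."""
    failures: dict = field(default_factory=dict)
    blocked_until: dict = field(default_factory=dict)

    def allowed(self, username: str, now: float) -> bool:
        return now >= self.blocked_until.get(username, 0.0)

    def record(self, username: str, success: bool, now: float) -> None:
        if success:
            # A correct login clears the counter for that account.
            self.failures.pop(username, None)
            self.blocked_until.pop(username, None)
            return
        x = self.failures.get(username, 0) + 1
        self.failures[username] = x
        minutes = lockout_minutes(x)
        if minutes:
            self.blocked_until[username] = now + minutes * 60


def simulate(throttle: LoginThrottle, attempts) -> int:
    """Replay constructed (username, success, t) events and return how
    many of them the per-username throttle refused outright."""
    blocked = 0
    for username, success, t in attempts:
        if not throttle.allowed(username, t):
            blocked += 1
            continue
        throttle.record(username, success, t)
    return blocked


# Constructed event streams (not real logs): 12 failed logins one second
# apart, first all against one account, then one per distinct account.
SINGLE_ACCOUNT = [("alice", False, float(t)) for t in range(12)]
SPRAY = [(f"user{t:02d}", False, float(t)) for t in range(12)]


def blocked_single_account() -> int:
    # 5th failure at t=4 locks "alice" for 2 minutes; attempts 6..12 are refused.
    return simulate(LoginThrottle(), SINGLE_ACCOUNT)


def blocked_spray() -> int:
    # Every account sees exactly one failure, so no counter ever reaches 5.
    return simulate(LoginThrottle(), SPRAY)


def sweep_hours(accounts: int, delay_seconds: float = 1.0) -> float:
    """Wall-clock time one serial guess per account costs when every login
    check, right or wrong, takes delay_seconds (the post's 1 s sleep)."""
    return accounts * delay_seconds / 3600


if __name__ == "__main__":
    print("blocked, single account:", blocked_single_account())
    print("blocked, one try per account:", blocked_spray())
    print("hours to sweep 50k accounts at 1 s each:", round(sweep_hours(50_000), 2))
```

The per-username counter is keyed only on the account, which is exactly why the second replay reports zero blocks: it is the gap the question is about. The delay function also makes the cost visible: 50,000 accounts at one second each is about 13.9 hours for a serial client, but that figure assumes the requests are made one after another, and each sleeping request still occupies a worker on the server for the full second.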




