[Dovecot] Delay on failed pw attempts
Dean Brooks
dean at iglou.com
Wed Jan 2 01:38:44 EET 2008
On Tue, Jan 01, 2008 at 11:21:50PM +0000, Stephen Usher wrote:
> Actually, a better method which would not inconvenience real users is
> to have an accumulative delay, i.e. the first error has a 1 second
> delay, the second 2 seconds, the third 4 seconds and so on. This
> should tar-pit any brute force attack, at least until the script
> kiddies just blast the server with a huge number of new connections to
> do the job.
Unfortunately, most of the dictionary attacks that we've been seeing
will open and attack multiple simultaneous connections. After a
single attempt, they'll drop the connection and reconnect.
The only way to mitigate the attacks is a long delay even on a single
authentication failure.
We can handle most of the load issue through our hardware
load-balancers, but ultimately it's the delay after auth failure that
is the only real limiting factor.
Ideally, Dovecot would allow finer control over its process forking
(specifically maximum simultaneous connections from a single IP,
maximum total connections and maximum authentication attempts before
disconnect), but I figured I'd probably be pushing my luck asking for
all of it at once. :)
Until those features are in place, larger sites have to just cross
their fingers and hope that the current rash of attacks will slow over time.
--
Dean Brooks
dean at iglou.com
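The thread contrasts a per-connection cumulative delay (defeated by dropping and reconnecting after each attempt) with the per-IP limits Dean asks for. The following is an added example, not part of the original post and not Dovecot's own code: a small limiter that keys failure state by source IP rather than by connection, so the delay keeps doubling across reconnects, and that also caps simultaneous connections per IP and attempts per connection. Class and parameter names, thresholds, and the sample address are assumptions.

```python
from collections import defaultdict


class AuthLimiter:
    """Hypothetical per-source-IP limiter (not Dovecot's own code).

    Failures are counted per IP, not per connection, so an attacker that
    reconnects after every attempt still accumulates the growing delay.
    """

    def __init__(self, max_conns_per_ip=5, max_attempts_per_conn=3,
                 base_delay=1.0, max_delay=60.0, window=600.0):
        self.max_conns_per_ip = max_conns_per_ip
        self.max_attempts_per_conn = max_attempts_per_conn
        self.base_delay, self.max_delay, self.window = base_delay, max_delay, window
        self.failures = defaultdict(list)   # ip -> failure timestamps
        self.open_conns = defaultdict(int)  # ip -> open connection count
        self.attempts = {}                  # conn_id -> failed attempts

    def connect(self, ip, conn_id):
        """Return True if the connection may proceed, False to reject it."""
        if self.open_conns[ip] >= self.max_conns_per_ip:
            return False
        self.open_conns[ip] += 1
        self.attempts[conn_id] = 0
        return True

    def disconnect(self, ip, conn_id):
        self.open_conns[ip] = max(0, self.open_conns[ip] - 1)
        self.attempts.pop(conn_id, None)

    def auth_failed(self, ip, conn_id, now):
        """Record a failure; return (delay_seconds, must_disconnect)."""
        self.failures[ip] = [t for t in self.failures[ip] if now - t < self.window]
        self.failures[ip].append(now)
        n = len(self.failures[ip])                      # failures in window
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)  # 1, 2, 4, ...
        self.attempts[conn_id] = self.attempts.get(conn_id, 0) + 1
        return delay, self.attempts[conn_id] >= self.max_attempts_per_conn


def simulate_reconnecting_attacker(ip="192.0.2.10", tries=5):
    """Constructed scenario: one attempt per connection, reconnect each time."""
    lim, delays, now = AuthLimiter(), [], 0.0
    for i in range(tries):
        conn = f"conn{i}"
        if not lim.connect(ip, conn):
            raise RuntimeError("unexpected rejection in single-connection run")
        delay, _ = lim.auth_failed(ip, conn, now)
        delays.append(delay)
        now += delay          # attacker waits out the delay, then reconnects
        lim.disconnect(ip, conn)
    return delays             # grows 1, 2, 4, 8, 16 despite the reconnects
```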