dictionary attack defense
Joseph Tam
jtam.home at gmail.com
Wed Oct 22 23:02:04 UTC 2014
Cliff Hayes writes:
> a) I read about auth_failure_delay even before I posted my question and
> I could not figure out the one-line explanation in the dovecot wiki:
> "Number of seconds to delay before replying to failed authentications."
> It's delaying a reply. Does that mean the hacker can keep asking as
> fast as he wants?
As Reindl states, authentication is a synchronous operation so the BFD
attacker must wait for a reply before continuing.
An attacker can get around this by running a botnet against you or opening
up many concurrent connections (I think the latter can be capped), but
I've rarely seen this. A botnet attack will defeat IP based blocking
anyways.
> Is it per user or per IP?
Irrelevant -- there is no tracking. It simply pauses the reply to
bad auth attempts and tarpits the session.
auth_failure_delay does not block BFD attacks, but makes it infeasible
for reasonable strength passwords. It's simpler to implement, robust,
and fault tolerant (e.g. a user cannot accidentally lock themselves
out requiring administrative intervention to restore immediate access,
or repeated failures from a NAT'd network do not DoS everything within
the NAT'd network).
Joseph Tam <jtam.home at gmail.com>
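The throughput argument above, worked through as an added example (illustration only, not part of the original post and not Dovecot code): an attacker who must wait for each reply before sending the next guess gets at most one failed attempt per auth_failure_delay per connection, so the guess rate is connections divided by the delay. The 2-second delay is Dovecot's default `auth_failure_delay = 2 secs`; the unthrottled server rate, the 100,000-word dictionary, the connection counts and the password models are assumptions chosen to show the point. The example also shows the caveat the post implies: the delay makes a random password of reasonable strength infeasible, but a dictionary password still falls within hours, or minutes once the attacker runs many connections or a botnet.

```python
"""Model of brute-force throughput against a synchronous authentication
service that delays every failed reply (Dovecot's auth_failure_delay).

Added illustration; the attacker model, server rate, wordlist size and
scenario numbers are assumptions, not measurements of Dovecot.
"""
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SECONDS_PER_HOUR = 3600

# Assumed raw auth throughput of the server when no delay is configured.
UNTHROTTLED_RATE = 1000.0


def guesses_per_second(failure_delay: float, connections: int,
                       unthrottled_rate: float = UNTHROTTLED_RATE) -> float:
    """Guess rate for an attacker who waits for each reply before the next try.

    Each connection yields at most one failed attempt per failure_delay
    seconds, so opening more connections (or using a botnet) scales the
    rate linearly. With no delay the only bound is the server's raw
    throughput (an assumption). Real servers are also CPU-bound, which
    this model ignores.
    """
    if connections < 1:
        raise ValueError("need at least one connection")
    if failure_delay <= 0:
        return unthrottled_rate
    return connections / failure_delay


def password_space(charset_size: int, length: int) -> int:
    """Number of candidates for a uniformly random password."""
    return charset_size ** length


def expected_crack_seconds(space: int, rate: float) -> float:
    """Average time to hit the right candidate: half the space, at `rate`."""
    return (space / 2) / rate


@dataclass(frozen=True)
class Scenario:
    name: str
    failure_delay: float   # seconds, 0 = no auth_failure_delay
    connections: int       # concurrent connections (botnet hosts x conns)


# Constructed attacker scenarios.
SCENARIOS = (
    Scenario("no delay, one connection", 0.0, 1),
    Scenario("2 s delay, one connection", 2.0, 1),
    Scenario("2 s delay, 50 connections", 2.0, 50),
    Scenario("2 s delay, 1000-host botnet x 10 conns", 2.0, 10_000),
)

# Constructed password models: a wordlist (dictionary attack) and a
# random 8-character password over [a-z0-9].
PASSWORD_MODELS = {
    "100k-word dictionary": 100_000,
    "random 8 chars [a-z0-9]": password_space(36, 8),
}


def report() -> list:
    """Expected crack time for every scenario/password combination.

    Returns (scenario, password model, guesses/s, hours, years) tuples so
    callers can inspect or tabulate them.
    """
    rows = []
    for model, space in PASSWORD_MODELS.items():
        for s in SCENARIOS:
            rate = guesses_per_second(s.failure_delay, s.connections)
            secs = expected_crack_seconds(space, rate)
            rows.append((s.name, model, rate,
                         secs / SECONDS_PER_HOUR, secs / SECONDS_PER_YEAR))
    return rows


if __name__ == "__main__":
    for name, model, rate, hours, years in report():
        print(f"{model:26} {name:42} {rate:8.1f}/s "
              f"{hours:14.1f} h {years:14.1f} y")
```

Reading the output: with the default delay and a single connection the dictionary falls in about 28 hours and a 50-connection attacker finishes it in about half an hour, while the random 8-character password takes on the order of tens of thousands of years even against the botnet scenario. That is the sense in which the delay is a tarpit rather than a block: it buys nothing for a password that is in the attacker's wordlist, and connection concurrency is the knob an attacker turns, so the per-connection cap mentioned in the post is what keeps the linear scaling in check on a single host.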