dictionary attack defense

Joseph Tam jtam.home at gmail.com
Wed Oct 22 23:02:04 UTC 2014

Cliff Hayes writes:

> a) I read about auth_failure_delay even before I posted my question and
> I could not figure out the one-line explanation in the dovecot wiki:
> "Number of seconds to delay before replying to failed authentications."
>  It's delaying a reply.  Does that mean the hacker can keep asking as
> fast as he wants?

As Reindl states, authentication is a synchronous operation so the BFD
attacker must wait for a reply before continuing.

An attacker can get around this by running a botnet against you or opening
up many concurrent connections (I think the latter can be capped), but
I've rarely seen this.  A botnet attack will defeat IP based blocking

> Is it per user or per IP?

Irrelevant -- there is no tracking.  It's simply pauses the reply to
bad auth attempts and tarpits the session.

auth_failure_delay does not block BFD attacks, but makes it infeasable
for reasonable strength passwords.  It's simpler to implement, robust,
and fault tolerant (e.g. a user cannot accidentally lock themselves
out requiring administrative intervention to restore immediate access,
or repeated failures from a NAT'd network does not DoS everything within
the NAT'd network).

Joseph Tam <jtam.home at gmail.com>

More information about the dovecot mailing list