Vulnerability Development mailing list archives

Re: Intel Corporation, Express 550F Switch unlimited password attempts]


From: courcoul () CAMPUS QRO ITESM MX (Juan M. Courcoul)
Date: Thu, 23 Mar 2000 09:12:38 -0600


On Mon, 20 Mar 2000, Dustin D. Trammell wrote:

> David Schwartz wrote:
>
> > As for whether breaking connections after a fixed number of tries is
> > a good idea, I don't believe it is. It's no harder to write a program to try 1000
> > passwords on one connection than it is to write one to try one password,
> > disconnect, and repeat. So how would that provide any protection against
> > brute force attacks?
>
> It doesn't, although it does increase the amount of time it takes for
> the brute force attack to be successful, which can be a deterring factor
> when you have, say, a slower network link and are forced to
> connect/disconnect for every password attempt.

I remember that in some older systems (VM/370 and VM/SP had this, I'm
almost certain), this type of deterrent was coupled with an exponential
backoff timer, so that after the first disconnect due to bad auth, it
would take say 10 seconds to allow a retry, the second time around it
would take 20 seconds, the third, 30 and so on up to some set limit like
5-10 minutes. After a short while it would become chronologically
unfeasible to try a brute-force password guessing stint on such a system,
or at least it gives the good guys more time to detect the attack and take
countermeasures before penetration. The timer would reset after the first
correct auth or after some adjustable period of time like an hour or so.

Naturally, this opens the door to another type of annoying DoS attack (do
this on root/admin/supervisor/whatever the head honcho is, and watch the
aforementioned party tear hair out...), but at least the bad guys have it
tough too.

J. Courcoul                               courcoul () campus qro itesm mx
Servicios Computacionales                 Directo    (4) 238-3181
ITESM Campus Queretaro                    Secretaria (4) 238-3175
Queretaro, Qro. Mexico                    Sky (800) 723-4500 PIN 5597110
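The growing retry timer described in the post above, written out as an added Python example (not code from VM/370, the Intel switch, or any other system mentioned in the thread). The class and its parameters are hypothetical; the wait is keyed by account name, the timer is extended by a fixed step per failure up to a cap, and it resets on the first good login or after a quiet period.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class _Account:
    failures: int = 0          # consecutive bad attempts since the last reset
    last_failure: float = 0.0  # clock value of the most recent bad attempt
    locked_until: float = 0.0  # no attempt is accepted before this clock value


class LoginThrottle:
    """Linear backoff per account, as the post describes (hypothetical class).
    Each failure adds `step` seconds to the wait (10, 20, 30, ...), capped at `cap`;
    the counter resets on a good login or after `reset_after` quiet seconds."""

    def __init__(self, step: float = 10.0, cap: float = 600.0,
                 reset_after: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.step, self.cap, self.reset_after, self.clock = step, cap, reset_after, clock
        self._accounts: Dict[str, _Account] = {}   # keyed by account name only

    def _account(self, user: str, now: float) -> _Account:
        acct = self._accounts.setdefault(user, _Account())
        if acct.failures and now - acct.last_failure >= self.reset_after:
            acct.failures, acct.locked_until = 0, 0.0   # quiet period elapsed
        return acct

    def retry_after(self, user: str, now: Optional[float] = None) -> float:
        """Seconds still to wait before `user` may try again (0.0 if allowed now)."""
        now = self.clock() if now is None else now
        return max(0.0, self._account(user, now).locked_until - now)

    def attempt(self, user: str, verify: Callable[[], bool],
                now: Optional[float] = None) -> Tuple[bool, float]:
        """Return (authenticated, seconds until the next attempt is accepted)."""
        now = self.clock() if now is None else now
        acct = self._account(user, now)
        if acct.locked_until > now:
            return False, acct.locked_until - now   # refused; credential not even checked
        if verify():
            self._accounts.pop(user, None)          # first good auth clears the timer
            return True, 0.0
        acct.failures += 1
        acct.last_failure = now
        acct.locked_until = now + min(self.step * acct.failures, self.cap)
        return False, acct.locked_until - now
```

Because the state is keyed by account name alone, repeated bad guesses against "root" keep the real administrator waiting, which is exactly the DoS the post points out; keying on (account, source address) and alerting operators when the counter climbs are the usual ways to soften that.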

