Vulnerability Development mailing list archives

Re: Intel Corporation, Express 550F Switch unlimited password attempts


From: dtrammell () CAUTECH COM (Dustin D. Trammell)
Date: Fri, 24 Mar 2000 10:29:53 -0600


Juan M. Courcoul wrote:

I remember that in some older systems (VM/370 and VM/SP had this, I'm
almost certain), this type of deterrent was coupled with an exponential
backoff timer, so that after the first disconnect due to bad auth, it
would take say 10 seconds to allow a retry, the second time around it
would take 20 seconds, the third, 30 and so on up to some set limit like
5-10 minutes. After a short while it would become chronologically
unfeasible to try a brute-force password guessing stint on such a system,
or at least it gives the good guys more time to detect the attack and take
countermeasures before penetration. The timer would reset after the first
correct auth or after some adjustable period of time like an hour or so.

Naturally, this opens the door to another type of annoying
DoS attack (do this on root/admin/supervisor/whatever the head honcho is/
and watch the aforementioned party tear hair out...), but at least the bad
guys have it tough too.

A better implementation of a deterrent like that would be to couple the
backoff timer for the attempted account name with the source address of
the connection.  Although you could theoretically use a distributed
attack to somewhat limit that restriction, the timer would start for
each account/source pair attempted and eventually stop the intruder's
attempts, while still leaving the authorized user of the account
unaffected (unless of course the authorized user connects from the same
host that the attacker is connecting from).  Anyhow, now we're getting
off topic into theoretical discussion.  Time to kill this thread? (:

--
Dustin D. Trammell
Information Security Analyst
CAU Technologies, Inc.
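
The per-account/source backoff timer discussed in this message, as an added example that is not part of the original post or of any product named in the thread. The class and function names, the 5-minute cap, the lowercasing of account names and the sample addresses are assumptions; the 10/20/30-second steps and the one-hour reset follow the quoted description.

```python
from dataclasses import dataclass

STEP = 10           # seconds added per failure: 10, 20, 30, ...
MAX_DELAY = 300     # cap on the delay (assumed: 5 minutes)
RESET_AFTER = 3600  # forget a pair after an hour without failures

@dataclass
class _Entry:
    failures: int = 0
    last_failure: float = 0.0

class PairBackoff:
    """Backoff state keyed on (account, source address), not on the account alone."""
    def __init__(self):
        self._state = {}

    def _entry(self, account, source, now):
        key = (account.lower(), source)  # assumed: account names are case-insensitive
        entry = self._state.get(key)
        if entry and now - entry.last_failure >= RESET_AFTER:
            del self._state[key]         # idle long enough: timer resets
            entry = None
        return key, entry

    def retry_after(self, account, source, now):
        """Seconds this pair must still wait before another attempt is accepted."""
        _, entry = self._entry(account, source, now)
        if entry is None:
            return 0.0
        delay = min(entry.failures * STEP, MAX_DELAY)
        return max(0.0, entry.last_failure + delay - now)

    def record(self, account, source, ok, now):
        """Record the outcome of an attempt that was allowed to proceed."""
        key, entry = self._entry(account, source, now)
        if ok:
            self._state.pop(key, None)   # first correct auth resets the timer
            return
        entry = entry or _Entry()
        entry.failures += 1
        entry.last_failure = now
        self._state[key] = entry

def demo():
    # Constructed scenario: 192.0.2.10 guesses at "root"; 198.51.100.7 is the real admin.
    b, t = PairBackoff(), 0.0
    for _ in range(3):
        t += b.retry_after("root", "192.0.2.10", t)  # wait out the current delay
        b.record("root", "192.0.2.10", ok=False, now=t)
    return b.retry_after("root", "192.0.2.10", t), b.retry_after("root", "198.51.100.7", t)
```

The state table grows with every distinct account/source pair seen, so a real deployment needs to bound or expire it.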


