WebApp Sec mailing list archives

RE: Likelihood of brute force attacks against web apps


From: "Bryan Murphy" <bryan () guardianlogic com>
Date: Wed, 27 Oct 2004 03:58:14 -0400

I commonly see issues in the datacenter I work in with people spamming the
comment functions on blog software.  It generally will continue until either
the resource usage raises attention or the server crashes.

I believe this would be a perfect candidate for the technology you mention. 

-> -----Original Message-----
-> From: Stephen de Vries [mailto:stephen () corsaire com] 
-> Sent: Tuesday, October 12, 2004 7:58 AM
-> To: webappsec () securityfocus com
-> Subject: Likelihood of brute force attacks against web apps
-> 
-> 
-> Hi list,
-> 
-> We frequently warn clients of the risks of brute force or 
-> automated attacks against their sites and recommend the use 
-> of CAPTCHA
-> (www.captcha.net) systems, or "secret questions" to mitigate 
-> this risk. 
->   For example:
-> 
-> - The registration process does not use captcha like systems 
-> and could allow attackers to use an automated script to 
-> generate thousands of fictitious users.  These users can 
-> then be used to perform transactions that could lead to 
-> financial loss (e.g. costs due to rejected credit card), or 
-> waste resources through database access (and wasted storage).
-> 
-> - The password reminder mechanism requires only the user's 
-> email address which is used to send them an email for 
-> resetting their password.  But since it requires no further 
-> auth from the user (such as an answer to a secret question), 
-> an attacker could enumerate all the valid email addresses 
-> registered to the site by writing a brute force script and 
-> using a database of email addresses (this may be 
-> particularly useful to a competitor).  Of course, if the 
-> email address is used as the username, this problem becomes 
-> more serious.
-> 
-> Although these risks are real - and I don't doubt they will 
-> be used in the future - I'm not aware of any attacks of this 
-> sort being  conducted in the past.  Is anyone aware of these 
-> types of attacks in real-world scenarios?  Do you think 
-> these pose a serious threat?
-> 
-> regards,
-> Stephen
-> 
-> 
->   
-> ----------------------------------------------------------------------
->   CONFIDENTIALITY: This e-mail and any files transmitted with it are
->   confidential and intended solely for the use of the 
-> recipient(s) only.
->   Any review, retransmission, dissemination or other use of, 
-> or taking
->   any action in reliance upon this information by persons or entities
->   other than the intended recipient(s) is prohibited. If you have
->   received this e-mail in error please notify the sender immediately
->   and destroy the material whether stored on a computer or otherwise.
->   
-> ----------------------------------------------------------------------
->   DISCLAIMER: Any views or opinions presented within this e-mail are
->   solely those of the author and do not necessarily represent those
->   of Corsaire Limited, unless otherwise specifically stated.
->   
-> ----------------------------------------------------------------------
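
The password-reminder enumeration risk and the automated-registration/comment-spam problem raised in the thread above both come down to the same two defects: a response that differs depending on whether the address is registered, and an endpoint that accepts unlimited requests from one source. The following is an added example written for this archive page, not code from either poster; it shows a leaky reminder handler beside a hardened one that returns the same answer on both paths and sits behind a per-source sliding-window rate limit. The user table, the outbox list and the client IP are constructed values for the example.

```python
import secrets
import time
from collections import defaultdict, deque

# Constructed in-memory user table for the example (not real account data).
USERS = {"alice@example.com": {"id": 1}, "bob@example.com": {"id": 2}}


def reset_leaky(email, store=USERS):
    """Reminder handler that acts as an oracle: the answer differs by membership,
    so a script with a list of addresses can learn which ones are registered."""
    if email in store:
        return {"status": 200, "message": "A reset link has been sent."}
    return {"status": 404, "message": "No account uses that email address."}


class SlidingWindowLimiter:
    """Per-key request counter over a sliding time window (keyed by client IP here).
    The same limiter can front a registration form or a blog comment handler."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def reset_uniform(email, client_ip, limiter, outbox, store=USERS, now=None):
    """Hardened reminder handler: identical status and body for known and unknown
    addresses, comparable work on both paths, and a per-source rate limit."""
    if not limiter.allow(client_ip, now):
        return {"status": 429, "message": "Too many requests; try again later."}
    # Generate the token on both paths so timing does not reveal membership;
    # only a registered address actually receives it.
    token = secrets.token_urlsafe(32)
    if email in store:
        outbox.append((email, token))  # stand-in for handing off to the mailer
    return {"status": 200,
            "message": "If that address is registered, a reset link has been sent."}


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=3, window_seconds=60)
    outbox = []
    print(reset_leaky("alice@example.com"), reset_leaky("nobody@example.com"))
    print(reset_uniform("alice@example.com", "203.0.113.5", limiter, outbox))
    print(reset_uniform("nobody@example.com", "203.0.113.5", limiter, outbox))
    print(len(outbox), "message(s) queued")
```

The uniform message is necessary but not sufficient on its own: if the registered path does noticeably more work (token generation, a database write, an SMTP handoff) the response time becomes the oracle instead, which is why the token is minted on both branches and the mail handoff should be done asynchronously. The rate limit does not stop a distributed script, but it raises the cost of exactly the kind of single-source automation described in the thread and gives monitoring a clear 429 signal to alert on.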