On Tue, Jan 01, 2008 at 11:21:50PM +0000, Stephen Usher wrote:
> Actually, a better method which would not inconvenience real users is
> to have an accumulative delay, i.e. the first error has a 1 second
> delay, the second 2 seconds, the third 4 seconds and so on. This
> should tar-pit any brute force attack, at least until the script
> kiddies just blast the server with a huge number of new connections to
> do the job.
Unfortunately, most of the dictionary attacks that we've been seeing will open and attack multiple simultaneous connections. After a single attempt, they'll drop the connection and reconnect. The only way to mitigate the attacks is a long delay even on a single authentication failure.

We can handle most of the load issue through our hardware load-balancers, but ultimately it's the delay after auth failure that is the only real limiting factor.

Ideally, Dovecot would allow finer control over its process forking (specifically maximum simultaneous connections from a single IP, maximum total connections and maximum authentication attempts before disconnect), but I figured I'd probably be pushing my luck asking for all of it at once. :)

Until those features are in place, larger sites have to just cross their fingers and hope that the current rash of attacks will slow over time.

-- 
Dean Brooks
[EMAIL PROTECTED]
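The two messages above disagree about where the back-off counter should live. The following is an added example, not code from the thread or from Dovecot, that makes the difference concrete: a failure tarpit whose delay and connection-cap state is keyed by client IP rather than by connection, so an attacker who drops and reconnects after every guess still accumulates delay. All names (AuthTarpit, FakeClock, simulate_reconnecting_attacker, the 203.0.113.7 address, the 1 s/64 s/600 s parameters) are hypothetical choices for the illustration, and the "one wrong guess per connection" traffic it replays is constructed, not captured.

```python
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class _IpState:
    failures: int = 0          # consecutive failed logins from this IP
    last_failure: float = 0.0  # clock reading at the last failure
    open_connections: int = 0  # connections from this IP currently open


class AuthTarpit:
    """Hypothetical per-source-IP tarpit. State outlives any single
    connection, which is the property a per-connection counter lacks."""

    def __init__(self, base_delay=1.0, max_delay=64.0, forget_after=600.0,
                 max_conns_per_ip=5, clock=time.monotonic):
        self.base_delay = base_delay            # delay on the first failure
        self.max_delay = max_delay              # cap on the doubling
        self.forget_after = forget_after        # idle seconds before failures expire
        self.max_conns_per_ip = max_conns_per_ip
        self.clock = clock
        self._state = defaultdict(_IpState)

    def connect(self, ip):
        """Return False when the per-IP concurrency cap is reached;
        the caller should then drop the TCP connection without auth."""
        st = self._state[ip]
        if st.open_connections >= self.max_conns_per_ip:
            return False
        st.open_connections += 1
        return True

    def disconnect(self, ip):
        st = self._state[ip]
        st.open_connections = max(0, st.open_connections - 1)

    def auth_failed(self, ip):
        """Record a failed login and return the seconds to sleep before
        sending the failure reply: base_delay on the first failure,
        doubling on each further failure, capped at max_delay. Failures
        expire after forget_after idle seconds so a real user with an
        old typo is not punished forever."""
        st = self._state[ip]
        now = self.clock()
        if st.failures and now - st.last_failure > self.forget_after:
            st.failures = 0
        delay = min(self.base_delay * 2 ** st.failures, self.max_delay)
        st.failures += 1
        st.last_failure = now
        return delay

    def auth_succeeded(self, ip):
        self._state[ip].failures = 0


class FakeClock:
    """Monotonic clock advanced by hand so the simulation does not sleep."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_reconnecting_attacker(guesses, per_ip=True, ip="203.0.113.7"):
    """Replay the attacker the message describes: one wrong guess per TCP
    connection, drop, reconnect. Returns the total tarpit delay absorbed.
    per_ip=False models the quoted proposal, where the back-off counter
    dies with the connection, by starting a fresh tarpit each time."""
    clock = FakeClock()
    tarpit = AuthTarpit(clock=clock)
    total = 0.0
    for _ in range(guesses):
        if not per_ip:
            tarpit = AuthTarpit(clock=clock)    # fresh state each connection
        assert tarpit.connect(ip)               # sequential, so always below the cap
        d = tarpit.auth_failed(ip)              # constructed: every guess is wrong
        clock.advance(d)                        # a real server would time.sleep(d)
        total += d
        tarpit.disconnect(ip)
    return total


if __name__ == "__main__":
    print("per-connection counter, 20 guesses:",
          simulate_reconnecting_attacker(20, per_ip=False), "s")   # 20.0
    print("per-IP counter, 20 guesses:",
          simulate_reconnecting_attacker(20, per_ip=True), "s")    # 959.0
```

With the counter scoped to the connection, twenty guesses cost the attacker twenty seconds in total (one base delay each), and that cost is divided by however many parallel connections they open. With the counter keyed by IP, the same twenty guesses cost 1+2+4+...+64 and then 64 s each, 959 s in total, and the `connect` cap bounds the parallelism that would otherwise hide the delay. Dean's point that the delay must apply even on a single failure is the `base_delay` term; Stephen's doubling is the `2 ** failures` term; the two only add up when the state survives the reconnect.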