Quote:
Originally posted by salsbury
tips from a guy who knows how to do this:
1) avoid any programs/scripts that attempt to "throttle" the crackers in real time. that is a sure path to doom. your server's connections will be so tied up with this throttling that nobody else will be able to get in.
2) don't use ipf - your CPU will be so busy checking each and every incoming packet that it will slow down the site for everyone else.
3) if you don't know how to do it, don't worry about it. just catch the guys who make it in. or assign good passwords.
I just wanted to respond to both Salsbury and pr0. Both have interesting points that I'd like to address.
Salsbury: your point about network connections is valid. However, we use the UDP protocol, which is extremely low level and doesn't rely on a three-part handshake. Basically, we average response times of 0.01 - 0.05 seconds to our clients. And, since it's UDP, there is never any network backup or bottleneck. Also, we do deposit a local db of proxies we've caught on the client system, for fast reference.
pr0: your concern about non-standard port proxies has one problem with it: there are very few non-standard port proxies around. I found a list of proxies on your web site, it was a list of 2065. Our DB currently has between 50,000 - 100,000 open, abusable proxies that we refresh and remove old ones from on a daily basis. Now, I am not sure if all of your proxies are non-standard port or not, but let's assume they are.
You have a list of 2000, more or less. Let's do some math:
1) Our software will also block attempts from the same IP after X attempts (usually 5 or so). As a result, even if we don't detect your 2000 proxies, you will get about 10,000 attempts to crack a password. In the cracking world, this is not a lot.
2) Let's say you optimize your cracking effort and therefore use only 1 username (you've lowered the number of variables you need to guess at to 1 now). Our software also does username blocks after X attempts on a particular username (regardless of IP). So this optimization is now null.
So the bottom line is that since there are very few non-standard port proxies available to a cracker, attempting to crack a site protected with ProxyPass has very little chance for success. 10,000 attempts is VERY LOW, as most cracking requires 100,000s or millions of attempts before a username/pass is obtained. And that's if you concentrate on a single username!
And the most important thing is that your server doesn't handle and return a ton of authentication attempts, lowering the user load average greatly.
The cracker would be much better off to assemble a list of say, 10,000 proxies and attack another site that is not protected with ProxyPass.
I hope this helps,
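The two lockout rules the post describes (block a source IP after about 5 failures, and block a username after some number of failures regardless of source IP) can be modelled in a few lines. The code below is an added illustration, not ProxyPass's code or anything from the thread; the per-IP limit of 5 is taken from the post, the per-username limit of 20 is an assumed value (the post only says "X attempts"), and the proxy addresses and usernames are constructed inputs. It replays the post's scenario of 2000 proxies sending guesses that all fail, once against many usernames and once against a single username, and counts how many guesses actually reach the password check.

```python
"""Toy model of per-IP and per-username failure lockout.

Hypothetical example code; not the ProxyPass implementation.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutGate:
    # "usually 5 or so" per the post; the username limit is an assumed value.
    ip_limit: int = 5
    user_limit: int = 20
    ip_fail: dict = field(default_factory=lambda: defaultdict(int))
    user_fail: dict = field(default_factory=lambda: defaultdict(int))
    blocked_ips: set = field(default_factory=set)
    blocked_users: set = field(default_factory=set)

    def allow(self, ip: str, user: str) -> bool:
        """True if this attempt should be passed on to the password check."""
        return ip not in self.blocked_ips and user not in self.blocked_users

    def record_failure(self, ip: str, user: str) -> None:
        """Count a failed login; lock the IP and/or username at its limit."""
        self.ip_fail[ip] += 1
        self.user_fail[user] += 1
        if self.ip_fail[ip] >= self.ip_limit:
            self.blocked_ips.add(ip)
        if self.user_fail[user] >= self.user_limit:
            self.blocked_users.add(user)


def run_attack(gate: LockoutGate, proxies: list, usernames: list,
               guesses_per_proxy: int) -> tuple:
    """Simulate a cracker rotating through `proxies`, each sending
    `guesses_per_proxy` wrong passwords, picking usernames round-robin.

    Returns (checked, rejected): guesses that reached the password check
    versus guesses the gate dropped without checking anything.
    """
    checked = rejected = 0
    i = 0
    for ip in proxies:
        for _ in range(guesses_per_proxy):
            user = usernames[i % len(usernames)]
            i += 1
            if gate.allow(ip, user):
                checked += 1
                gate.record_failure(ip, user)  # every guess is wrong here
            else:
                rejected += 1
    return checked, rejected


if __name__ == "__main__":
    # Constructed inputs: 2000 distinct proxy IPs, 50 guesses each.
    proxies = [f"10.0.{n // 256}.{n % 256}" for n in range(2000)]

    # Scenario 1: spread over many usernames, so only the IP limit binds.
    many_users = [f"user{n}" for n in range(100_000)]
    print("many usernames:", run_attack(LockoutGate(), proxies, many_users, 50))

    # Scenario 2: the "optimized" attack on a single username.
    print("single username:", run_attack(LockoutGate(), proxies, ["admin"], 50))
```

With the IP limit alone the attacker gets exactly 2000 x 5 = 10,000 checked guesses out of 100,000 sent, which is the arithmetic in the post; concentrating on one username drops that to the username limit (20 here) because the lockout is keyed on the target rather than the source. The usage note a practitioner would add: a username lockout that does not depend on source IP also lets anyone lock a legitimate account out by sending a handful of bad passwords for it, so in practice it is paired with a timed unlock, a CAPTCHA or a notification rather than a permanent block.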