09-23-2002, 03:08 PM
PxG
Confirmed User
 
Join Date: Feb 2002
Posts: 105
Quote:
Originally posted by cgiGeek
attack does not repeat ip per user,
so no conventional method will work,
I have proactively stopped 100-IP attacks before,
this is very different.
Now proxy based software is based on 2 assumptions:
1. Attack signature
Does not have one
2. It knows all open proxies
Numeric impossibility
Also it has to authenticate ip on query, but next query to log it
would be a killer counting on God giving you a way to tell which IP is bad and which one is not.

I think it is more about replacing apache authentication
with something booby trapped with timeouts,
and non standard http headers so damn bot goes crazy,
of course at a great resources cost.

cgiGeek,

We do not simply rely on our DB of open proxies. We actively search for open proxies during an attack, so that you receive denial of proxies in REAL-TIME, even though they are not in our DB yet. Of course, we analyze millions of hits per day between the proxypass and proxyguard products, so we have a very sizable database of open proxies.

We built this program because there is no commercial program out there right now to stop brute force attacks through proxies and because we felt there is room in the market for something that does. Our clients have all seen dramatically improved results, as you can tell by their testimonials and unprompted comments on this and other boards.

Of course, nothing is perfect and the Apache auth scheme sucks.
That's the core of the problem, you are right. But until Ibill, CCbill, and Epoch change their requirements (right now they require apache auth) there is very little alternative. Our program has built-in "booby traps" too. I won't get into specifics, but under "heavy attacks" a mode is triggered in which responses are not given to proxy-ip requests. This frustrates bots and spins them into timeout/wait states... it's a little way of saying BACK OFF. This could potentially crash a botter's server, etc.

And even if you used php/mysql, the potential is still there for brute forcing via proxies... it just won't take such a dangerous toll on your server (PHP is faster and has less overhead than apache auth schemes). But the physical attacks will still persist and passwords will be stolen.

Best Regards,
__________________
Kill Password Hackers Now!
Kill Hit-Botters Now!
_____________________________
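Added example, not part of the original post and not the method of the product discussed in the thread: a sketch of why per-IP failure counting misses the attack cgiGeek describes, where no IP repeats per user, while counting failed logins per attempted username still surfaces it. It assumes Apache common/combined log format with the supplied username in the `%u` field; the log lines, window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "request" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, user, time, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["user"], ts, int(m["status"])

def burst(times, window, n):
    """True if any n events fall inside one sliding window."""
    times = sorted(times)
    return any(times[i + n - 1] - times[i] <= window
               for i in range(len(times) - n + 1))

def flag(lines, window=timedelta(minutes=5), max_fail=5):
    """Return (ips over threshold, {username over threshold: distinct IPs})."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ip, user, ts, status in filter(None, map(parse, lines)):
        # A 401 with user "-" is the initial challenge (no credentials sent).
        # On a 401, %u is the name the client supplied, not a verified identity.
        if status == 401 and user != "-":
            by_ip[ip].append(ts)
            by_user[user].append((ts, ip))
    bad_ips = {ip for ip, t in by_ip.items() if burst(t, window, max_fail)}
    bad_users = {u: len({ip for _, ip in ev}) for u, ev in by_user.items()
                 if burst([ts for ts, _ in ev], window, max_fail)}
    return bad_ips, bad_users

# Constructed sample: six failures for one account, each from a different IP,
# plus one ordinary user who mistypes a password once and then logs in.
SAMPLE = [
    f'192.0.2.{i} - member1 [23/Sep/2002:15:00:{i:02d} -0400] '
    f'"GET /members/ HTTP/1.0" 401 401' for i in range(1, 7)
] + [
    '203.0.113.7 - - [23/Sep/2002:15:00:10 -0400] "GET /members/ HTTP/1.1" 401 401',
    '203.0.113.7 - alice [23/Sep/2002:15:00:20 -0400] "GET /members/ HTTP/1.1" 401 401',
    '203.0.113.7 - alice [23/Sep/2002:15:00:31 -0400] "GET /members/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(flag(SAMPLE))
```

The per-username result identifies the targeted account rather than addresses to block; an attack that also rotates usernames would need a site-wide failure-rate signal instead.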