GoFuckYourself.com - Adult Webmaster Forum


Buffed Body 04-18-2003 04:13 PM

Brute Force Attacks... What's Considered High?
 
I have a new pay site up... yesterday I had 110,000 attempts to hack into the members area.
I don't think this number is high enough to worry about yet, but what is? A million? 3 million? How high does it get? How many proxies can these fuckers set up, and how many are out there?

I'm not terribly worried about it at this point because I have fraud protection up... multiple IPs downloading from the same user/pass get removed, but when I get more members this could get out of hand.... or if the number of brute force attacks increases exponentially. lol

How many failed logins did you have yesterday? How many does it have to be before bothering to set up software like proxypass?
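
An added example, not part of any post in this thread: one way to pull the figures discussed in the post above out of an Apache access log, counting failed (401) logins per hour and per client address and listing usernames used successfully from several addresses. It assumes the Apache common/combined log format with HTTP Basic auth; the sample lines, addresses and usernames are constructed, and the `max_ips` threshold is a hypothetical parameter.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse(lines):
    """Yield (ip, user, hour, status) for each line that matches; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], m["user"], ts.strftime("%Y-%m-%d %H:00"), int(m["status"])

def failed_per_hour(lines):
    """401 responses per clock hour: the failed-login rate the thread asks about."""
    return Counter(hour for _, _, hour, status in parse(lines) if status == 401)

def failed_per_ip(lines):
    """401 responses per client address (each proxy shows up as its own address)."""
    return Counter(ip for ip, _, _, status in parse(lines) if status == 401)

def shared_logins(lines, max_ips=2):
    """Usernames with successful (2xx) requests from more than max_ips addresses."""
    seen = defaultdict(set)
    for ip, user, _, status in parse(lines):
        if 200 <= status < 300 and user != "-":
            seen[user].add(ip)
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) > max_ips}

# Constructed sample lines (documentation address ranges, made-up usernames).
SAMPLE = [
    '192.0.2.10 - admin [18/Apr/2003:16:01:02 -0700] "GET /members/ HTTP/1.0" 401 401',
    '192.0.2.10 - admin [18/Apr/2003:16:01:03 -0700] "GET /members/ HTTP/1.0" 401 401',
    '198.51.100.7 - test [18/Apr/2003:16:59:59 -0700] "GET /members/ HTTP/1.0" 401 401',
    '198.51.100.7 - test [18/Apr/2003:17:00:01 -0700] "GET /members/ HTTP/1.0" 401 401',
    '203.0.113.5 - user1 [18/Apr/2003:17:05:00 -0700] "GET /members/ HTTP/1.0" 200 5120',
    '203.0.113.6 - user1 [18/Apr/2003:17:06:00 -0700] "GET /members/ HTTP/1.0" 200 5120',
    '203.0.113.7 - user1 [18/Apr/2003:17:07:00 -0700] "GET /members/ HTTP/1.0" 200 5120',
    '192.0.2.99 - user2 [18/Apr/2003:17:08:00 -0700] "GET /members/ HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    print(failed_per_hour(SAMPLE), failed_per_ip(SAMPLE), shared_logins(SAMPLE))
```

Apache logs the username supplied on a 401 even though it was never authenticated, so treat that field as attacker-controlled input when reading failed attempts.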

Danielle 04-18-2003 09:30 PM

It only takes 1 kiddy script hacker using a shit load of proxies to bring your server down to a slow crawl.

Once the hacker community finds out you don't have any brute force protection you are going to be a prime target.

Then one day you awake to a $1,000.00+ bandwidth bill.

Just put something like http://www.stopthathacker.com on the site and sleep easier.

Hugs,
Danielle

Buffed Body 04-19-2003 12:46 AM

Hmmm.... today it's just over a million.

Well fuck me gently with a wire brush.

Bandwidth? Who cares... it's just a text page, and if they get in the username/pass gets deleted at a certain level.

What worries me is the load on the server. No problems at all yet, but this could obviously become an issue.

Thank you.

SpaceAce 04-19-2003 12:50 AM

Anyone with a brute forcer, a few proxies and DSL can do 30,000-60,000/hour without breaking a sweat. I think the answer to your question is: when it affects server performance.

SpaceAce

Danielle 04-19-2003 12:58 AM

Quote:

Originally posted by Buffed Body
Hmmm.... today it's just over a million.

Well fuck me gently with a wire brush.

Bandwidth? Who cares... it's just a text page, and if they get in the username/pass gets deleted at a certain level.

What worries me is the load on the server. No problems at all yet, but this could obviously become an issue.

Thank you.

Would depend on your server configuration (processor, memory, etc.) and what Apache maximum connections is set for (if you are running Apache). If the hackers are using up your max connects, your surfers can't get to your site.

If you want to test your server just go post password requests on all the hacker boards and sit back and see at what point your server slows or crashes.

Hugs,
Danielle

Buffed Body 04-19-2003 01:00 AM

Quote:

Originally posted by SpaceAce
Anyone with a brute forcer, a few proxies and DSL can do 30,000-60,000/hour without breaking a sweat. I think the answer to your question is: when it affects server performance.

SpaceAce

Yes, I'm totally shocked at the numbers here. These little hacking fuckers really know how to piss someone off. :ak47:

Danielle 04-19-2003 01:07 AM

Also, the larger your password file the larger the server load. Every password attempt causes your password file to be loaded into memory and parsed.

Hugs,
Danielle

pantymaniac 04-19-2003 05:15 AM

DON'T MAKE YOUR MEMBERS AREA Bruteforceable !!

This is the solution ...

Example:
Make an http(s) form login, not the classical pop-up login
And use random image picker for people MUST enter
their user pass after this number image randomly picked

user = gfy
pass = test
the number on the image = 000000-999999
Click Here Enter here



and move your members area to a random name

www.example.com/your member area daily random word/content.htm

If you don't move your private area to a random name
your files can be BRUTE FORCEABLE

I mean this form login will not work if someone knows your data files images where it is ..

www.exemple.com/members/1.jpg -> Can be always brute forceable

So you have to use random words for your files

Sorry for bad English but this is the simple solution !!


And never let your users choose their pass, let them use their e-mail and pass e-mailed them AlphaNumeric : GfY12Xrt

So crackers will never guess what kind of pass they will use for brute force ..


All times are GMT -7.