[Dshield] preventing brute force with spoof / proxied (Goldeneye etc.)

Frank Rizzo frankrizzocalled at hotmail.com
Wed May 22 00:06:33 GMT 2002

I'm getting hit a lot from someone trying to crack passwords to my private 
members area.

At first he was using something like w w w hack to flood the .htaccess with 
dictionaries login / password combinations. I got his IP straight away and 
his ISP toasted him.

But now he's using Goldeneye or an equivalent which sends his login attempts 
via proxy servers. My log files fill up everynight with 1000's of hits to 
the private area.

What I need is hard evidence of who he is. I guess the only way is to 
contact the proxy servers and ask them for the true IP of the dude. Is this 
correct? Are there anyother ways of identifying him?

When I am under attack I have a clever script which screws up his plans. The 
script constantly renames the .htaccess file every 30 seconds. What this 
does is opens the private members area to the world for a few seconds, then 
immediately shuts it. Anyone who has authenticated genuinely (my clients) 
will not notice anything out of the ordinary. But chummy, is going to get 
thousands of correct password hits fill up on his golden eye screen because 
he manages to get in through the 30 second window. But then those passwords 
as false positives. When he tries to enter manually he'll get booted out.

Does this sound a good idea? I'm tempted to run it 24/7. What about the 30 
second threshold? There is not much time to do anything in the site within 
30 seconds.

Chat with friends online, try MSN Messenger: http://messenger.msn.com

More information about the list mailing list