[Dshield] preventing brute force with spoof / proxied (Goldeneye etc.)
frankrizzocalled at hotmail.com
Wed May 22 00:06:33 GMT 2002
I'm getting hit a lot from someone trying to crack passwords to my private
At first he was using something like w w w hack to flood the .htaccess with
dictionary login / password combinations. I got his IP straight away and
his ISP toasted him.
But now he's using Goldeneye or an equivalent which sends his login attempts
via proxy servers. My log files fill up every night with 1000s of hits to
the private area.
What I need is hard evidence of who he is. I guess the only way is to
contact the proxy servers and ask them for the true IP of the dude. Is this
correct? Are there any other ways of identifying him?
When I am under attack I have a clever script which screws up his plans. The
script constantly renames the .htaccess file every 30 seconds. What this
does is opens the private members area to the world for a few seconds, then
immediately shuts it. Anyone who has authenticated genuinely (my clients)
will not notice anything out of the ordinary. But chummy is going to get
thousands of correct password hits filling up his Goldeneye screen because
he manages to get in through the 30-second window. But those passwords
are false positives. When he tries to enter manually he'll get booted out.
Does this sound like a good idea? I'm tempted to run it 24/7. What about the 30
second threshold? There is not much time to do anything in the site within
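As an added example (not part of the original post or the list archive), the Python script below shows one way to get usable evidence out of the access logs the poster describes when the attacker rotates through proxies, so that the source IP by itself is no longer a useful signal. It parses Apache combined-format log lines, counts 401 responses against the protected area, measures how many failures land in any five-minute window and how widely they are spread over addresses and usernames, and flags any successful request to the protected area that comes from an address that had previously failed (the "hit" the attacker is hunting for). The sample log lines, the /private/ path, and the thresholds are constructed assumptions for illustration, not data from the post.

```python
"""Detect distributed (proxied) brute force against an HTTP Basic Auth area
from Apache combined-format access logs.

Added example, not taken from the original mailing-list post. All log lines
are constructed below; /private/ and the thresholds are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes ...
# Apache logs the attempted username in the user field even on a 401.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['status'] = int(d['status'])
    d['ts'] = datetime.strptime(d['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return d


def analyse(lines, protected_prefix='/private/', window_seconds=300,
            fail_threshold=50, max_single_ip_share=0.25):
    """Summarise authentication failures against the protected area.

    verdict is 'distributed' when the peak failure count in any window reaches
    fail_threshold but no single address accounts for more than
    max_single_ip_share of the failures (the proxy-rotation pattern),
    'single-source' when one address dominates, and 'none' otherwise.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e['ts'])
    failures, per_ip, users = [], Counter(), set()
    failed_ips, suspicious = set(), []
    for e in events:
        if not e['path'].startswith(protected_prefix):
            continue
        if e['status'] == 401:
            failures.append(e)
            per_ip[e['ip']] += 1
            users.add(e['user'])
            failed_ips.add(e['ip'])
        elif 200 <= e['status'] < 300 and e['ip'] in failed_ips:
            # A success from an address that was guessing: likely a cracked account.
            suspicious.append((e['ip'], e['user'], e['ts']))

    # Sliding window over the (already time-sorted) failures.
    times = [f['ts'] for f in failures]
    peak, j = 0, 0
    for i in range(len(times)):
        while (times[i] - times[j]).total_seconds() > window_seconds:
            j += 1
        peak = max(peak, i - j + 1)

    total = len(failures)
    top_share = per_ip.most_common(1)[0][1] / total if total else 0.0
    if peak >= fail_threshold:
        verdict = 'single-source' if top_share > max_single_ip_share else 'distributed'
    else:
        verdict = 'none'
    return {
        'failures': total,
        'distinct_ips': len(per_ip),
        'distinct_users': len(users),
        'top_ip_share': top_share,
        'peak_window_failures': peak,
        'verdict': verdict,
        'suspicious_successes': suspicious,
    }


def build_sample_log():
    """Constructed sample: 60 failures from 20 proxy addresses, then one hit."""
    proxies = [f'198.51.100.{i}' for i in range(1, 21)]
    users = ['admin', 'john', 'mary', 'bob', 'alice', 'dave',
             'sue', 'tom', 'ann', 'jim', 'kate', 'lee']
    base = datetime(2002, 5, 21, 23, 10, 0)

    def fmt(ts, ip, user, path, status):
        stamp = ts.strftime('%d/%b/%Y:%H:%M:%S') + ' +0000'
        return (f'{ip} - {user} [{stamp}] "GET {path} HTTP/1.0" {status} 512 '
                f'"-" "Mozilla/4.0"')

    lines = [fmt(base, '192.0.2.9', '-', '/index.html', 200)]  # public page, ignored
    for n in range(60):  # one guess every 4 seconds, rotating address and username
        lines.append(fmt(base + timedelta(seconds=4 * n), proxies[n % 20],
                         users[n % 12], '/private/index.html', 401))
    lines.append(fmt(base + timedelta(seconds=100), '203.0.113.7', 'carol',
                     '/private/index.html', 200))  # genuine client, never failed
    lines.append(fmt(base + timedelta(seconds=250), '198.51.100.4', 'mary',
                     '/private/index.html', 200))  # success after earlier failures
    lines.append('this line is not in combined log format')  # skipped by the parser
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == '__main__':
    for key, value in analyse(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Per-address blocking is exactly what proxy rotation defeats, so the useful signals here are the aggregate failure rate and how thinly it is spread across addresses and usernames; the suspicious-success list is the item to act on (reset that account and check what it fetched), and the per-address counts are what to hand to the proxy operators when asking them for their own logs. Note that the .htaccess-renaming trick described in the post opens the members area to everyone during each window, the guesser included, so the content itself can be pulled during those seconds even though the passwords he collects are false positives.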