A recent comment on blogcfc.com encouraged me to modify the code that protects my application against brute-force attacks. The following article recommends escalating the failed-login delay based on the number of failed attempts. While this will not bother legitimate users, it will definitely annoy and possibly deter the potential hacker (then again, do you really want to annoy hackers?)

The following code snippet implements the delay in ColdFusion.

<cfif [login successful...]>
   <!--- Successful login: reset the counter so a legitimate user is not penalised later --->
   <cfset session.FailedLogin = 0>
<cfelse>
   <!--- Count the failed attempts for this session --->
   <cfparam name="session.FailedLogin" default="0">
   <cfset session.FailedLogin = session.FailedLogin + 1>
   <!--- Sleep 500 ms per failed attempt; Thread.sleep takes milliseconds as an int --->
   <cfset createObject("java", "java.lang.Thread").sleep(JavaCast("int", session.FailedLogin * 500))>
</cfif>

Comments
Seems like this could actually be used to bring your server down...if the hacker is able to subvert your session tracking by generating new cookies on each request, you could end up with a lot of sleeping threads.
# Posted By Rich | 3/12/07 9:53 AM
Good point ... maybe a way to mitigate that risk, though not completely prevent it, would be adding a "cap" on the number of failed logins:

<cfif session.FailedLogin GT 10>
   <cfabort>
</cfif>

While new sessions would be created, the thread will not be sleeping for eternity. The attack you are describing at that point would be more of a DoS attack.
Obviously, locking accounts after n failed attempts should be implemented as well.
# Posted By Shlomy Gantz | 3/12/07 11:33 AM
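Combining the post's escalating delay with the cap and lockout suggested in the comments, here is an added example (not code from the post or from BlogCFC; written in Python rather than CFML so the logic can be exercised directly) that keys the failure counter on the account name rather than the session cookie, so a client that discards its cookie on every request does not reset the count. The USERS table, thresholds and timestamps are constructed for the demonstration.

```python
import hmac
import time

BASE_DELAY_MS = 500   # the post's escalation step: attempts * 500 ms
MAX_DELAY_MS = 5000   # ceiling so no single request sleeps longer than 5 s
LOCKOUT_AFTER = 10    # the comment thread's suggested cap on failed attempts
WINDOW_SECONDS = 900  # failures older than this are forgotten

# Constructed credential table for the demo; a real app compares password hashes.
USERS = {"alice": "correct-horse"}


class LoginThrottle:
    """Failure counter kept server side and keyed by account, not by session cookie."""

    def __init__(self):
        self.failures = {}  # account -> list of failure timestamps

    def _recent(self, account, now):
        # Drop failures outside the window and keep the trimmed list in the store.
        stamps = [t for t in self.failures.get(account, []) if now - t < WINDOW_SECONDS]
        self.failures[account] = stamps
        return stamps

    def record_failure(self, account, now):
        stamps = self._recent(account, now)
        stamps.append(now)
        return len(stamps)

    def record_success(self, account):
        self.failures.pop(account, None)

    def delay_ms(self, account, now):
        # Escalate with the failure count, but cap the sleep so a flood of
        # requests cannot tie up threads for arbitrarily long (Rich's concern).
        return min(len(self._recent(account, now)) * BASE_DELAY_MS, MAX_DELAY_MS)

    def is_locked(self, account, now):
        return len(self._recent(account, now)) >= LOCKOUT_AFTER


def attempt_login(throttle, account, password, now=None, sleeper=time.sleep):
    """Return 'locked', 'ok' or 'failed'; sleeps (via sleeper) after a failure."""
    now = time.time() if now is None else now
    if throttle.is_locked(account, now):
        return "locked"  # refuse outright: no thread is spent sleeping for a locked account
    if hmac.compare_digest(USERS.get(account, ""), password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    sleeper(throttle.delay_ms(account, now) / 1000)
    return "failed"
```

Passing a recording function as `sleeper` lets you verify the delay schedule without actually sleeping.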