[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Distributed ppolicy state

To: Volker.Lendecke@SerNet.DE
Subject: Re: Distributed ppolicy state
From: Howard Chu <hyc@symas.com>
Date: Fri, 23 Oct 2009 15:17:23 -0700
Cc: openldap-devel@openldap.org
In-reply-to: <E1N1Rwf-0047Qy-JX@intern.SerNet.DE>
References: <4AE00D64.7030709@symas.com> <e021c7c00910220734r66d8294k5130d205274eb2f2@mail.gmail.com> <4AE21CFC.4050509@symas.com> <E1N1Rwf-0047Qy-JX@intern.SerNet.DE>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9.1.5pre) Gecko/20091012 SeaMonkey/2.0a1pre Firefox/3.0.3

Volker Lendecke wrote:

On Fri, Oct 23, 2009 at 02:15:40PM -0700, Howard Chu wrote:

I'm not sure you're trying to solve the right problem yet. I'm pretty
unconvinced that account lockout is a good solution to anything, in
general. That's why I added login rate control to the latest ppolicy draft,
where the DSA simply starts inserting delays before responding to failed
authc attempts. As I see it, rate control can be managed completely within
a single DSA and no state ever needs to be replicated outward on any
particular schedule. But at the moment I haven't yet thought about how well
this will work in all the possible deployment scenarios.

So once again, what's important here is to analyze what are the types of
attacks we expect to see, and how particular defense strategies will
behave, and how effectively they will fend off those attacks. Until you've
outlined the problems, you don't have any framework for designing the
solution.


Just a quick comment: The way we understand NT4 is that the
failed attempts are counted locally and only the lockout is
replicated. This reduces the load a lot.

That's correct. But it also means that in an environment with M DSAs and Nfailures before lockout, an attacker can potentially get NxM attempts beforebeing stopped. With a count/lockout-only strategy the attacker can reach NxMin a fairly small amount of time, long before any system-wide IDS can react.

In many installations this is unacceptable.

Again, this is why IMO delaying failed login attempts is a better defense -limiting the number of attempts an attacker can launch limits the attacker'soverall effectiveness. Simple lockouts allow an attacker to quickly plow thruone account and immediately move on to the next; they don't impede an attackerat all. (This is also the same strategy I use in anti-spam filters on SMTPservers - delay the server's response to mail coming from a blacklistedserver, rather than rejecting it immediately, and you have effectively slowedthe propagation rate of spam on the network.)


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- Distributed ppolicy state
  - From: Howard Chu <hyc@symas.com>
- Re: Distributed ppolicy state
  - From: "Brett @Google" <brett.maxfield@gmail.com>
- Re: Distributed ppolicy state
  - From: Howard Chu <hyc@symas.com>
- Re: Distributed ppolicy state
  - From: Volker Lendecke <Volker.Lendecke@SerNet.DE>

Prev by Date: Re: Distributed ppolicy state
Next by Date: todo items, still some are available?
Index(es):
- Chronological
- Thread