[180268] in North American Network Operators' Group
Re: gmail security is a joke
daemon@ATHENA.MIT.EDU (Rich Kulawiec)
Fri May 29 21:33:01 2015
X-Original-To: nanog@nanog.org
Date: Fri, 29 May 2015 21:31:02 -0400
From: Rich Kulawiec <rsk@gsp.org>
To: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.64.1505291226160.18776@whammy.cluebyfour.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Fri, May 29, 2015 at 12:32:34PM -0400, Justin M. Streiner wrote:
> There are providers (banks, etc) who will disable an online account that
> has had X failed login attempts. While that's good for preventing
> $bad_guy from continuing to try to brute-force-guess the password,
> it creates a nominal DoS condition for the legitimate owner who then
> has to contact the provider and go through their password reset
> procedure.

This is why automatic lockout procedures are a problem for some
operations, particularly those which are known to create user account
names based on algorithms like "first initial + last name, truncated to
8 characters". It's not at all difficult to construct a list of valid
(or probably-valid) usernames at such sites, hit them all repeatedly
from distributed botnets (N-1 times from any one address, where N times
would trigger IP-based blocking methods) and thus effectively DoS a decent
fraction of the users.

---rsk
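The trade-off the two posts describe can be made concrete by feeding one stream of login events through two lockout policies and counting how many legitimate logins each one turns away. The code below is an added example, not code from the NANOG thread or from any provider it mentions; the event stream, usernames, addresses, thresholds (three failures, a one-second base delay capped at fifteen minutes, an alarm at twenty distinct accounts locked per minute) are all constructed for the illustration. It compares the "X failures disables the account until a manual reset" policy from the quoted post with a temporary per-account lock that grows with consecutive failures and expires on its own, and it adds the check a defender wants on top of either: an alarm when many distinct accounts start locking in the same window, since that pattern is the signal the post is describing.

```python
# Added example (not from the NANOG thread): compares two account-lockout
# policies against the same constructed stream of login events and reports how
# many legitimate logins each policy refuses, plus fleet-wide lockout alerts.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LoginEvent:
    t: float        # seconds since the start of the simulated day
    user: str
    src_ip: str
    success: bool   # True if the submitted credentials were correct


class PermanentLockout:
    """Policy from the quoted post: after max_failures the account is disabled
    until the owner goes through the provider's manual reset procedure."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def is_locked(self, user, t):
        return user in self.locked

    def record(self, ev):
        if ev.success:
            self.failures[ev.user] = 0
            return
        self.failures[ev.user] += 1
        if self.failures[ev.user] >= self.max_failures:
            self.locked.add(ev.user)


class BackoffLockout:
    """Alternative: a temporary per-account lock whose length doubles with each
    consecutive failure (capped), so guessing is throttled but nothing needs a
    manual reset; the number of distinct accounts locked per window is watched,
    because many accounts locking at once is itself the thing to alert on."""

    def __init__(self, base=1.0, cap=900.0, window=60.0, threshold=20):
        self.base, self.cap = base, cap
        self.window, self.threshold = window, threshold
        self.streak = defaultdict(int)
        self.locked_until = {}
        self.recent_locks = deque()   # (t, user) for lock events in the window
        self.alerts = []              # times at which the fleet-wide alarm fired

    def is_locked(self, user, t):
        return self.locked_until.get(user, 0.0) > t

    def record(self, ev):
        if ev.success:
            self.streak[ev.user] = 0
            self.locked_until.pop(ev.user, None)
            return
        self.streak[ev.user] += 1
        delay = min(self.base * 2 ** (self.streak[ev.user] - 1), self.cap)
        self.locked_until[ev.user] = ev.t + delay
        self.recent_locks.append((ev.t, ev.user))
        while self.recent_locks and self.recent_locks[0][0] < ev.t - self.window:
            self.recent_locks.popleft()
        distinct = {u for _, u in self.recent_locks}
        # Fire at most once per window so a sustained burst yields one alert.
        if len(distinct) >= self.threshold and (
                not self.alerts or ev.t - self.alerts[-1] > self.window):
            self.alerts.append(ev.t)


def run(policy, events):
    """Feed events in time order; return how many *correct* logins the policy
    refused because the account happened to be locked at that moment."""
    refused = 0
    for ev in sorted(events, key=lambda e: e.t):
        if policy.is_locked(ev.user, ev.t):
            if ev.success:
                refused += 1
            continue   # locked: the attempt is not evaluated at all
        policy.record(ev)
    return refused


def constructed_events(n_users=50, failures_per_user=3):
    """Constructed input: each predictable username receives failures_per_user
    wrong guesses, each from a different address (so no per-IP counter trips),
    and the real owner logs in with the right password an hour later."""
    events, ip = [], 0
    for u in range(n_users):
        user = f"jdoe{u:02d}"
        for k in range(failures_per_user):
            events.append(LoginEvent(t=float(u * failures_per_user + k), user=user,
                                     src_ip=f"203.0.113.{ip % 254 + 1}", success=False))
            ip += 1
        events.append(LoginEvent(t=3600.0 + u, user=user,
                                 src_ip="198.51.100.7", success=True))
    return events


def compare():
    events = constructed_events()
    permanent, backoff = PermanentLockout(max_failures=3), BackoffLockout()
    return {
        "permanent_refused": run(permanent, events),   # every owner locked out
        "backoff_refused": run(backoff, events),       # locks expired long ago
        "backoff_alerts": len(backoff.alerts),         # fleet-wide alarm fired
    }


if __name__ == "__main__":
    print(compare())
```

With the constructed stream, the permanent policy refuses all fifty legitimate logins, exactly the outcome the post warns about, while the backoff policy refuses none (every temporary lock has expired by the time the owner shows up) and still raises the alarm during the burst, because twenty or more distinct accounts locking inside one minute is what the monitoring key is built to catch. The per-IP dimension the post mentions is deliberately not part of either policy: each constructed failure comes from its own address, which is the case where a per-IP counter gives no protection and the per-account and fleet-wide views have to carry the load.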