Network Security: Detailed info on Re: Account Lockouts

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security SecProg

[Top] [All Lists]

Re: Account Lockouts

from [Valdis . Kletnieks] Network Security

[Permanent Link]

Subject:	Re: Account Lockouts
Date:	Mon, 06 Dec 2004 12:16:50 -0500

On Fri, 03 Dec 2004 17:19:44 EST, "David A. Wheeler" said:

* Don't lock out if the user logs in using the console
   and/or trusted IP addresses and/or "last IP address"
   Obviously, this opens you up to password guessing attacks
   if an attacker is in those IP address ranges, and a
   good attacker spoof an IP address too


Note that spoofing an IP address for a TCP connection *should* be
quite difficult if the server properly implements RFC1948:

1948 Defending Against Sequence Number Attacks. S. Bellovin. May 1996.
     (Format: TXT=13074 bytes) (Status: INFORMATIONAL)
http://www.ietf.org/rfc/rfc1948.txt

However, many vendors don't seem to get this as right as you'd expect,
as Michael Zalewski discovered:

http://alon.wox.org/tcpseq.html

And a year later, things hadn't universally improved:

http://lcamtuf.coredump.cx/newtcp/

pgpyAGV76wyiM.pgp
Description: PGP signature

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
RE: Account Lockouts, (continued) RE: Account Lockouts, Silcock, Stephen RE: Account Lockouts, Patrik Sternudd RE: Account Lockouts, Dean Saxe RE: Account Lockouts, Skander Ben Mansour RE: Account Lockouts, Martin Dion RE: Account Lockouts, Eric Coleman Re: Account Lockouts, Jason Coombs Re: Account Lockouts, Haroon Meer Re: Account Lockouts, Jason Coombs Re: Account Lockouts, David A. Wheeler Re: Account Lockouts, Valdis . Kletnieks <= Re: Account Lockouts, Michael Silk RE: Account Lockouts, David LeBlanc RE: Account Lockouts, Michael Wojcik RE: Account Lockouts, Cunningham, Andy RE: Account Lockouts, Jefferies, Darren

Previous by Date:	Web Application Security Consortium 'Guest Articles' Call for Papers, robert
Next by Date:	RE: Account Lockouts, David LeBlanc
Previous by Thread:	Re: Account Lockouts, David A. Wheeler
Next by Thread:	Re: Account Lockouts, Michael Silk
Indexes:	[Date] [Thread] [Top] [All Lists]