
RE: Likelihood of brute force attacks against web apps

Subject: RE: Likelihood of brute force attacks against web apps
Date: Wed, 27 Oct 2004 03:58:14 -0400
I commonly see issues in the datacenter I work in with people spamming the
comment functions on blog software.  It generally will continue until either
the resource usage raises attention or the server crashes.

I believe this would be a perfect candidate for the technology you mention. 

-> -----Original Message-----
-> From: Stephen de Vries [mailto:stephen@corsaire.com] 
-> Sent: Tuesday, October 12, 2004 7:58 AM
-> To: webappsec@securityfocus.com
-> Subject: Likelihood of brute force attacks against web apps
-> 
-> 
-> Hi list,
-> 
-> We frequently warn clients of the risks of brute force or 
-> automated attacks against their sites and recommend the use 
-> of CAPTCHA
-> (www.captcha.net) systems, or "secret questions" to mitigate 
-> this risk. 
->   For example:
-> 
-> - The registration process does not use captcha like systems 
-> and could allow attackers to use an automated script to 
-> generate thousands of fictitious users.  These users can 
-> then be used to perform transactions that could lead to 
-> financial loss (e.g. costs due to rejected credit card), or 
-> waste resources through database access (and wasted storage).
-> 
-> - The password reminder mechanism requires only the user's 
-> email address which is used to send them an email for 
-> resetting their password.  But since it requires no further 
-> auth from the user (such as an answer to a secret question), 
-> an attacker could enumerate all the valid email addresses 
-> registered to the site by writing a brute force script and 
-> using a database of email addresses (this may be 
-> particularly useful to a competitor).  Of course, if the 
-> email address is used as the username, this problem becomes 
-> more serious.
-> 
-> Although these risks are real - and I don't doubt they will 
-> be used in the future - I'm not aware of any attacks of this 
-> sort being conducted in the past.  Is anyone aware of these 
-> types of attacks in real-world scenarios?  Do you think 
-> these pose a serious threat?
-> 
-> regards,
-> Stephen
-> 
-> 
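The two findings in the quoted post (a password-reminder endpoint whose response reveals whether an e-mail address is registered, and an unthrottled endpoint that an automated script can drive thousands of times) can be shown side by side in a small simulation. The following is an added example written for this page; it is not code from either poster, from Corsaire, or from any real site. The user store, e-mail addresses, IP addresses and the in-memory outbox are all constructed sample data, and `RateLimiter`, `hardened_password_reminder` and `enumerate_accounts` are names chosen here for illustration. The "attacker" function is the brute-force script the post describes: it submits a list of candidate addresses and keeps every one whose response differs from a known-unregistered probe.

```python
"""
Added example (not part of the original thread): a toy password-reminder
endpoint that leaks account existence, beside a hardened version that
returns one uniform message and rate-limits callers, plus the attacker
script that tells the two apart.  All data below is constructed.
"""
import time
from collections import defaultdict

# Constructed sample user store: registered e-mail address -> display name.
USERS = {
    "alice@example.com": "Alice",
    "carol@example.com": "Carol",
}

# Simulated outbox so the example runs with no mail server.
OUTBOX = []


def vulnerable_password_reminder(email, client_ip=None):
    """Leaks account existence: the wording of the reply depends on
    whether the address is registered, so a script can enumerate users.
    No throttling, so the script can run through a whole address list."""
    if email in USERS:
        OUTBOX.append((email, "reset-link"))
        return "A password reset link has been sent to your address."
    return "No account exists for that e-mail address."


class RateLimiter:
    """Sliding-window counter keyed by any string (client IP, e-mail).
    The clock is injectable so the window can be tested without sleeping."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(list)

    def allow(self, key):
        now = self.clock()
        recent = [t for t in self._hits[key] if now - t < self.window]
        self._hits[key] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


# Two independent limits: one IP hammering many addresses trips the per-IP
# counter; many IPs aimed at one address trip the per-address counter.
IP_LIMITER = RateLimiter(limit=5, window_seconds=3600)
EMAIL_LIMITER = RateLimiter(limit=3, window_seconds=3600)

UNIFORM_MESSAGE = ("If that address is registered, a password reset link "
                   "has been sent to it.")


def hardened_password_reminder(email, client_ip):
    """Same reply whether or not the address exists or the caller is
    throttled; the only difference is out of band (the e-mail itself).
    The send is queued rather than done inline so the reply time does
    not depend on the lookup result either."""
    if not IP_LIMITER.allow(client_ip) or not EMAIL_LIMITER.allow(email.lower()):
        return UNIFORM_MESSAGE          # dropped silently, caller not told
    if email in USERS:
        OUTBOX.append((email, "reset-link"))
    return UNIFORM_MESSAGE


def enumerate_accounts(candidates, reminder, client_ip="203.0.113.7"):
    """The brute-force script from the post: query a known-unregistered
    probe address for a baseline, then keep every candidate whose reply
    differs from it.  Returns the addresses the endpoint gave away."""
    baseline = reminder("probe-unregistered@example.invalid", client_ip)
    return [c for c in candidates if reminder(c, client_ip) != baseline]


# Constructed candidate list, as an attacker might pull from a leaked dump.
CANDIDATES = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]


def demo():
    """Run the enumeration against both endpoints from different IPs."""
    leaked = enumerate_accounts(CANDIDATES, vulnerable_password_reminder,
                                client_ip="203.0.113.7")
    hidden = enumerate_accounts(CANDIDATES, hardened_password_reminder,
                                client_ip="198.51.100.9")
    return leaked, hidden


if __name__ == "__main__":
    leaked, hidden = demo()
    print("vulnerable endpoint leaked:", leaked)   # the two registered users
    print("hardened endpoint leaked:  ", hidden)   # nothing
```

Against the vulnerable endpoint the script recovers exactly the registered addresses; against the hardened one it recovers nothing, and once the per-IP or per-address window is exhausted the reset mail stops going out while the reply stays identical. A CAPTCHA on the registration form addresses the first finding in the post in the same spirit: the uniform message removes the oracle, and the limiter caps how many attempts any one script can make.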
