BIND 10 #391: Make it harder to do dictionary attacks for cmdctl.
BIND 10 Development
do-not-reply at isc.org
Mon Feb 20 15:45:28 UTC 2012
#391: Make it harder to do dictionary attacks for cmdctl.
-------------------------------------------+----------------------------
Reporter: zhanglikun | Owner:
Type: enhancement | Status: new
Priority: minor | Milestone:
Component: cmd-ctl | Resolution:
Keywords: | Sensitive: 0
Defect Severity: N/A | Sub-Project: DNS
Feature Depending on Ticket: | Estimated Difficulty: 0.0
Add Hours to Ticket: 0 | Total Hours: 0
Internal?: 0 |
-------------------------------------------+----------------------------
Changes (by shane):
* subproject: => DNS
* severity: => N/A
Comment:
This is not as easy as it would seem.
If we do it per-connection then an attacker can simply open another
connection without the delay. If we do it per-user then an attacker can
simply launch a DoS by connecting for a user with a lot of broken
passwords.
One way to do this might be to always add a 1 second delay for logins.
That would make pipelined commands unusable, so we could also add a
"whitelist" of successful IP/user combinations that don't have the delay,
perhaps for a period of time.
--
Ticket URL: <http://bind10.isc.org/ticket/391#comment:1>
BIND 10 Development <http://bind10.isc.org>
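The fixed-delay-plus-whitelist scheme sketched in the comment above, as an added example (not code from the BIND 10 project): every login attempt waits a constant delay unless the IP/user pair authenticated successfully within a time window, and a failed attempt revokes the grant. The class and method names, the 10 minute window and the injectable clock are this example's assumptions.

```python
import time
from typing import Callable, Dict, Tuple


class LoginThrottle:
    """Constant login delay with a time-limited whitelist of (ip, user) pairs.

    A constant delay on every attempt cannot be dodged by opening another
    connection, and does not let an attacker lock out one user by hammering
    it (the per-connection and per-user pitfalls named in the ticket).
    The whitelist keeps pipelined commands from a recently authenticated
    client usable. Delay and lifetime values are assumptions for this example.
    """

    def __init__(self, delay: float = 1.0, whitelist_ttl: float = 600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.delay = delay
        self.whitelist_ttl = whitelist_ttl
        self.clock = clock
        # (ip, user) -> time of the last successful login from that pair
        self._whitelist: Dict[Tuple[str, str], float] = {}

    def is_whitelisted(self, ip: str, user: str) -> bool:
        last_ok = self._whitelist.get((ip, user))
        if last_ok is None:
            return False
        if self.clock() - last_ok > self.whitelist_ttl:
            del self._whitelist[(ip, user)]  # window expired, drop the grant
            return False
        return True

    def delay_for(self, ip: str, user: str) -> float:
        """Seconds the server should wait before checking this attempt's password."""
        return 0.0 if self.is_whitelisted(ip, user) else self.delay

    def record_result(self, ip: str, user: str, success: bool) -> None:
        """Update the whitelist once the password has actually been verified."""
        if success:
            self._whitelist[(ip, user)] = self.clock()
        else:
            # A wrong password from a whitelisted pair revokes the grant, so the
            # window cannot be used to guess passwords without the delay.
            self._whitelist.pop((ip, user), None)
```

The caller sleeps for `delay_for()` before verifying the password and then calls `record_result()`; applying the delay regardless of outcome also avoids revealing through timing whether a username exists.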