如何阻止暴力破解攻击

HackChecker

黑测工作室 - 专注于软件安全测试技术研究！(www.AutomationQA.com)

如何阻止暴力破解攻击（Brute-Force Attacks）

A common threat Web developers face is a password-guessing attack known as a brute-force
attack. A brute-force attack is an attempt to discover a password by
systematically trying every possible combination of letters, numbers,
and symbols until you discover the one correct combination that works.
If your Web site requires user authentication, you are a good target for
a brute-force attack.

An attacker can always discover a password through a brute-force
attack, but the downside is that it could take years to find it.
Depending on the password's length and complexity, there could be
trillions of possible combinations. To speed things up a bit, a
brute-force attack could start with dictionary words or slightly
modified dictionary words because most people will use those rather than
a completely random password. These attacks are called dictionary attacks or hybrid brute-force attacks. Brute-force attacks put user accounts at risk and flood your site with unnecessary traffic.

Hackers launch brute-force attacks using widely available tools that
utilize wordlists and smart rulesets to intelligently and automatically
guess user passwords. Although such attacks are easy to detect, they are
not so easy to prevent. For example, many HTTP brute-force tools can
relay requests through a list of open proxy servers. Because each
request appears to come from a different IP address, you cannot block
these attacks simply by blocking the IP address. To further complicate
things, some tools try a different username and password on each
attempt, so you cannot lock out a single account for failed password
attempts.