为什么在登录检查之前无法入睡(3)防止暴力破解? [英] Why can't sleep(3) before login check prevent brute force?

问题描述

在PHP登录脚本中，为什么此伪代码不能阻止暴力攻击?当然，给定足够的时间还是有可能的，但是强行使用暴力除了几个字符外根本没有用吗?

In a PHP login script, why wouldn't this pseudocode prevent a brute force attack? Of course it's still possible given enough time, but it's basically useless to brute force anything more than a few characters?

我不是在问制作登录脚本的最佳方法是什么-仅仅是sleep()是否是一种有效地大幅度地降低蛮力攻击成功机会的有效方法.

I'm not asking what the optimal way to make a login script is - just whether or not sleep() is an efficient way of drastically reducing the chance of success of brute force attacks.

<?php
sleep(2)

if($_POST['password'] == $passwordInDB)
    $loggedIn = true;
else {
   sleep(3) //slow down even more on failed attempts.
   echo "login failed";
}
....
?>

假设:

1. 这是一个普通的基本网站，需要无所不能"攻击防护.显然，拥有数百万用户的大型网站是完全不同的故事.
2. Apache的MaxRequestWorkers配置为例如100(默认值:256)
3. 服务器功能强大，足以处理100个同时请求.

我的脚本将花费5秒来完成失败的请求.

My script would spend 5 seconds to complete a failed request.

在这种情况下，攻击者难道每秒只能执行100 * 5/60 = 8.3个猜测吗?对于任何普通密码，哪一个完全没用?

Wouldn't the attacker only be able to perform 100*5/60 = 8.3 guesses per second in this case? Which is completely useless for any normal password?

推荐答案

sleep()的问题在于，Apache工作者线程在睡眠持续且无法终止时停滞，因此那100攻击者将不断阻止工作人员，合法用户无法登录该站点.攻击者仅需要每秒发出33次以上的请求，即可使您的站点无法处理其他登录请求.

The problem with sleep() is that the Apache worker threads get stalled while the sleep lasts and can't terminate so those 100 workers will be continuously held up by the attacker and legitimate users cannot log in to the site. The attacker only needs to make >33 requests/sec to make your site unable to process other login requests.

这篇关于为什么在登录检查之前无法入睡(3)防止暴力破解?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！