
does this attack type have a name?


ghost

So, on some sites, if you try to log in more than like 10x, it will not allow that user to log on anymore, from ANY IP.

Which means, if you have a specific username to target, you can spam 10 logins per hour and prevent them from logging in ever.

I thought it was pretty clever :P
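The lockout behaviour described in the post above, modelled as an added example (this is not code from the thread or from any site it mentions): the "weak" policy counts failures per username and locks the account for every source once the threshold is hit, which is exactly what lets a third party lock the real user out; the hardened policy keys its counters on (username, source), throttles only the offending source, and answers a username-wide burst with a step-up challenge rather than a hard lock. Class names, the threshold, the window and the addresses in `simulate()` are assumptions made for this example.

```python
"""Account lockout as a denial-of-service lever: weak vs. source-aware policy.

Added example, not code from the thread. The "weak" policy models what the
post above describes: N failed logins for a username lock that username for
every source. The hardened policy keys its counters on (username, source),
throttles only the offending source, and answers a username-wide burst with a
step-up challenge instead of a hard lock. Class names, thresholds and the
addresses used in simulate() are assumptions made for this example.
"""
from collections import defaultdict

MAX_FAILURES = 10      # failures per window before the policy reacts (assumed)
WINDOW = 3600.0        # seconds; the post's "10 logins per hour"


def _recent(timestamps, now):
    """Keep only timestamps that fall inside the sliding window."""
    return [t for t in timestamps if now - t < WINDOW]


class WeakLockoutPolicy:
    """One counter per username; hitting the threshold locks everyone out."""

    def __init__(self):
        self.failures = defaultdict(list)          # username -> [timestamps]

    def record_failure(self, user, source, now):
        self.failures[user] = _recent(self.failures[user], now) + [now]

    def decision(self, user, source, now):
        self.failures[user] = _recent(self.failures[user], now)
        return "locked" if len(self.failures[user]) >= MAX_FAILURES else "allow"


class SourceAwareThrottlePolicy:
    """Counters per (username, source). The abusive source is throttled; the
    username itself only gets a step-up challenge (CAPTCHA, second factor)."""

    def __init__(self):
        self.failures = defaultdict(list)          # (user, source) -> [timestamps]

    def record_failure(self, user, source, now):
        key = (user, source)
        self.failures[key] = _recent(self.failures[key], now) + [now]

    def decision(self, user, source, now):
        key = (user, source)
        self.failures[key] = _recent(self.failures[key], now)
        if len(self.failures[key]) >= MAX_FAILURES:
            return "throttle_source"               # slow or block this source only
        # Failures for this username from every source, pruned to the window.
        user_total = sum(len(_recent(ts, now))
                         for (u, _), ts in self.failures.items() if u == user)
        if user_total >= MAX_FAILURES:
            return "challenge"                     # step-up, but the user can still get in
        return "allow"


def simulate(policy, start=0.0):
    """Replay the scenario from the post: a hostile source sends ten wrong
    passwords for 'alice' within an hour, then alice tries from her own
    address. Returns the decision alice receives under the given policy."""
    attacker, victim_source = "203.0.113.5", "198.51.100.7"   # constructed addresses
    for i in range(MAX_FAILURES):
        policy.record_failure("alice", attacker, start + i * 60)
    return policy.decision("alice", victim_source, start + 11 * 60)


if __name__ == "__main__":
    print("weak policy, alice gets:    ", simulate(WeakLockoutPolicy()))          # locked
    print("hardened policy, alice gets:", simulate(SourceAwareThrottlePolicy()))  # challenge
```

Under the weak policy the ten failures from the hostile source are enough to lock alice out from her own address; under the source-aware policy she is asked for a step-up challenge and can still get in, while the hostile source is the only party that gets throttled.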


ghost

Sounds like a DoS attack, but on a different level.


ghost

DigitalFire wrote: So, on some sites, if you try to log in more than like 10x, it will not allow that user to log on anymore, from ANY IP.

Which means, if you have a specific username to target, you can spam 10 logins per hour and prevent them from logging in ever.

I thought it was pretty clever :P

Well, the act of continuously trying to log in to an account is considered a form of brute force.

I am sure you know that. So did you mean to ask if there is a name for the situation you described, of denying such an attack?

edit: I know of a forum where the account is locked, for a period of time, if you get the login wrong after the 4th time.


ghost

I don't know if there's a name for it. It's just being really mean :P

But I know you can get programs that do this (saw one that did it with an e-gold account or something).

The attack will stop whoever you're targeting from ever getting into their account. I would assume there is a name for it though.


ghost

I guess DoS kind of describes it, as it is denying service. But it's still different.

Oh, and I am well aware of brute forcing; however, this can be inputting the same wrong password 10x per hour. The intended result is to lock a user out of their account.

And yeah, it's gotta have a name. If not, we should coin one. haha.

edit: and yeah, smartwumba, that's what I'm talking about. If there was a user you didn't like on that forum, you could easily lock them out :happy:


ghost

well then it would become a shit fest of locking each other out


ghost

It is a type of Denial of Service. Account lockouts are common and are done to prevent brute force attacks.

From the wiki:

"A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:

* flooding a network, thereby preventing legitimate network traffic;
* disrupting a server by sending more requests than it can possibly handle, thereby preventing access to a service;
* preventing a particular individual from accessing a service;
* disrupting service to a specific system or person.

Attacks can be directed at any network device, including attacks on routing devices and Web, electronic mail, or Domain Name System servers.

A DoS attack can be perpetrated in a number of ways. There are five basic types of attack:

  1. consumption of computational resources, such as bandwidth, disk space, or CPU time;
  2. disruption of configuration information, such as routing information;
  3. disruption of state information, such as unsolicited resetting of TCP sessions;
  4. disruption of physical network components.
  5. obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately."

Uber0n (Member)

I've never thought of that before - I must include this in the next version of my backdoor :D


Uber0n (Member)

lol @ lof :D

LoF sounds good though ^^


SySTeM (-=[TheOutlaw]=-)

This is a very old form of attack… in fact, ancient lol.

Hotmail used to lock you out of your account after a certain number of failed login attempts; not sure if it still does, but yeah, wolfmankurd and I created a script to cURL the login and repeat the login process on an array of emails with fake passwords, usually something like "asdf1", which in turn locked the entire array of users out. Was quite fun, to be honest.
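Seen from the operator's side, both shapes the thread describes leave a recognisable trace in authentication logs: the earlier post's single username pushed to the lockout threshold (possibly from several addresses), and this post's one source pushing a whole list of accounts to the threshold with the same throwaway password. The detection below is an added example, not code from the thread or from any of the services mentioned; the log format, field names, threshold, usernames and addresses are all constructed for it.

```python
"""Spotting lockout-driven denial of service in authentication logs.

Added example, not from the thread. Two shapes from the discussion are
detected: a single username pushed to the lockout threshold from one or more
sources, and one source pushing many usernames to the threshold at once (the
scripted array-of-accounts case). The log format, field names, threshold and
all addresses/usernames are constructed for this example.
"""
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 4   # failures at which the application locks (assumed)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: alice hit from two addresses; bob, carol and dave each
# fail four times from one address; eve logs in normally.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z auth: FAIL user=alice src=203.0.113.5
2024-01-01T10:10:02Z auth: FAIL user=alice src=203.0.113.5
2024-01-01T10:20:03Z auth: FAIL user=alice src=192.0.2.44
2024-01-01T10:30:04Z auth: FAIL user=alice src=192.0.2.44
2024-01-01T10:31:00Z auth: OK user=eve src=198.51.100.9
2024-01-01T10:40:00Z auth: FAIL user=bob src=198.51.100.7
2024-01-01T10:40:01Z auth: FAIL user=bob src=198.51.100.7
2024-01-01T10:40:02Z auth: FAIL user=bob src=198.51.100.7
2024-01-01T10:40:03Z auth: FAIL user=bob src=198.51.100.7
2024-01-01T10:40:04Z auth: FAIL user=carol src=198.51.100.7
2024-01-01T10:40:05Z auth: FAIL user=carol src=198.51.100.7
2024-01-01T10:40:06Z auth: FAIL user=carol src=198.51.100.7
2024-01-01T10:40:07Z auth: FAIL user=carol src=198.51.100.7
2024-01-01T10:40:08Z auth: FAIL user=dave src=198.51.100.7
2024-01-01T10:40:09Z auth: FAIL user=dave src=198.51.100.7
2024-01-01T10:40:10Z auth: FAIL user=dave src=198.51.100.7
2024-01-01T10:40:11Z auth: FAIL user=dave src=198.51.100.7
"""


def parse(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyse(events):
    """Return findings as sorted (kind, subject, count) tuples."""
    user_fail_count = defaultdict(int)                      # user -> failures
    user_sources = defaultdict(set)                         # user -> failing sources
    src_user_fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    for e in events:
        if e["result"] != "FAIL":
            continue
        user_fail_count[e["user"]] += 1
        user_sources[e["user"]].add(e["src"])
        src_user_fails[e["src"]][e["user"]] += 1

    findings = []
    # A username at the lockout threshold: the account holder is now locked out
    # whether or not they typed anything themselves. Count reports how many
    # distinct sources contributed.
    for user, n in user_fail_count.items():
        if n >= LOCKOUT_THRESHOLD:
            findings.append(("user_at_threshold", user, len(user_sources[user])))
    # One source driving several usernames to the threshold: the scripted case.
    for src, per_user in src_user_fails.items():
        locked = [u for u, n in per_user.items() if n >= LOCKOUT_THRESHOLD]
        if len(locked) >= 2:
            findings.append(("source_locking_many", src, len(locked)))
    return sorted(findings)


def run(text=SAMPLE_LOG):
    """Parse and analyse one log text; returns the findings list."""
    return analyse(parse(text))


if __name__ == "__main__":
    for kind, subject, count in run():
        print(f"{kind:20} {subject:15} {count}")
```

On the constructed sample this flags alice at the threshold with two contributing sources, bob, carol and dave at the threshold, and 198.51.100.7 as a source that has locked three accounts; eve's successful login produces nothing. In practice the `source_locking_many` finding is the one that separates a scripted lockout run from ordinary users forgetting their passwords.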


ghost

system_meltdown wrote: This is a very old form of attack… in fact, ancient lol.

Hotmail used to lock you out of your account after a certain number of failed login attempts, not sure if it still does…

Yeah, it's old, and Hotmail still does. There even was an application out there called "overloader" or something that does it for you on a Hotmail address. :)


ghost

Haha, sounds awesome!

I like LoF. I wonder if it'll stick.

Everybody use the term LoF as much as possible! haha.


ghost

nice cL…ha


ghost

Yeah, "Business Logic Flaws"

Jeremiah Grossman wrote a good paper on it, where one of the techniques was what you are talking about.

jeremiahgrossman.blogspot.com/2007/09/business-logic-flaws-freshly-minted.html


ghost

nights_shadow wrote: Yeah, "Business Logic Flaws"

Jeremiah Grossman wrote a good paper on it, where one of the techniques was what you are talking about.

jeremiahgrossman.blogspot.com/2007/09/business-logic-flaws-freshly-minted.html

I agree