undefined | Better HN

0 pointsEGreg11y ago0 comments

I have never found a good solution to the trade-off of protection against brute-force vs availability.

If I disallow X requests per second then I might enable DOS attacks on a user.

What if a cluster of zombie machines around the world is attempting to log in as a politician to gmail at their publicly known address? How would the politician ever get in, if login attempts are rate limited?

0 comments

2 comments · 1 top-level

anaolykarpov11y ago· 1 in thread

the rate limit can be per username/per ip address/per time period (you receive one notification once every 10 minutes), or a combination. Yes, when you have a botnet of a few thousands computers you could DoS someone. But with that in hand you can also DoS every web service on the internet (with a few exceptions)

EGregOP11y ago

But sometimes DoSing an individual is more effective

j / k navigate · click thread line to collapse