ZDoom

[enderkevin13]

Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?

[wildweasel]

Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?

Have him take a screenshot of whatever error he's getting and send it to you, then PM that screenshot to Randi.

[enderkevin13]

Wait, Laser Pineapple said on Skype that he couldn't access the site. Is he banned?

Have him take a screenshot of whatever error he's getting and send it to you, then PM that screenshot to Randi.

He sent the website errors to me. I screencapped the messages and the pictures he sent.

[Matt]

I wouldn't store anything security related in the cloud when everybody can immediately see that it's security related.

This.

I just got a too many failed login attempts again logging in now,* so I'd hate to see what would happen with an automatic lockdown. Am definitely for cooldown time though (even like 5 seconds on a first try).

*I've been getting these since people had been hijacking inactive accounts too, so I don't think there's any real pattern to this.

[Rachael]

What's worse is that I checked the phpbb community forums and other users have been reporting issues with brute force attacks for literally years, and the only feedback they have received is "enable captcha" and "add more Q&A questions" (where users are literally asking each other if their set of questions are fine).

Amazing that such shitty software is still so widely in use.
Honestly, the two best protections against brute-forcing are

a) increasing delays after a failed login
b) automatic account lockdown after a number of failed attempts - of course this could also be abused by the attacker to block all legitimate forum access.

Blocking all legitimate forum access can be countered.
a) Automatically whitelist known "good" IP ranges to the account - this would be the IP range the account was created with, and was used most in the past 180 days of its most recent access.
b) Automatically blacklist known "bad" IP ranges to all accounts - this would be IP ranges that are known to be troublesome and have multiple failed login attempts. Any IP matching this range would a) Need to solve 2 CAPTCHAs (the SSG one which hopefully will be expanded) and an image one, and b) Have 5 maximum attempts on any account. Once it hits 5 failed logins, whether on single or multiple accounts, that IP is automatically banned for 3 hours (which would force the attacker to use less and less reliable proxies).

If your machine happens to host an open proxy that the attacker uses - you're SOL. Secure your network.

[Graf Zahl]

(which would force the attacker to use less and less reliable proxies).

If it was that easy. What about TOR?

[wildweasel]

Blocking all legitimate forum access can be countered.
a) Automatically whitelist known "good" IP ranges to the account - this would be the IP range the account was created with, and was used most in the past 180 days of its most recent access.
b) Automatically blacklist known "bad" IP ranges to all accounts - this would be IP ranges that are known to be troublesome and have multiple failed login attempts. Any IP matching this range would a) Need to solve 2 CAPTCHAs (the SSG one which hopefully will be expanded) and an image one, and b) Have 5 maximum attempts on any account. Once it hits 5 failed logins, whether on single or multiple accounts, that IP is automatically banned for 3 hours (which would force the attacker to use less and less reliable proxies).

What I'd have to wonder - forgive me if I'm not particularly wise to the ways of networking as I'd like to be - is what happens in these instances:

1. Suppose I've accompanied my roommate to his mother's house on the coast for the weekend, which is a thing I don't do often enough for it to be considered a "known good" IP address. Alternatively, if I'm in town surfing from my phone, I have no idea what my phone's IP address is; I imagine it'd probably change between coverage zones or something like that. Would I get locked out of my account in that instance?
2. Why stop at only two captchas? Why not implement several and choose randomly between them on each failed attempt? Maybe one time it's the SSG question, maybe the next it's the "click on all the puppies hidden among these photographs of potatoes" one, maybe after that it's reCAPTCHA, etc etc.

(which would force the attacker to use less and less reliable proxies).

If it was that easy. What about TOR?

From what I've been told by other forums' moderators who have been dealing with the same guy, TOR is used quite frequently.

[Caligari87]

What I'd have to wonder - forgive me if I'm not particularly wise to the ways of networking as I'd like to be - is what happens in these instances:

1. Suppose I've accompanied my roommate to his mother's house on the coast for the weekend, which is a thing I don't do often enough for it to be considered a "known good" IP address. Alternatively, if I'm in town surfing from my phone, I have no idea what my phone's IP address is; I imagine it'd probably change between coverage zones or something like that. Would I get locked out of my account in that instance?

If implemented correctly, no. It doesn't block usage from the IP if you haven't used it, it soft-blocks the IP if it fails multiple logins. So you go to your roommate's mother's house and A) have an active login/cookies or B) log in successfully, it's added to the rolling list of good IPs with no interruption to your browsing experience.

[Nevander]

For fricks sake again it's telling me max attempts. Why won't they give up?

[Rachael]

If implemented correctly, no. It doesn't block usage from the IP if you haven't used it, it soft-blocks the IP if it fails multiple logins. So you go to your roommate's mother's house and A) have an active login/cookies or B) log in successfully, it's added to the rolling list of good IPs with no interruption to your browsing experience.

Exactly correct.

The idea is to not punish legitimate users needlessly - only make it harder for certain troublesome IP ranges (since proxy scans usually go by IP range, anyway). Those IP ranges can still log in - they just have two challenges to solve from the get-go. It's annoying, sure, but it's better than completely blocking them. It won't do anything for bots except to slow them down - which really is kind of the idea when you're facing brute force attacks.

Login key cookies can bypass the IP ban. That means if you ticked "Keep me logged in" it will let you stay on that account.

If the account you are logging into has an IP whitelist (you successfully logged in to your own account repeatedly within the last 180 days, or registered from that IP), your IP will also be able to bypass the challenges.

If typing your password is a bit of a doozy and you hit the max login attempts, you should still be able to reset your password and log in that way. That won't stop any attacker who can compromise people's emails, but it goes a long way to ensuring most legitimate users will have access to their accounts no matter what.

[DnB-Freak]

This is weird, but when I brought my laptop to the work I got a message that I was banned when tried to login.
At home I tried again and it worked, was I banned or not, I got several 503 Errors on the next attempts at work.
Enhanced my password after this crazy moment.

[Accensus]

But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...

[enderkevin13]

But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...

Because they think that getting rid of ZDoom will make them better, even though they rely on us pretty much.

[Rachael]

But why ZDoom? Why this community? ZDoom is as neutral as you can get! There's not even a minor gain from all this...

Attention.

Some people get off on stuff like this. The attacker is probably really proud of this thread.

[randi]

Some people get off on stuff like this. The attacker is probably really proud of this thread.

Exactly. I should probably lock this thread so people stop talking about it and giving the attacker more reason to continue.