When a client with a certain IP/port repeatedly fails to authenticate 5 times consecutively, reject all incoming login requests from the address for 5 minutes. Every failed attempt afterwards doubles the timer.
If a client with a certain address successfully authenticates, clear their address from the record of failed-guess clients.
Depends on implemented password verification mechanism #15
Note:
What's stopping the attacker from repeatedly re-running a new instance of the client application to get a new port?
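
A sketch of the lockout bookkeeping described above, as an added example that is not code from this project. The class and method names are hypothetical; it assumes "every failed attempt afterwards" means each failure after the fifth, and by default it keys records on the IP alone, so a new source port does not get a fresh record.

```python
import time

THRESHOLD = 5        # consecutive failures before the first lockout
BASE_LOCK = 5 * 60   # first lockout length, in seconds


class LoginThrottle:
    """Tracks consecutive failed logins per client key and enforces lockouts."""

    def __init__(self, key=lambda ip, port: ip, clock=time.monotonic):
        # Assumption: key on the IP alone. Pass key=lambda ip, port: (ip, port)
        # to key on IP/port as the issue text first states.
        self._key = key
        self._clock = clock
        self._records = {}  # key -> [consecutive_failures, locked_until]

    def retry_after(self, ip, port):
        """Seconds until this client may attempt a login (0 if allowed now).

        Call this before verifying the password and reject if it is non-zero.
        """
        rec = self._records.get(self._key(ip, port))
        if rec is None:
            return 0
        return max(0, rec[1] - self._clock())

    def record_failure(self, ip, port):
        """Count a failed attempt; return the lockout applied (0 if none)."""
        rec = self._records.setdefault(self._key(ip, port), [0, 0])
        rec[0] += 1
        if rec[0] < THRESHOLD:
            return 0
        # 5th failure -> 5 min, 6th -> 10 min, 7th -> 20 min, ...
        lock = BASE_LOCK * 2 ** (rec[0] - THRESHOLD)
        rec[1] = self._clock() + lock
        return lock

    def record_success(self, ip, port):
        """A successful authentication clears the client's failure record."""
        self._records.pop(self._key(ip, port), None)
```

The record table grows with every distinct key that fails, so a real deployment would also need to expire old entries.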