ArchiveTeam / universal-tracker

A configurable, reusable tracker with dashboard

Authentication is vulnerable to brute force attacks #29

Open chfoo opened 9 years ago

chfoo commented 9 years ago

The authentication code throws HTTP 401 but it doesn't stall or block the client. This makes it feasible for a brute force attack since the tracker is well capable of handling more than 15000 requests per minute.

chfoo commented 9 years ago

A work-around is to use rate limiting on admin URLs, using the web server if supported.
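As an added example, not code from universal-tracker itself, here is an in-application alternative to the web-server rate limiting suggested above: a per-client lockout that makes a rejected login stall further attempts, which is the behaviour the first comment says the 401 path lacks. It assumes the tracker (taken here to be a Ruby app) can wrap its existing password check and identify the client by address; the class, function names and thresholds are illustrative.

```ruby
# Added example, not code from universal-tracker: a per-client lockout for
# failed admin logins so a rejected request also stalls further attempts.
# Assumes the caller identifies the client (e.g. by remote address) and
# supplies the result of the existing password check as a boolean.

class FailedAuthLimiter
  # max_failures: free attempts inside the window; base_delay: first lockout
  # in seconds, doubling for every further failure; window: seconds a failure
  # stays counted. The clock is injectable so tests need not sleep.
  def initialize(max_failures: 5, base_delay: 2, window: 600,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @max_failures, @base_delay, @window, @clock = max_failures, base_delay, window, clock
    @state = {} # client => { failures: [timestamps], locked_until: time }
  end

  # Seconds the client must still wait; 0 means an attempt is allowed.
  def retry_after(client)
    s = @state.fetch(client, nil)
    return 0 unless s
    [(s[:locked_until] - @clock.call).ceil, 0].max
  end

  # Record a failure; once past max_failures the lockout doubles each time.
  def record_failure(client)
    now = @clock.call
    s = (@state[client] ||= { failures: [], locked_until: 0.0 })
    s[:failures] = s[:failures].select { |t| t > now - @window } << now
    excess = s[:failures].size - @max_failures
    return 0 if excess <= 0
    delay = @base_delay * (2**(excess - 1))
    s[:locked_until] = now + delay
    delay
  end

  # A correct login clears the client's history.
  def record_success(client)
    @state.delete(client)
  end
end

# Wrapper around the existing password check: returns [status, headers].
# 429 while locked out, 401 on a bad password (with Retry-After once the
# limit is exceeded), 200 on success.
def authenticate(limiter, client, password_ok)
  wait = limiter.retry_after(client)
  return [429, { 'Retry-After' => wait.to_s }] if wait > 0
  if password_ok
    limiter.record_success(client)
    return [200, {}]
  end
  delay = limiter.record_failure(client)
  [401, delay > 0 ? { 'Retry-After' => delay.to_s } : {}]
end
```

A client that keeps guessing sees its wait double (2s, 4s, 8s, ...), which caps the guess rate per address regardless of how many requests per minute the tracker can serve; pair it with the web-server limit for clients that rotate addresses.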