cause every single one of these accounts to be locked out within a matter of
minutes (even with a simple tool such as SQLdict).
4.4.2 Implementation options for DoS vulnerability: Denying a connection instead of account lockout
There is an inherent problem here: the DoS attack uses precisely the same scenario for which the account lockout was created. You can achieve a lot by blocking and denying connection attempts rather than locking out an account, especially if you can block a connection based on many parameters rather than just the login name. This can usually only be done using an external security system such as a database firewall. In this case a failed login event has additional qualifiers other than the login name, such as the IP address from which the request is coming. For example, the denial rule shown in Figure 4.8 will deny all access after five failed login attempts, but will do so only to requests coming from the client IP address and going to the server IP address on which the failed login attempts occurred. In this scenario, a hacker who tries to mount a DoS attack will only succeed in making sure that all connection attempts from his/her workstation are denied, but will not cause any harm to legitimate users (and their workstations).
4.5 Create and enforce password profiles
Continuing with the example profile from the previous section, some databases allow you to enforce good password management practices using password profiles. You already saw how Oracle uses profiles to enforce account lockout, but you can set additional limits per profile:

PASSWORD_LIFE_TIME: Limits the number of days the same password can be used for authentication
PASSWORD_REUSE_TIME: Number of days before a password can be reused
PASSWORD_REUSE_MAX: Number of password changes required before the current password can be reused
PASSWORD_GRACE_TIME: Number of days after the grace period begins during which a warning is issued and login is allowed
PASSWORD_VERIFY_FUNCTION: Password complexity verification script
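As an added example (not the book's own profile), the following Oracle SQL creates a profile that combines the lockout limits from the previous section with the password-management limits listed above, together with a minimal complexity-verification function. The profile name app_user_profile, the function name app_pw_verify, the user app_user and the numeric limits are assumptions chosen for illustration.

```sql
-- Added example, not from the book. Names and limits are illustrative assumptions.

-- Complexity check. Oracle calls the function with (username, new password,
-- old password); returning TRUE accepts the password, raising an error rejects it.
-- The function must be created in the SYS schema to be usable in a profile.
CREATE OR REPLACE FUNCTION app_pw_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not equal the user name');
    END IF;
    IF NOT REGEXP_LIKE(password, '[0-9]') OR NOT REGEXP_LIKE(password, '[A-Za-z]') THEN
        raise_application_error(-20003, 'Password needs both letters and digits');
    END IF;
    -- old_password is NULL when an administrator resets the password.
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20004, 'New password must differ from the old one');
    END IF;
    RETURN TRUE;
END;
/

-- Profile: lockout limits (previous section) plus the password limits above.
-- Time limits are in days; PASSWORD_LOCK_TIME 1/24 is one hour.
-- PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX only take effect when both are
-- set to a value other than UNLIMITED.
CREATE PROFILE app_user_profile LIMIT
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_TIME      365
    PASSWORD_REUSE_MAX       10
    PASSWORD_VERIFY_FUNCTION app_pw_verify;

-- Assign the profile to an account.
ALTER USER app_user PROFILE app_user_profile;

-- Verify the limits actually in force for the profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER_PROFILE';
```

Existing passwords are not re-checked retroactively; the verification function runs on the next password change, and the life-time and grace-time limits start counting from the account's current password timestamp.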