For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Implementing The Exponential Backoff Algorithm To Thwart Dictionary Attacks

Introduction Recently there was a forum post regarding using the exponential backoff algorithm to prevent or at the very least slow down dictionary attacks. A dictionary attack is when a perpetrato...
Published Nov 17, 2011
Version 1.0
adn
BIG-IP
code
news
tech tip
devnullNZ's avatar
devnullNZ
Icon for Nimbostratus rankNimbostratus
Jun 27, 2014
In the first iteration of the bit shift, it appears that tcl ends up trying to do a negative shift i.e. prev_attempts =0 so set new_lockout [expr (1 << ($prev_attempts -1))] evaluates to: expr (1 << (0-1)) which is classed as undefined, being a negative number. Should we be adding a rule to catch that prior to evaluating the expression?