Password-based authentication is widely used in various applications. However, attackers may use automated scripts to perform brute-force attacks on these applications. To prevent accounts from being compromised and taken over by malicious attackers, most applications implement account lockout policies. However, these account lockout policies can also be exploited for Denial-of-Service (DoS) attacks, preventing legitimate users from accessing their accounts. Existing unlock mechanisms are often ineffective against sustained account lockout attacks and are even absent for services like SSH. Therefore, a solution is needed that allows users to access their accounts normally while protecting them from the risk of repeated account lockouts. In this paper, we propose Account Lock Protector (ALP) to defend a system against password cracking and account DoS simultaneously.