There are several ways to defend against this attack, and the most common one is to display a kaptcha on every login or registration. Sadly, this is a real pain for members, because they have to try to type out the kaptcha and often end up failing. Why should paying customers suffer because of a few hackers? In the end, this causes more support requests, or people just give up and go away. A far better solution is the one I just implemented, which I'm proud of (so I'll talk about it here. heh). I'm sure I'm not the first person to do this, but the implementation seems pretty rare, because I haven't seen many websites doing it this way.
The solution involved creating a simple @Session bean that stores state in memory on each server in the cluster. I could use the clustered cache, but so far I haven't seen a need for the overhead of doing that. The trade-off of per-server state is that each node only counts the failures it served itself, so a client whose requests are spread across the cluster gets a larger budget than the thresholds below suggest. Using a ConcurrentHashMap keyed by IP address, I store the zone the IP address was seen in (optional), the IP address, the first access time, the last access time and a failure counter. Then I apply some fairly simple logic to the stored information:
- if someone fails more than 3 times, they are shown the kaptcha.
- if someone keeps failing for more than 1 minute (measured from their first failure to their latest one), they are shown the kaptcha.
- if someone fails because they aren't doing things correctly, they are shown the kaptcha.
The first two options have the benefit of allowing people to screw up a couple of times before they are required to pay the kaptcha tax. The third option is more like an immediate red listing: I use it when someone tries to send clearly invalid data to our servers, which a legitimate client filling in the form never does.
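The three rules above, as an added example of how such a tracker can be written. This is not the post's own bean; the class, method and field names, the 15-minute expiry and the choice that a successful login clears an ordinary counter (but not a red listing) are all assumptions made here. As in the post, the state is a plain in-memory map on one JVM, and the "more than 1 minute" rule is read as failures spanning more than a minute from first to last.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;

/**
 * Per-IP login failure tracker in the spirit of the post's session bean.
 * Hypothetical example code: names are assumptions, not the post's own
 * implementation. State lives in this JVM only, one map per server.
 */
public final class LoginAttemptTracker {

    // Thresholds from the post: more than 3 failures, or failures spread over
    // more than 1 minute, and the client has to solve the kaptcha.
    static final int MAX_FAILURES = 3;
    static final long MAX_FAIL_SPAN_MS = TimeUnit.MINUTES.toMillis(1);
    // Assumption: an IP that has not failed for 15 minutes is forgotten, so the
    // map cannot grow without bound under a scan from many addresses.
    static final long EXPIRY_MS = TimeUnit.MINUTES.toMillis(15);

    /** What the post stores per IP: zone, first/last access time, counter. */
    static final class Entry {
        final String zone;            // optional; may be null
        final long firstSeen;
        volatile long lastSeen;
        volatile int failures;
        volatile boolean redListed;   // set by the "clearly invalid data" rule

        Entry(String zone, long now) {
            this.zone = zone;
            this.firstSeen = now;
            this.lastSeen = now;
        }
    }

    private final ConcurrentHashMap<String, Entry> entries = new ConcurrentHashMap<>();

    /** Record one failed login or registration attempt from {@code ip}. */
    public void recordFailure(String ip, String zone, long now) {
        // compute() applies the function atomically for this key, so the
        // read-modify-write on failures/lastSeen needs no extra locking.
        entries.compute(ip, (key, old) -> {
            Entry e = (old == null || now - old.lastSeen > EXPIRY_MS) ? new Entry(zone, now) : old;
            e.failures++;
            e.lastSeen = now;
            return e;
        });
    }

    /** Immediate red listing for a request that is not even well formed. */
    public void redList(String ip, String zone, long now) {
        entries.compute(ip, (key, old) -> {
            Entry e = (old == null) ? new Entry(zone, now) : old;
            e.redListed = true;
            e.lastSeen = now;
            return e;
        });
    }

    /** Assumption: a successful login clears an ordinary counter but not a red listing. */
    public void recordSuccess(String ip) {
        entries.computeIfPresent(ip, (key, e) -> e.redListed ? e : null);
    }

    /** True if the next login form served to {@code ip} must include the kaptcha. */
    public boolean requiresKaptcha(String ip, long now) {
        Entry e = entries.get(ip);
        if (e == null) {
            return false;
        }
        if (now - e.lastSeen > EXPIRY_MS) {
            entries.remove(ip, e);      // stale; let the address start clean
            return false;
        }
        return e.redListed
                || e.failures > MAX_FAILURES
                || (e.failures > 0 && e.lastSeen - e.firstSeen > MAX_FAIL_SPAN_MS);
    }

    public static void main(String[] args) {
        LoginAttemptTracker tracker = new LoginAttemptTracker();
        String ip = "198.51.100.7";    // constructed sample address (TEST-NET-2)
        long t0 = 1_700_000_000_000L;  // constructed timeline, epoch millis

        for (int i = 0; i < 3; i++) {  // three failures one second apart
            tracker.recordFailure(ip, "us-east", t0 + i * 1_000L);
        }
        System.out.println("after 3 failures: " + tracker.requiresKaptcha(ip, t0 + 3_000L));

        tracker.recordFailure(ip, "us-east", t0 + 4_000L);  // a fourth failure
        System.out.println("after 4 failures: " + tracker.requiresKaptcha(ip, t0 + 4_000L));

        String slow = "203.0.113.9";   // constructed: two failures 90 seconds apart
        tracker.recordFailure(slow, null, t0);
        tracker.recordFailure(slow, null, t0 + 90_000L);
        System.out.println("slow guesser: " + tracker.requiresKaptcha(slow, t0 + 90_000L));
    }
}
```

The first address stays kaptcha-free through its third failure and is challenged on the fourth; the second address never exceeds three failures but is challenged because its failures span more than a minute. Two practical points: if the servers sit behind a load balancer or reverse proxy, the key must be the client address the proxy reports, otherwise every member appears to share the balancer's IP and is red listed together; and because the map is per JVM, a client that the balancer spreads across N nodes effectively gets N times the failure budget unless sessions are pinned to one node or the state is moved to the clustered cache.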
Right now, I'm watching the logs and things are pretty promising. I'm a bit surprised at how many IP addresses are being red listed, but I think it will decrease with time as the 'hackers' realize that their tricks won't work with us.