Allow real user to login while a brute-force attack is active (and is being slowed by throttling)

Question

Hypothetical scenario:

Let's say you have an attacker continuously attempt to log in to your website. After n attempts login throttling kicks in and the attacker is forced to wait an amount of time before their log in attempt is processed again. Since in this scenario we are talking about an automated attack, it is not smart enough to figure out that throttling is active and it keeps going on posting user/pass combos to the login form. Eventually the throttling timeout finishes and the attacker is able to post one more user/pass combo to the server which in turns activates the throttling for this user.

So this effectively creates a DoS situation for the real user because the automated attack makes sure that the login throttling is always active so that the real user can never log in.

How can this scenario be counteracted?

So far I have:

• Whitelisting IPs that have been known to have successful login attempts. This doesn't work if the real user is logging in from a previously unknown IP.
• Temporary blacklisting failed attempt IPs. This doesn't work if the attack is coming from different IPs.

Answer 1

1. Send Source-Quench upstream( aka ECN)
2. SAML (Security Assertions Markup Language)
3. Traceroute
4. Port Knocking & other "Two-factor" schemes
5. code to compare login packets -- iptables
6. Selinux/iptables-connmark
7. Connected to 6 above, "ip rule" (particularly mark & fwmark)
8. iptables-extensions: connlimit / hashlimit
9. CAPTCHA

Hint: see similar Can't Access Plesk Admin Because Of DOS Attack, Block IP Address Through SSH?

But defense in depth is critical.

Sincerely,

ArrowInTree