Terry Moore <tmm%mcci.com@localhost> wrote:
>> Thank you for your continued explanation and patience.
> Thank you in turn for getting me to clarify my thoughts. (It's an
> interesting question -- how best to discourage these kinds of attacks.)
I'm a little surprised at the techniques.
I'd think that the right answer is, whenever it fails for any reason
at all, that it should perform sleep(base+rand()) before answering. One
could even time all of the various failures and adjust base to be the
average time it has failed, if one had a stable place outside of a single
process to store the running average.
It seems that the mechanisms used simply penalize legitimate users
with code that isn't optimized well.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr%sandelman.ca@localhost http://www.sandelman.ca/ | ruby on rails [
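The sleep(base+rand()) idea from the message above, as an added C example that is not code from this thread or from any project it discusses. The names fail_stats, fail_stats_record, jitter_us, fail_delay_us and fail_sleep are hypothetical, the timings are constructed, and the jitter is read from /dev/urandom in place of rand().

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Running mean of failure-path time (us); assumed kept outside one process. */
struct fail_stats { uint64_t count; uint64_t avg_us; };

/* Fold one measured failure time into the mean: avg += (x - avg) / n. */
static void fail_stats_record(struct fail_stats *s, uint64_t elapsed_us)
{
    int64_t delta = (int64_t)elapsed_us - (int64_t)s->avg_us;
    s->count++;
    s->avg_us = (uint64_t)((int64_t)s->avg_us + delta / (int64_t)s->count);
}

/* Jitter in [0, max_us) from the kernel RNG rather than rand(), whose
 * output is predictable. If no entropy is readable, use the largest value. */
static uint64_t jitter_us(uint64_t max_us)
{
    uint32_t r = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(&r, sizeof r, 1, f) : 0;
    if (f) fclose(f);
    return max_us == 0 ? 0 : (got == 1 ? r % max_us : max_us - 1);
}

/* base + rand(): base is the running mean of past failure times. */
static uint64_t fail_delay_us(const struct fail_stats *s, uint64_t max_jitter_us)
{
    return s->avg_us + jitter_us(max_jitter_us);
}

/* Call on every failure path, whatever the reason, before replying. */
static void fail_sleep(const struct fail_stats *s, uint64_t max_jitter_us)
{
    uint64_t d = fail_delay_us(s, max_jitter_us);
    struct timespec ts = { .tv_sec = (time_t)(d / 1000000),
                           .tv_nsec = (long)(d % 1000000) * 1000L };
    nanosleep(&ts, NULL);
}

int main(void)
{
    struct fail_stats st = { 0, 0 };
    const uint64_t samples[] = { 100, 300, 500 };   /* constructed timings */
    for (int i = 0; i < 3; i++) fail_stats_record(&st, samples[i]);
    printf("base=%llu us\n", (unsigned long long)st.avg_us);
    fail_sleep(&st, 200);                           /* sleeps 300..499 us */
    return 0;
}
```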