Delaying responses to failed bind attempts
Configure the PingDirectory server to delay its response to bind requests as a way of rate-limiting online password guessing attacks.
This can be done in two different ways:

- The LDAP connection handler offers a failed-bind-response-delay configuration property. If this is set to a nonzero duration, the server automatically delays the response to any failed bind attempt by the specified length of time. The server does not delay the response to successful bind attempts.
- The password policy offers a failure-lockout-action configuration property that indicates what action should be taken after too many failed authentication attempts; one possible action is delaying the bind response. This is covered in more detail in the Failure lockout section of the discussion on password policies.
The option to delay bind responses in the connection handler was available before the corresponding option in the password policy. However, the latter option is the recommended approach because it also delays the response to the first successful bind following several failed attempts, which makes it more difficult for an attacker to use the delay to identify a failed attempt and to abort early without waiting for the full failure duration. You can also configure the password policy approach to work for non-LDAP clients.
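The following Python model, added here as an illustration and not PingDirectory code, contrasts the two strategies: with the connection-handler delay, only failed binds are slowed, so response time alone reveals whether a guess was correct; with the password-policy action, the first successful bind after the failure threshold is delayed just like a failure would be. The class names and the threshold-and-reset behaviour of the policy variant are assumptions of this model.

```python
# Constructed model of the two bind-delay strategies; not the server's code.
import copy
from dataclasses import dataclass, field


@dataclass
class HandlerDelay:
    """failed-bind-response-delay on the LDAP connection handler:
    every failed bind is delayed, successful binds never are."""
    delay_ms: int

    def bind(self, user: str, success: bool) -> int:
        return 0 if success else self.delay_ms


@dataclass
class PolicyDelay:
    """Password-policy failure-lockout-action that delays bind responses.
    Assumed model: once an account has accumulated `max_failures` failed
    attempts, every bind response for it (failed or successful) is delayed;
    a successful bind then clears the account's failure count."""
    delay_ms: int
    max_failures: int
    failures: dict = field(default_factory=dict)

    def bind(self, user: str, success: bool) -> int:
        count = self.failures.get(user, 0)
        delayed = count >= self.max_failures
        self.failures[user] = 0 if success else count + 1
        return self.delay_ms if delayed else 0


def response_delays(policy, user: str, outcomes: str) -> list:
    """Run a sequence of binds ('F' = wrong password, 'S' = correct) for one
    account and return the delay (ms) the client observes for each response."""
    return [policy.bind(user, o == "S") for o in outcomes]


def timing_reveals_success(policy, user: str, outcomes: str) -> bool:
    """True if, at the successful bind, a wrong password would have produced a
    different delay than the right one, i.e. response time alone tells a client
    whether the guess was correct. Mutates `policy` as the binds are applied."""
    for o in outcomes:
        if o == "S":
            wrong = copy.deepcopy(policy).bind(user, False)  # counterfactual
            right = policy.bind(user, True)
            if wrong != right:
                return True
        else:
            policy.bind(user, False)
    return False


if __name__ == "__main__":
    print(response_delays(HandlerDelay(1000), "alice", "FFFS"))     # [1000, 1000, 1000, 0]
    print(response_delays(PolicyDelay(1000, 3), "alice", "FFFS"))   # [0, 0, 0, 1000]
```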