ProxyPass is an Apache module that defends web sites against members-area attacks and violations. Designed to protect both single servers and load-balanced clusters, ProxyPass is the only enterprise-class solution that helps put an end to brute-force cracking and compromised account abuse. Our customers rely on ProxyPass to prevent the theft of protected content and to maintain rock-solid system stability during resource intensive attacks. And because of its highly optimized architecture and detection algorithms, ProxyPass can dramatically improve your Apache performance, member satisfaction, and total cost of server & content ownership.
Current implementations of basic authentication on Apache webservers (e.g. mod_auth, mod_auth_mysql, mod_authn_[file|dbd]) are vulnerable to brute-force password guessing attacks and compromised account sharing. These vulnerabilities often cause excessive server load when handling high volumes of authentication requests. In addition to the lost income from stolen content and shared passwords, excessive server loads translate into an unresponsive customer experience (i.e. browser lag) and increased system administration and maintenance costs.
Cracking attacks often target common, or known-good, usernames (i.e. dictionary attacks) along with sheer brute-force combinations (e.g. aaa, aab, aac). Modern, automated cracking programs tunnel their username/password guesses through open proxy servers, cracked drone machines at their disposal, or 'friendly', collaborative cracker rings, so that each guess appears to come from a different requesting address. These attacks are especially damaging not only because of their automated, unrelenting nature, but also because the cracker's chance of a successful password breach increases proportionally with the number of unique IPs at their disposal. Simply put, more open proxies, larger cracking peer-to-peer networks, and more drone machines all mean a better chance of success for the password cracker.
Managing legitimate account usage and bandwidth consumption poses additional challenges for the secure-content webmaster beyond that of an actual attack. Consider that a password has been broken in the past, an unscrupulous member has posted to a warez site, or a spyware/virus sniffer has snooped the user/pass combo for an unsuspecting account holder. In all such cases, the $$ lost to stolen content and increased bandwidth consumption can add up quickly. In addition, fly-by-night members who sign up for a secure account, rapidly download all content, and then cancel or charge-back their membership cause further bandwidth spikes and management headaches.
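The two paragraphs above make one point that matters for detection: when guesses arrive through many proxies or drones, counting failures per source IP sees nothing unusual, and when a stolen or shared password is in use, every request is a successful login. A defender therefore keys on the target username rather than the source address. The following script is an added illustration of that idea, not ProxyPass code and not a description of how ProxyPass works. It parses Apache common-log-format lines (Apache records the Basic-auth username in the %u field even for 401 responses, marking it as possibly bogus) and flags usernames that fail from many distinct IPs (distributed cracking) or succeed from many distinct IPs (account sharing). The log lines are constructed for the example, and the thresholds are assumed values a site would tune.

```python
import re
from collections import defaultdict

# Apache common log format: %h %l %u %t "%r" %>s %b
# %u is the Basic-auth username; on a 401 it is whatever the client sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: five guesses at "admin" from five different
# addresses (each address alone looks harmless), one legitimate member,
# one member whose credentials are being used from three addresses, and
# one member who mistyped a password twice from the same address.
SAMPLE_LOG = [
    '203.0.113.10 - admin [10/Oct/2023:13:55:36 +0000] "GET /members/ HTTP/1.1" 401 381',
    '203.0.113.11 - admin [10/Oct/2023:13:55:37 +0000] "GET /members/ HTTP/1.1" 401 381',
    '203.0.113.12 - admin [10/Oct/2023:13:55:38 +0000] "GET /members/ HTTP/1.1" 401 381',
    '203.0.113.13 - admin [10/Oct/2023:13:55:39 +0000] "GET /members/ HTTP/1.1" 401 381',
    '203.0.113.14 - admin [10/Oct/2023:13:55:40 +0000] "GET /members/ HTTP/1.1" 401 381',
    '192.0.2.5 - alice [10/Oct/2023:13:56:01 +0000] "GET /members/index.html HTTP/1.1" 200 2048',
    '198.51.100.1 - bob [10/Oct/2023:13:56:10 +0000] "GET /members/video1.mp4 HTTP/1.1" 200 5242880',
    '198.51.100.2 - bob [10/Oct/2023:13:56:11 +0000] "GET /members/video2.mp4 HTTP/1.1" 200 5242880',
    '198.51.100.3 - bob [10/Oct/2023:13:56:12 +0000] "GET /members/video3.mp4 HTTP/1.1" 200 5242880',
    '192.0.2.9 - carol [10/Oct/2023:13:57:00 +0000] "GET /members/ HTTP/1.1" 401 381',
    '192.0.2.9 - carol [10/Oct/2023:13:57:05 +0000] "GET /members/ HTTP/1.1" 401 381',
    '192.0.2.9 - carol [10/Oct/2023:13:57:09 +0000] "GET /members/ HTTP/1.1" 200 2048',
    '192.0.2.77 - - [10/Oct/2023:13:58:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'this line is not in common log format and is skipped',
]


def parse_line(line):
    """Return a dict with ip/user/time/request/status/size, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, fail_ip_threshold=5, share_ip_threshold=3):
    """Group authentication outcomes by username, not by source address.

    fail_ip_threshold / share_ip_threshold are assumed tuning values:
    how many distinct source IPs per username count as suspicious.
    """
    failed = defaultdict(set)  # username -> distinct IPs that got a 401
    served = defaultdict(set)  # username -> distinct IPs that got a 200
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":
            continue  # malformed line, or no credentials presented
        if rec["status"] == 401:
            failed[rec["user"]].add(rec["ip"])
        elif rec["status"] == 200:
            served[rec["user"]].add(rec["ip"])
    cracking = sorted(u for u, ips in failed.items() if len(ips) >= fail_ip_threshold)
    sharing = sorted(u for u, ips in served.items() if len(ips) >= share_ip_threshold)
    return {"cracking": cracking, "sharing": sharing}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("usernames under distributed guessing:", report["cracking"])
    print("usernames served from many addresses:", report["sharing"])
```

Run against the sample, "admin" is reported as a cracking target even though no single address made more than one attempt, and "bob" is reported for sharing while "carol", who simply mistyped twice from one address, is not. A production version would add a time window and a per-username failure count on top of the distinct-address count, but the grouping key is the part that a per-IP limiter gets wrong.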
While theoretically better, more advanced authentication/authorization schemes (e.g. multifactor, hardware tokens) are constrained by practical migration difficulties: merchant and billing processors have large existing populations, webmasters are familiar with and already using basic authentication, infrastructure providers (i.e. hosting companies, software vendors) have standardized, personal privacy concerns play a role, etc. Application-level schemes that use HTML login forms or sessions -- INCLUDING those that prompt for additional credentials or captcha codes -- are still vulnerable to brute force attacks. More advanced encryption schemes can impose additional CPU/bandwidth requirements, requirements some high-volume websites may find constraining. And advanced authentication mechanisms still cannot address legitimate account sharing or bandwidth violations.
ProxyPass is a time-tested solution that helps stop brute-force cracking attacks, password sharing, and bandwidth usage violations without costly changes to your existing authentication framework. Please read more to learn about the ProxyPass solution.