Pennywize is a complete system that will protect your valuable website from a range of abuses:
Password Traders - It is a reality that many members accounts are unfortunatly fradulently obtained and spread around on "password sharing" websites. This enables hundreds (or thousands) of users to log into your members area at the same time, from all over the world. Pennywize uses a number of methods to determine if an account has been compromised.
Concurrent Logins - Pennywize employs an algorithm to ensure that only one person can be logged in under an account at once. This stops multiple people all sharing the same account.
Dictionary Attacks - Hackers who are trying to get into your website will commonly try a list of thousands of statistically commonly used username and password combinations (for example bill : gates ). Pennywize monitors failed login attempts and will block IP addresses which repeatedly fail
Brute Force Attacks - Once a hacker has exhausted the dictionary attack, they will try a brute force attack which is a massive attack which involves simply trying hundreds and thousands of sequential password combinations. Pennywize once again detects these multiple failures and blocks them.
Content Leeching - Some valid members may abuse your website by using download managers to start multiple concurrent downloads of your content, thereby draining your websites resources and bandwidth. You can configure Pennywize to stop a member once they have reached a daily download limit.
Account Sharing - Similar to password trading, accounts may be shared between a small number of members. Pennywize employs geo-ip tracking to determine if logins are occuring from different countries, and can disable an account if a limit is reached.
In addition Pennywize provides an excellent audit trail of your members usage, and provides :
- complete details about all your members logins (dates, times, IP addresses)
- a complete statistical history of how much they downloaded
- whether their account was bocked, and why
- NEW a list of files your members downloaded, the time it took and the average download speed.
How does Pennywize stop these attacks?
Pennywize uses a number of technologies to stop attacks on your website.
Subnet Thresholds - If too many member logins are recorded from different subnets (a broader version of the IP address which generally represents the ISP or Network the member belongs to) the account is disabled
Countries Threshold - If too many logins are occuring from different countries, the account is disabled
Sessions Threshold - If an account is generating too many excessive session requests (a symptom of password sharing), the account is disabled
CAPTCHA - Captcha's are those "type the word you see in the graphic" type challenges which attempt to distinguish humans from computers. By turning on the CAPTCHA feature, the ability for hackers to deploy brute force and dictionary attacks on your sites are greatly diminshed.
Download Limits - simple per-day download limits can stop users leeching all of your content.
Sessions - Pennywize employs session based logins (cookies required) whch stops two or more people logging in under the same account at once.
Last Updated: Tuesday, June 16th 2009