User authentication mechanisms such as SRP already resist brute force attacks in the sense that an attacker who captures the exchange cannot recover the password offline; every guess must be submitted to the server as a login attempt. However, an online brute force attack in which the attacker cycles through many candidate passwords will always succeed given a long enough period in which to sustain it. It is thus important that attackers are given only limited windows of opportunity in which to conduct such an attack.
At present, it appears that Firebird allows a user an unlimited number of failed login attempts, without reporting a possible brute force attack. The only mitigation to brute force attacks appears to be an eight second delay inserted after every fourth failed login (see src/remote/server/server.cpp in the Firebird source tree). That still allows an attacker to cycle through 60/8 * 4 * 60 * 24 = 43200 failed logins per day (four attempts per eight second delay, ignoring network round trip time). That is, after only four days or so an attacker could cycle through all 171,476 words in the Oxford English Dictionary.
Given that Firebird does not enforce any rules for password selection, that users tend to select common passwords, that dictionaries of commonly used passwords are readily available, and that no alert is sent to a DBA to warn of an attack, it will probably take only a few days to break a Firebird user's password, without anyone being aware that this has happened.
There is a need both to log failed login attempts, so that a System Administrator is aware of a possible attack, and to rate limit login attempts in order to frustrate the attacker.
has reported the need to record failed login attempts in a suitable log file.
Firebird should also implement some form of rate limiting to restrict the rate of failed login attempts for a given user. This might be done by:
* Inserting a delay between receiving a failed login request and reporting the failure to the client.
* Increasing that delay exponentially with each successive failed login for a given user, so that the n-th consecutive failure is reported only after a correspondingly longer wait.
* Limiting the total number of failed login attempts for each user from a given remote system during a given period to a configurable number.
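The following is an added example of how the three options above could be combined in one throttle; it is illustrative code written for this ticket, not Firebird's own, and the class and function names, the configuration values and the sample user name and host address are all assumptions. It keys the exponential delay on the user name (so the backoff follows the account) and the failure budget on the (user, remote host) pair over a sliding window, and it takes the current time as a parameter so that the behaviour can be simulated without a real clock.

```cpp
// Added example, not Firebird's code: a login-attempt throttle combining a
// held delay, exponential backoff per user, and a per-(user, host) failure
// budget over a sliding window. Names and config values are assumptions.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <map>
#include <string>
#include <utility>

struct ThrottleConfig {
    int64_t baseDelaySec = 1;       // delay held before reporting the first failure
    int64_t maxDelaySec = 64;       // cap on the exponential backoff
    int64_t windowSec = 600;        // sliding window for the per-(user, host) budget
    int maxFailuresPerWindow = 10;  // failures allowed per (user, host) per window
};

class LoginThrottle {
public:
    explicit LoginThrottle(const ThrottleConfig& cfg) : cfg_(cfg) {}

    // Call before verifying the password. Returns false when this (user, host)
    // pair has used up its failure budget for the current window; the server
    // should then refuse the attempt without evaluating the credentials.
    bool attemptAllowed(const std::string& user, const std::string& host, int64_t now) {
        std::deque<int64_t>& failures = windows_[std::make_pair(user, host)];
        pruneWindow(failures, now);
        return static_cast<int>(failures.size()) < cfg_.maxFailuresPerWindow;
    }

    // Call after a failed password check. Records the failure and returns how
    // many seconds the server should wait before reporting the failure to the
    // client: baseDelay * 2^(n-1) for the user's n-th consecutive failure,
    // capped at maxDelay. Keyed on the user name, so the backoff follows the
    // account regardless of which host the attempts come from.
    int64_t onFailure(const std::string& user, const std::string& host, int64_t now) {
        windows_[std::make_pair(user, host)].push_back(now);
        int consecutive = ++consecutiveFailures_[user];
        int64_t delay = cfg_.baseDelaySec;
        for (int i = 1; i < consecutive && delay < cfg_.maxDelaySec; ++i)
            delay *= 2;  // doubling stops once the cap is reached
        return std::min(delay, cfg_.maxDelaySec);
    }

    // Call after a successful login: resets the user's backoff. The per-host
    // window is deliberately kept, so a lucky guess does not refill the budget.
    void onSuccess(const std::string& user) { consecutiveFailures_.erase(user); }

private:
    // Drop failures that are older than the window.
    void pruneWindow(std::deque<int64_t>& failures, int64_t now) const {
        while (!failures.empty() && failures.front() <= now - cfg_.windowSec)
            failures.pop_front();
    }

    ThrottleConfig cfg_;
    std::map<std::string, int> consecutiveFailures_;
    std::map<std::pair<std::string, std::string>, std::deque<int64_t>> windows_;
};

// Simulates a single attacker guessing one account from one host, honouring
// the held delays and retrying once a second whenever the budget refuses it,
// and returns how many guesses the server actually evaluated in durationSec.
int guessesEvaluated(int64_t durationSec, const ThrottleConfig& cfg = ThrottleConfig()) {
    LoginThrottle throttle(cfg);
    const std::string user = "SYSDBA";   // constructed sample account
    const std::string host = "10.0.0.5"; // constructed sample attacker address
    int64_t now = 0;
    int evaluated = 0;
    while (now < durationSec) {
        if (throttle.attemptAllowed(user, host, now)) {
            ++evaluated;
            now += throttle.onFailure(user, host, now);  // server holds the reply
        } else {
            now += 1;  // refused outright; attacker tries again a second later
        }
    }
    return evaluated;
}

int main() {
    std::printf("guesses evaluated in one day: %d\n", guessesEvaluated(24 * 60 * 60));
    return 0;
}
```

With the assumed defaults the simulated attacker gets ten guesses in the first ten minutes and 1,351 in a day, against the 43,200 that the current fixed delay permits. Two caveats apply to any real implementation: the held delay only slows the connection it is applied to, so the server must also bound concurrent attempts per account or the per-(user, host) budget becomes the only effective limit; and because the backoff is keyed on the user name, it is capped rather than turned into a lockout, so that an attacker cannot use it to deny service to a legitimate user.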