Reply to post:

Great Western Railway warns of great Western password reuse: Brits told to reset logins

Keith Langmead

What do you propose should trigger the alarm bells? A failed login? Pointless as there will be many legit failed logins, so the attack would be lost within the noise. Multiple failed logins? If they’ve a list of email addresses and passwords to try, they may only be making one attempt with each email address so that wouldn’t trigger. Multiple failed logins from a single IP? I imagine something like this is done through a botnet, so there will be many IPs. Plus, the bad guys know full well too many failures within x minutes will trigger alarms, so they keep their attempts slower to stay under the radar.

Also keep in mind, anything you do to detect and stop this kind of thing has to be balanced against not screwing over your own customers. It’s certainly not impossible to protect yourself from these things to a certain extent, but I think to suggest it’s simple is naïve.
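
The three triggers weighed in the comment above, run over a small constructed login log. This is an added example and not part of the original comment; the event data, the threshold of 3 failures and the 300-second window are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events: (seconds, source_ip, account, success)
def build_events():
    events = []
    # One customer mistyping a password three times, then getting in.
    for t in (10, 25, 40):
        events.append((t, "198.51.100.7", "alice@example.com", False))
    events.append((55, "198.51.100.7", "alice@example.com", True))
    # Reused-credential attempts: one try per account, each from a
    # different address, spaced 10 minutes apart.
    for i in range(20):
        events.append((600 * (i + 1), f"203.0.113.{i + 1}",
                       f"user{i}@example.com", False))
    return sorted(events)

def any_failure(events):
    """Rule 1: alert on every failed login."""
    return [e for e in events if not e[3]]

def windowed(events, key_index, limit, window):
    """Rules 2 and 3: alert when one key (account or IP) reaches `limit`
    failures inside `window` seconds. Returns the set of keys flagged."""
    recent = defaultdict(list)
    flagged = set()
    for t, ip, account, ok in events:
        if ok:
            continue
        key = (t, ip, account)[key_index]
        recent[key] = [x for x in recent[key] if t - x < window] + [t]
        if len(recent[key]) >= limit:
            flagged.add(key)
    return flagged

def run_rules(limit=3, window=300):
    events = build_events()
    return {
        "any_failure": len(any_failure(events)),             # alert count
        "per_account": windowed(events, 2, limit, window),   # accounts flagged
        "per_ip": windowed(events, 1, limit, window),        # addresses flagged
    }

if __name__ == "__main__":
    for rule, result in run_rules().items():
        print(rule, result)
```

On this log the first rule raises an alert for every failure, while the per-account and per-IP rules flag only the customer who mistyped their own password.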
