How to Avoid Brute Force Attacks
Imagine burglars slipping into your home undetected while you sleep, with no alarm system alerting you to the fact that someone has just trespassed into your private protected space, intent on stealing as many of your prized possessions as possible. Now, imagine such an attack in the virtual environment of your computer network, where all your stored sensitive financial passwords and documents reside, and what you have is the 21st Century version of a home invasion known as a brute force attack (BFA).
Goal of BFAs
While a BFA is one of the most common attacks against web applications, it’s also one that can wreak considerable havoc on your business network. It involves gaining access to user accounts by repeatedly taking a stab at a user’s password, one at a time or in a group. If the web application doesn’t have any protections in place against this type of attack, it’s possible for automated tools to submit thousands of password attempts within seconds or less, making it easy for an attacker to beat a password-based authentication system.
How BFAs are Executed
There are myriad approaches to cracking passwords. If the length of the password is known, every single combination of numbers, letters and symbols can be tried until a successful match is found. This can be a tedious process, especially as the length of the password increases (which is why long passwords are preferable to short ones). The alternative is to use a list of common words, also known as a dictionary attack. A dictionary attack will typically try all English words, with the option of adding numbers or doubling up the word as the potential password. This has far fewer combinations, but still has a high probability of finding the correct password.
Rather than trying many passwords against one user, another BFA method is to try one password against many usernames. This is known as a reverse brute force attack (RBFA). This technique is where most account lockout policies fail. RBFAs are less common since it’s often difficult for the attacker to compile a sufficiently large volume of usernames for the reverse attack.
There are a number of techniques for preventing BFAs. The first is to implement an account lockout policy. For example, after three failed login attempts, the account is locked out until an administrator unlocks it. The disadvantage of this method is that multiple accounts can be locked out by one malicious user, causing a denial of service for the victims and lots of work for the administrator.
A better, albeit more complicated, technique is what’s known as progressive delays. With progressive delays, user accounts are locked out for a set period of time after a few failed login attempts. The lockout time increases with each subsequent failed attempt. This prevents automated tools from performing a BFA and effectively makes it impractical to perform such an attack.
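A minimal progressive-delay lockout of the kind described above, written as an added example for this article and not taken from any particular product; the three-failure threshold, the doubling schedule, the cap and the `verify` callback are assumptions:

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed logins
    locked_until: float = 0.0  # monotonic deadline; 0.0 means not locked


class ProgressiveLockout:
    """Progressive delays (added example, hypothetical design): the
    `threshold`-th consecutive failure locks the account for `base_delay`
    seconds; each further failure doubles that, capped at `max_delay`."""
    def __init__(self, threshold=3, base_delay=30.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.threshold, self.base_delay, self.max_delay = threshold, base_delay, max_delay
        self.clock = clock      # injectable so tests can advance time
        self.accounts = {}      # username -> AccountState

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def seconds_remaining(self, user):
        """Seconds until the account may be tried again (0.0 if unlocked)."""
        return max(0.0, self._state(user).locked_until - self.clock())

    def record_failure(self, user):
        """Count a failed attempt; return the lockout applied, in seconds."""
        st = self._state(user)
        st.failures += 1
        if st.failures < self.threshold:
            return 0.0
        delay = min(self.base_delay * 2 ** (st.failures - self.threshold),
                    self.max_delay)
        st.locked_until = self.clock() + delay
        return delay

    def record_success(self, user):
        self.accounts.pop(user, None)   # a good login clears the counter

    def attempt(self, user, password, verify):
        """Gate a login; returns (ok, lockout_seconds). `verify` checks the
        credential and is skipped while locked, so guesses cannot be tested."""
        remaining = self.seconds_remaining(user)
        if remaining > 0:
            return False, remaining
        if verify(user, password):
            self.record_success(user)
            return True, 0.0
        return False, self.record_failure(user)
```

Because the counter is kept per account, this does nothing against the reverse attack described earlier, where one password is tried against many usernames; that case needs a separate check on the overall rate of failures.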
Another technique is to use a challenge-response test to prevent automated submissions of the login page. Tools such as the free reCAPTCHA can be used to require the user to enter a word or solve a simple math problem to ensure the user isn’t a robot. This technique is effective, but has accessibility concerns and affects usability of the site.
The Best Defense is a Strong Offense
Initially, it may appear useful to use a tool that automatically reads web logs and alerts an administrator if multiple attempts come from one IP address. However, it’s fairly simple for an attacker to use a variety of tools to automatically and regularly change his or her IP address.
Any web application should enforce the use of strong passwords. At a minimum, requiring users to choose passwords of eight letters or more with a degree of complexity (letters and numbers, or requiring one special character) is an excellent defense against BFAs, especially when combined with the other techniques discussed in this article.
To guard against BFAs, it’s important that your managed services provider be proactive and that its web application employs some or all of the preventative measures mentioned above. By implementing these techniques and creating a defensive force field around your network, you can rest assured that the most effective measures are in place, thus creating a robust environment of protection against this commonly invasive type of attack.