16

I had a problem presented today which I found quite interesting.

You have an application with a management panel. You know some of the accounts as they are standard. You want two things:

  • You want to prevent bruteforce attacks
  • You want to prevent a denial of service

At the moment, the user accounts were locked after 5 tries. Meaning you had to reset the password through email. This mitigates the chance of a successful bruteforce attack.

On the other hand the risk is that because there are some default accounts, that someone intentionally keeps sending bad passwords to keep disabling the accounts. This would result in a kind of denial of service for the administrative accounts.

My solution was to make the management panel only accessible through a VPN. So you would first need access to the VPN before you would be able to attempt a login into the panel.

But what if this is not an option, what can you do? (apart from continuously blocking IP's that perform bruteforce attacks)

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196
  • whitelist the admin's IPs? – schroeder Dec 19 '12 at 21:52
  • 1
    That wasn't really feasible because they might connect from home, where they don't have a static IP. – Lucas Kauffman Dec 20 '12 at 05:41
  • Nobody really spoke to the DDOS bullet, but there's a website that explains some common-sense measures [here](http://www.techrepublic.com/blog/security/ddos-attack-methods-and-how-to-prevent-or-mitigate-them/8523). – Dave Dec 20 '12 at 07:21
  • 1
    @user1440122 DDOS is pretty much a network-level attack, and there are other questions here. This question is only about account-DoS. – AviD Dec 20 '12 at 10:00

8 Answers8

12

For a simple solution I would say to implement an exponentially increasing delay per user per IP address.

Required delay between attempts 1 and 2 from IP a.b.c.d for user x: 1 seconds

...attempts 2 and 3: 2 seconds

...attempts 3 and 4: 4 seconds

...

...attempts 7 and 8: 1 minute 4 seconds

That way an adversary can't DoS access from an IP address or an individual user and you've pretty effectively mitigated brute force because the delay rapidly becomes unreasonable. Even if they have access to a large number of IP addresses, there likely wouldn't be enough to brute force the password keyspace, just some dictionary words.

This would allow for brute-forcing users with the same password, but if you're seeing that number of failed requests you should probably flag it anyway (in that a user with multiple bad attempts is probably not uncommon, but multiple users with bad attempts from the same IP address in rapid succession would be suspicious).

pdubs
  • 1,103
  • 6
  • 12
  • You can effectively DoS the account the same way. I love the increasing time out, but for static admin accounts, you can run in to the same problems as when you lock out the account. – schroeder Dec 19 '12 at 21:52
  • 1
    How would that DoS the account? It would have a long timeout from the malicious IP, but the real user would have a different IP or could switch to a different known-good IP. – pdubs Dec 19 '12 at 21:54
  • I misread your config - you require that the IP and user be logged in conjunction in order to increase the delay, which would not affect the real admin's login attempts. – schroeder Dec 19 '12 at 21:57
  • 3
    Less of a "timeout" than a "cooldown". I like this as well. You can consider making the cooldown internal; after 3 attempts, just don't actually check the login that was tried until the cooldown expires; immediately return saying "Too many attempts; you can try again in X seconds". This has the added advantage of fooling a naive crackbot, who would, seeing that they didn't get in, assume the password was bad and try another. That makes the number of passwords genuinely checked logarithmic to the number tried; the chance of success becomes extremely low. – KeithS Dec 19 '12 at 22:09
7

The correct way to do this is to use a rate limit per IP, and introduce a CAPTCHA on login for user accounts that have had a large number of invalid login attempts. The CAPTCHA doesn't need to be particularly strong, as it's mainly there to prevent non-targeted drive-by attacks. One of the benefits of this method is that it prevents both single-user many-password attacks and multi-user single-password attacks, without causing the DoS condition.

However, I would advise against indefinitely increasing timeouts. If an attacker is on the same network as the user, they may have the same publicly-facing IP address, allowing them to essentially time the user out forever by constantly sending bad login requests. This may be a rather obscure case for the large part, but consider university and school networks. Instead, the rate limiting would impose no delay on the first 2 failed attempts, 5 seconds on the 3rd attempt, 15 seconds on the 3rd, and 30s for all subsequent attempts.

One interesting case is a many-user single-password attack from a large number of source IPs, e.g. over Tor. This would likely defeat most of these mechanisms. One of the best ways I've seen to prevent such an attack scenario is to monitor the global failed login rate, and introduce site-wide rate limiting and CAPTCHAs when a large scale attack is detected.

For fixed admin accounts, it may well be worth having a separate login screen. This can be much more tightly monitored and controlled, and allows you to avoid problems with most drive-by attempts.

Another useful mechanism for increasing the cost of password guessing attempts is a client side proof-of-work function. I've seen these in use on a few sites, and I think they're pretty neat. Essentially the server sends a challenge value c, and the client must compute a salt value s such that the first n bits of sha1(c || s) are zero. The value of n can be tweaked in the same way an iteration count can be tweaked in a key-derivation algorithm. The client must compute a value of s (via brute force) that meets the criteria, and send it back to the server. The server can then trivially and inexpensively verify that s is correct. Implementation of this on the client side would normally be done in JavaScript. For legitimate users, this should pose no more than a one second delay on login, but for attackers who use their own systems to attempt thousands of passwords it increases the cost in terms of time and power consumption. Furthermore, in cases where a botnet or other malware is used as a platform for these password attempts, high CPU usage is more likely to alert the user to something being wrong with their machine.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • I disagree with almost every point here (I have no opinion on the proof-of-work, I've yet to analyze that, or see a thourough analysis, but it sounds interesting) - especially the CAPTCHA and rate-per-IP, for the reasons explained above - and yet I upvoted anyway, for the rational analysis on the drawbacks of those solutions. – AviD Dec 20 '12 at 10:07
6

For admin accounts, you were right, requiring a VPN is the right direction.
Better yet, require multi-factor authentication for admin users.

These are always good ideas.

That said, if for whatever reason it is not feasible, and you are stuck with regular public password logins, all is not lost.

Assuming your admin accounts are all subject to a strong password policy, direct brute force will take many, many, many, many, many tries. Attempting to brute force the password through your login form, over the internet, will take a very, very, very, very, very long time - and this will only be feasible if it is possible to run many login attempts in parallel, using many computers.
The key element here is speed.

So, the solution is to slow down the repeated login attempts, without actually stopping the real user (who is trying to login with the same account at the same time as the bruteforce is going on).
No, don't even think of trying CAPTCHA - while these do have some tiny effect, it is nowhere near enough to slow down the stream of attacks, by an order of magnitude (best bet is probably around 20% - not slow enough).

A much more effective (and simpler) solution, is rate limiting.
I.e. no more than 5 login attempts in a minute. Or 50. Or even 500.
This can also be seen as an automatically released lockout mechanism, with a very short time delay.
The math is still in your favor - you can cap it at any rate you want depending on your expected threats), and you can still leave leeway for the genuine user to login.

After several lockouts, you may want to implement longer lockouts per IP - but be careful with that approach, since IP addresses do not usually align with a specific user (either by shared IP, roaming IP, etc). So use that, if you must, but gently.

In addition, make sure you alert an administrator, after several lockouts, allowing further manual response.

AviD
  • 72,138
  • 22
  • 136
  • 218
  • 1
    I do not get why a CAPTCHA has that little effect? Since a good CAPTCHA enforces through the requirement of a human, the login rate to something about one login per second per human..? – Angelo.Hannes Dec 20 '12 at 08:42
  • @Angelo.Hannes see my comment on [Everret's answer](http://security.stackexchange.com/questions/25667/bruteforce-vs-denial-of-service/25673#comment42031_25670), with links to full explanation. In short, even assuming the CAPTCHA does its job properly (that's more of a stretch of the imagination than a validated assumption) - it tries to enforce a human, not anything about the login rate (e.g. what about 1000 humans?). Besides, it is pretty trivial to break CAPTCHA, depending on how much resources you want to invest. Read those links. – AviD Dec 20 '12 at 10:03
5

Might I suggest a low tech solution? Don't have default accounts. Removing root and administrator on linux/windows is the first thing I do. I can't speak towards an unknown management panel, but this could be an option.

2

Continuously blocking IPs that perform bruteforce attacks is a perfectly good way to go about it. If your application logs the failed attempts into some standard location such as syslog, you can easily write a jail for fail2ban to automatically block offending IPs after a number of authentication failures.

mricon
  • 6,238
  • 22
  • 27
1

Those picture questions. You know, what word is in this picture... After failed attempt 3 you have to answer what word is in the picture to push your attempt to login through. This way you don't actually lock out the account, but you prevent an automated system from continuing to function by changing the input request.

If you're worried it can be OCR'd ask a question that has multiple answers with a bubble fill in (radio button) i.e. Make it a question a human would know, but no machine would know.

Which of the following rhyme with orange?

A) Washington B) Nothing C) Sasquatch etc...

Even combine them.

Last, use multi factor authentication. I log in to my StarCraft account (geek value just went up) using an iOS app to give me a token.

Everett
  • 1,506
  • 1
  • 12
  • 20
  • 2
    'CAPTCHA' is the word you are looking for. – schroeder Dec 19 '12 at 21:50
  • 1
    ... and CAPTCHA's have been empirically and categorically been proven to be broken and not solve the right problem. – AviD Dec 19 '12 at 22:00
  • @AviD - I did mention a modification... – Everett Dec 19 '12 at 22:33
  • @schroeder - Thanks, don't know why I was at a loss for words there... – Everett Dec 19 '12 at 22:34
  • No, that's still a form of CAPTCHA (or rather, an attempt at one). – AviD Dec 19 '12 at 22:35
  • @AviD - Not trying to be a pain, but is there any chance you could connect me with the proof of captcha being broken? I heard of theoretical possibilities, but didn't know there was a proof yet. Not calling you out, just the people I work with expect references. – Everett Dec 19 '12 at 22:37
  • Here are two of my answers on this site with explanations (and they link to others): [How does CAPTCHA mitigate DDoS attacks?](http://security.stackexchange.com/a/22930/33) and [Anyone using Asirra in production? Are there similar alternatives?](http://security.stackexchange.com/a/790/33) – AviD Dec 19 '12 at 22:41
1

A few things come to mind.

1) Don't use default administrative user names... ever. There is no reason for it. While security by obscurity isn't really secure, leaving your administrative usernames obvious is still making life easier for an attacker. If they don't know the admin username, they can't try to keep it locked.

2) Automatically authenticate the session from the e-mail to reset password/allow access. This allows an alternate approach to getting in without having to worry about the lockout. It is more tedious as it requires getting an e-mail to allow you in, but it works. Once in, changing the username again will effectively stop the attack.

3) IP Whitelist - this should always be an option, you could have it be whitelisted for a limited time if you wanted and could do it similarly to how #2 works, where the whitelist would be added when the e-mail link is clicked.

4) VPN as you mentioned will work, it's similar in principal to whitelisting an IP but would allow for dynamic IPs for a legit client. Depending on the context it might be kind of overkill since changing a username is still the easiest way to get around this kind of a DoS attack.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
0

You don't block a user only by his username, you block him by username+IP. This way the legitimate user won't be blocked. On the other hand, dos bot will have to switch IP and eventually whole bot farm IP range will be blocked.

cen
  • 275
  • 1
  • 3
  • 8