4

While I realize that servers can easily detect brute forcing strategies via a single IP, it seems that servers would be vulnerable to a distributed attack from a botnet, with each computer attempting a small portion of the password list at low frequency.

Is there an easily identified signature to these sorts of attacks?

MrSynAckSter
    You mean lots of attempts to one specific login, or to combinations of login/password? – woliveirajr Sep 11 '13 at 17:47
  • 1
    I would like to know about both, but I specifically meant login/pass combos, as I imagine this to be harder to detect. – MrSynAckSter Sep 11 '13 at 17:49
  • sorry, what I meant was against only one login, or against many different logins (even ones that don't exist)? But I already answered, I think – woliveirajr Sep 11 '13 at 17:55

2 Answers

6

Low frequency against a specific login:

Monitor so that after x attempts over a specific login, one can only try it after x seconds / minutes.

Low frequency against a specific login, using CAPTCHA:

After x trials, begin to ask for a CAPTCHA, perhaps slow it down after x tries.

Just notice that slowing down attempts by using delays is almost equivalent to enabling a DoS attack against that login. If someone tries to access your account, and fails, it'll end up adding a delay to your attempts, and you, the correct user, might get bored.

Low frequency against multiple logins:

If the overall load of your server increased, in a very detectable way, add CAPTCHAs. If it didn't, your only alternative will be detecting how many failed attempts you have on your site, and again you will have to use CAPTCHA. Or add a small delay for all your logins, and that won't do any good to real users...

e-sushi
woliveirajr
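The three controls in this answer (lock a login for a growing delay after x failures, demand a CAPTCHA after x failures, and fall back to the site-wide failed-login rate when attempts are spread thinly across many logins) as one throttle class. This is an added example, not code from the answer or from any real product; the class name, method names, thresholds and the timestamps in the demo scenario are all assumptions, and the demo events are constructed.

```python
"""Added example (not from the answer above or any real product): a login
throttle that combines the three controls described in the answer.

- per-login counter: after `captcha_after` failures a CAPTCHA is required;
- per-login delay: after `delay_after` failures the login is locked for a
  delay that doubles with each further failure, capped at `max_delay`;
- site-wide failure-rate window: when failures spread across many logins
  exceed `global_limit` inside `global_window` seconds, every login gets a
  CAPTCHA, which is the only signal left when each login sees few attempts.

All class/method names and thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    captcha_after: int = 3        # failures on one login before a CAPTCHA is demanded
    delay_after: int = 5          # failures on one login before a lockout delay starts
    base_delay: float = 2.0       # seconds; doubles with every failure past delay_after
    max_delay: float = 300.0      # cap so nobody can lock a user out indefinitely
    global_window: float = 60.0   # seconds of history kept for the site-wide rate
    global_limit: int = 100       # failures inside the window that trigger site-wide CAPTCHA
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_until: dict = field(default_factory=dict)
    recent_failures: deque = field(default_factory=deque)  # failure timestamps, any login

    def _prune(self, now: float) -> None:
        # Drop failures that have aged out of the site-wide window.
        while self.recent_failures and self.recent_failures[0] <= now - self.global_window:
            self.recent_failures.popleft()

    def check(self, login: str, now: float) -> dict:
        """Decide, before the password is verified, how an attempt on `login` is treated."""
        self._prune(now)
        until = self.locked_until.get(login, 0.0)
        if now < until:
            # Still inside the lockout delay. This is the DoS trade-off the answer
            # mentions: the delay is keyed on the login, so the real owner waits
            # too while someone else keeps failing against their account.
            return {"allow": False, "captcha": True, "retry_after": until - now}
        site_wide = len(self.recent_failures) >= self.global_limit
        need_captcha = self.failures[login] >= self.captcha_after or site_wide
        return {"allow": True, "captcha": need_captcha, "retry_after": 0.0}

    def record(self, login: str, success: bool, now: float) -> None:
        """Update state after the password check has run."""
        if success:
            self.failures.pop(login, None)
            self.locked_until.pop(login, None)
            return
        self.failures[login] += 1
        self.recent_failures.append(now)
        n = self.failures[login]
        if n >= self.delay_after:
            delay = min(self.base_delay * 2 ** (n - self.delay_after), self.max_delay)
            self.locked_until[login] = now + delay


def demo() -> dict:
    """Constructed scenario: five failures on one login, then a distributed run."""
    t = LoginThrottle()
    out = {}
    for i in range(5):
        t.record("alice", success=False, now=float(i))
    out["alice_after_5"] = t.check("alice", now=5.0)        # locked, 1 s left
    out["alice_after_6"] = t.check("alice", now=6.0)        # allowed again, with CAPTCHA
    for i in range(100):                                    # 100 logins, one failure each
        t.record(f"user{i}", success=False, now=10.0)
    out["bob_during_burst"] = t.check("bob", now=20.0)      # clean login, still gets CAPTCHA
    out["bob_after_burst"] = t.check("bob", now=80.0)       # window has expired
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The site-wide window is what catches the botnet case from the question: each `user{i}` fails only once, so no per-login rule fires, but the pooled failure count crosses `global_limit` and `bob` is asked for a CAPTCHA even with a clean history.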
0

There are some standard techniques to help with anti-brute-forcing - such as extending the delay between the server detecting a failed login attempt and presenting the failure message to the end user, and gradually making this delay longer if there is a period of high failure rate (and resetting the delay following a period of low failure rate of course).

In addition, one thing to look at might be patterns in the passwords being presented in failed logins. Brute forcing often does not choose random passwords, but auto-generates passwords from an algorithm that you may be able to predict or spot. Obviously, it'd be too convenient if you saw a pattern in failed logins with passwords of the pattern 'a', 'aa', 'ab', 'aab'..'aardvark'...'beast'.. and so on, or even following one of the many 'top 500 passwords not to use' lists that are easily available online, but there may be a discernible pattern anyway.

You could extend this to multiple usernames as well as just looking at one.

You may need to make a 'fuzzy' judgement.

David Scholefield
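The "fuzzy judgement" over guess patterns that this answer suggests, pooled across many usernames and source addresses so a distributed, low-rate run still leaves a signature. This is an added example, not the answer's own code: the weak-password list is a constructed stand-in for a real "top N" list, the two scenarios are constructed events, and the function names and thresholds are assumptions. Guesses are compared only in memory on the authentication path and only hashed against the list, so no plaintext guess needs to be written to a log.

```python
"""Added example (not from the answer above): a "fuzzy" scorer for a window
of failed logins that looks for the generator-like guess patterns the
answer describes, pooled across many logins and source addresses.

Two signals are combined:
- weak_fraction: share of guesses whose digest matches a known weak-password list;
- ascending_fraction: share of consecutive guesses (site-wide, by time) that
  are lexicographically increasing, as a dictionary or an 'a', 'aa', 'ab' ...
  generator walked in order would produce.

The weak list, the events and all thresholds are constructed for this
example. Guesses live only transiently in memory on the auth path; only
digests and the derived fractions should ever be persisted.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a real "top N passwords" list.
WEAK_LIST = {"123456", "password", "qwerty", "letmein", "welcome"}
WEAK_DIGESTS = {hashlib.sha256(p.encode()).hexdigest() for p in WEAK_LIST}


@dataclass(frozen=True)
class FailedAttempt:
    ts: float      # seconds
    src: str       # source address
    login: str     # username tried (may not even exist)
    guess: str     # the password presented; kept transiently, never logged


def score_window(attempts: list, min_attempts: int = 20,
                 weak_threshold: float = 0.5,
                 ascending_threshold: float = 0.8) -> dict:
    """Pool a time window of failures and return the two fractions plus a verdict."""
    ordered = sorted(attempts, key=lambda a: a.ts)
    n = len(ordered)
    if n == 0:
        return {"attempts": 0, "sources": 0, "logins": 0,
                "weak_fraction": 0.0, "ascending_fraction": 0.0, "verdict": False}
    weak = sum(hashlib.sha256(a.guess.encode()).hexdigest() in WEAK_DIGESTS
               for a in ordered) / n
    # Consecutive guesses across the whole site, regardless of source or login.
    ascending = sum(ordered[i].guess < ordered[i + 1].guess
                    for i in range(n - 1)) / max(1, n - 1)
    # A small sample is never judged: a few typos can look ordered by chance.
    verdict = n >= min_attempts and (weak >= weak_threshold or ascending >= ascending_threshold)
    return {
        "attempts": n,
        "sources": len({a.src for a in ordered}),
        "logins": len({a.login for a in ordered}),
        "weak_fraction": weak,
        "ascending_fraction": ascending,
        "verdict": verdict,
    }


def generator_scenario() -> list:
    """Constructed: 24 guesses from an 'a', 'aa', 'ab', ... generator, spread
    over 12 source addresses and 6 logins, one attempt per minute."""
    guesses = ["a"] + ["a" + chr(c) for c in range(ord("a"), ord("a") + 23)]
    return [FailedAttempt(ts=60.0 * i, src=f"198.51.100.{i % 12}",
                          login=f"user{i % 6}", guess=g)
            for i, g in enumerate(guesses)]


def benign_scenario() -> list:
    """Constructed: a handful of real users mistyping unrelated passwords."""
    typos = ["Tr0ub4dor", "correct horse", "Summer2013!", "hunter22", "zebra9", "Monday1"]
    return [FailedAttempt(ts=60.0 * i, src=f"203.0.113.{i}", login=f"user{i}", guess=g)
            for i, g in enumerate(typos)]


if __name__ == "__main__":
    print(score_window(generator_scenario()))
    print(score_window(benign_scenario()))
```

In the generator scenario every source makes only two attempts and every login sees only four, so no per-IP or per-login rule would fire; it is the pooled ordering of the guesses (`ascending_fraction` of 1.0) that gives it away. The benign set scores 0.6 on the same measure, which is why the minimum sample size matters before any verdict is drawn.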