Brute force attacks and how to defend against them

Brute force attacks are one of the most common techniques used to gain access to a network. Essentially a game of trial and error, they try each possibility systematically in a predetermined sequence, such as alphanumerical, until an access route is found. They are brutal, forceful, and unstinting – so how can security teams stop attacks in their tracks and defend against them in the future?

Brute force attacks

Firstly, let’s look at the characteristics of an attack. There are two types of brute force attack: online and offline. Online is the more common attack type, and usually consists of hackers trying to discover a usable password through an online resource or service, such as an e-mail service. Offline brute force attacks, on the other hand, typically involve trying to decrypt a file (such as a UNIX password file). They are less common because the attacker must first have physical possession of the file.

Brute force attacks are second only to denial of service attacks, amounting to approximately 25 per cent of all attacks, according to a 2015 McAfee Security Report. WordPress sites are common victims of such attacks as hackers are able to gain control of the publishing platform and then utilise it for malicious purposes.

In the vast majority of cases, the motive behind brute force attacks is to gain privileged access to restricted data, applications, or resources. However, a successful brute force attack can also become a stepping-stone or pivot point for further attacks. For example, by brute forcing access to point A, it might then be possible to launch subsequent exploits (perhaps of a different type) to get to points B-Z. A hacker may also launch a brute force attack to install something such as a rootkit, add a new bot to a botnet, create a command and control centre for a botnet, or simply steal money or sensitive information, such as credit card numbers or banking credentials, for financial gain.

Unfortunately, there isn’t one simple, straightforward clue that signals when a brute force attack is happening. There are, however, some useful indicators to look out for, such as a string of failed log-ins from the same IP address. If the attacker is using a botnet, the IP addresses will vary, so it’s important to be able to recognise other clues:

  • Logins with multiple username attempts emerging from the same IP address
  • Logins for a single account coming from many different IP addresses
  • Excessive bandwidth consumption over the course of a single session
  • Failed login attempts from alphabetically sequential usernames or passwords
  • A referring URL drawn from someone's mail or IRC client
  • A referring URL that contains the username and password in this format: http://user:password@www.example.com/login.htm
  • A referring URL drawn from known password-sharing websites
  • Failed login attempts that include passwords commonly used by users and hackers alike (123456, password, qwerty, pwnyou, etc.)
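The first four indicators above can be checked mechanically against an authentication log. The following is an added example, not code from the article or from any tool it names: it parses constructed sshd-style "Failed password" lines and flags one IP trying many usernames, one account attacked from many IPs (the botnet pattern), and usernames arriving in alphabetical order. The thresholds are assumptions; tune them to your own baseline.

```python
import re
from collections import defaultdict

# Constructed sample log lines (sshd style); addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[101]: Failed password for invalid user aaron from 198.51.100.7 port 4001 ssh2
Mar  3 10:01:03 host sshd[102]: Failed password for invalid user abby from 198.51.100.7 port 4002 ssh2
Mar  3 10:01:04 host sshd[103]: Failed password for invalid user adam from 198.51.100.7 port 4003 ssh2
Mar  3 10:01:05 host sshd[104]: Failed password for admin from 203.0.113.10 port 5001 ssh2
Mar  3 10:01:06 host sshd[105]: Failed password for admin from 203.0.113.11 port 5002 ssh2
Mar  3 10:01:07 host sshd[106]: Failed password for admin from 203.0.113.12 port 5003 ssh2
Mar  3 10:01:08 host sshd[107]: Failed password for admin from 203.0.113.13 port 5004 ssh2
Mar  3 10:01:09 host sshd[108]: Accepted password for alice from 192.0.2.5 port 6001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def parse_failures(log_text):
    """Return (username, ip) for every failed-login line; successes are ignored."""
    return [m.groups() for line in log_text.splitlines() if (m := FAILED_RE.search(line))]


def find_indicators(failures, user_threshold=3, ip_threshold=3):
    """Apply three of the article's indicators to parsed failures.

    'spray'       : one source IP tried >= user_threshold distinct usernames
    'sequential'  : that IP's usernames arrived in alphabetical order
    'distributed' : one account failed from >= ip_threshold distinct IPs
    """
    users_by_ip = defaultdict(list)   # ip -> usernames in log order
    ips_by_user = defaultdict(set)    # username -> distinct source IPs
    for user, ip in failures:
        users_by_ip[ip].append(user)
        ips_by_user[user].add(ip)
    findings = []
    for ip, users in users_by_ip.items():
        distinct = set(users)
        if len(distinct) >= user_threshold:
            findings.append(("spray", ip, len(distinct)))
            if users == sorted(users):
                findings.append(("sequential", ip, len(users)))
    for user, ips in ips_by_user.items():
        if len(ips) >= ip_threshold:
            findings.append(("distributed", user, len(ips)))
    return findings
```

Note that the per-account check is what catches the second half of the sample: each of the four bot addresses fails only once, so any purely per-IP rule would stay silent.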

So how can you defend yourself?

There are a variety of ways to fend off such attacks, such as locking the account after a fixed number of failed attempts. Apple’s failure to implement this initially in its iCloud service led to the successful brute force hacks and mass distribution of embarrassing celebrity photos back in 2014. Delaying the response time is also a good defence technique. The more time between permitted password attempts, the more slowly a brute force attack will proceed, and the more time is available for sysadmins to discover that an attack is underway. Additionally, an IP address should be locked out once the number of failed attempts from it exceeds a predefined maximum. Unfortunately, if the attacker is using a botnet, this approach alone will be inadequate, because the attempts are spread across the many different IP addresses of the bots.
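The three defences just described (account lockout, a growing delay between attempts, and a per-IP block) can be combined in front of the password check. This is an added illustration, not code from the article or from any product it mentions; the thresholds, the doubling delay and the injectable clock are assumptions chosen so the policy is easy to test.

```python
import time


class LoginGuard:
    """Gate login attempts before the password is verified.

    Policy (assumed, the article gives no numbers): lock an account for
    lockout_seconds after max_account_failures, block a source IP after
    max_ip_failures, and require a delay that doubles with each failure
    on the same account. Tracking per account is what still works when
    a botnet spreads attempts across many IP addresses.
    """

    def __init__(self, max_account_failures=5, max_ip_failures=20,
                 base_delay=1.0, lockout_seconds=900, clock=time.time):
        self.max_account_failures = max_account_failures
        self.max_ip_failures = max_ip_failures
        self.base_delay = base_delay
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable for testing
        self.account_failures = {}         # username -> (count, last_failure_time)
        self.ip_failures = {}              # ip -> failure count
        self.locked_until = {}             # username -> unlock timestamp

    def check(self, username, ip):
        """Return (allowed, reason, seconds_to_wait) for an incoming attempt."""
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return False, "account_locked", self.locked_until[username] - now
        if self.ip_failures.get(ip, 0) >= self.max_ip_failures:
            return False, "ip_blocked", 0.0
        count, last = self.account_failures.get(username, (0, 0.0))
        wait = self.base_delay * (2 ** (count - 1)) if count else 0.0
        if now - last < wait:
            return False, "too_fast", wait - (now - last)
        return True, "ok", 0.0

    def record_failure(self, username, ip):
        """Record a wrong password; returns the state the account is now in."""
        now = self.clock()
        count, _ = self.account_failures.get(username, (0, 0.0))
        self.account_failures[username] = (count + 1, now)
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if count + 1 >= self.max_account_failures:
            self.locked_until[username] = now + self.lockout_seconds
            return "account_locked"
        return "delayed"

    def record_success(self, username):
        """A correct password clears the account's counters and any lock."""
        self.account_failures.pop(username, None)
        self.locked_until.pop(username, None)
```

Account lockout can itself be turned against legitimate users, which is why the delay and an alert to administrators belong alongside it rather than lockout alone.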

Based on the key indicators listed above, tools such as OSSEC can sometimes detect that a brute force attack is underway and take direct action to block it, notify administrators of it, or both. Brute force site scanners can also be used to go through site logs looking for signs that a brute force exploit has recently been attempted. While the horse may be out of the barn in such a case, it’s still worthwhile to know that it happened, so that effective measures can be implemented to prevent a recurrence.

Unfortunately for us, brute force attacks aren’t going away anytime soon. Put simply, the more computational power you have, the faster and more successful a brute force attack can be. And in today’s world of botnets, not to mention scalable grid and cloud architectures, computational power is relatively cheap and easy to access. We may even soon see artificial intelligence being used to simplify and prioritise the brute force process by focusing on the most promising possibilities first. Rather than rendering them insignificant, today’s computing landscape gives brute force attacks the means to become both more prevalent and more effective. To stay ahead of the latest attacks, security professionals will have to stay on their toes.

Garrett Gross, Senior Manager, Solutions Architecture at AlienVault