Brute Force Attack
Ahmad Karawash

12/17/2015

1

Definition
• A Brute Force attack is a method or an algorithm to determine a password or user name using an automatic process.


Way of work
• A Brute Force Attack simply works against the cryptography algorithm by trial and error.
• Hackers know that the password and user name are stored in a database.
• When we attempt to log in and our page request travels between the client machine and the server, hackers are most active in trying to access the account.
• They attempt all possible combinations to unlock it.
• A computer program runs automatically to get the password.

Role of key combination and length in the password
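Slide 4 is a chart in the original deck. As an added example, not code from the slides, the following Python estimates how the search space grows with the character classes and the length of a password, and how long exhausting it takes at a given guess rate. The character-class table, the two guess rates (a throttled web login versus an offline attack on a leaked fast hash) and the sample passwords are constructed for this example.

```python
import math
import string

# Character classes a password can be built from (constructed table for this example).
CHAR_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "symbols": string.punctuation,         # 32
    "space": " ",                          # 1
}

# Assumed guess rates, not figures from the slides.
GUESS_RATES = {
    "online (10 guesses/s)": 10,
    "offline (10 billion guesses/s)": 10_000_000_000,
}


def alphabet_size(password):
    """Size of the alphabet an exhaustive search must cover, assuming the attacker
    knows which character classes appear but not which characters."""
    size = 0
    for chars in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def keyspace(password):
    """Number of candidates of this length over that alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password):
    """log2 of the keyspace: each extra bit doubles the attacker's work."""
    return math.log2(keyspace(password))


def seconds_to_exhaust(password, guesses_per_second):
    """Worst case: the attacker has to try every candidate."""
    return keyspace(password) / guesses_per_second


def human_duration(seconds):
    """Render seconds using the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def strength_report(password):
    """Time to exhaust the keyspace, one entry per guess rate."""
    return {
        label: human_duration(seconds_to_exhaust(password, rate))
        for label, rate in GUESS_RATES.items()
    }


if __name__ == "__main__":
    for pw in ["1234", "password", "Passw0rd", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, length {len(pw)}, "
              f"{entropy_bits(pw):.1f} bits")
        for label, wait in strength_report(pw).items():
            print(f"    {label}: {wait}")
```

The report makes the slide's point in numbers: a four-digit PIN is a few minutes of work even through a throttled login, while adding length multiplies the work by the alphabet size at every position, which matters far more than adding one more character class.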


Tool Hacking Example


Real Hack Example: WordPress


Blocking of Brute Force Attack
• Locking Account
• Delay the login process
• Block the hacker IP
• CAPTCHA Code Use


Locking Account
• If a user enters a wrong password many times, the user's account is blocked for a given period of time.
• Ex: Outlook accounts are locked after a number of wrong password tries.
• Drawbacks:
• If an attacker attempts a Brute Force Attack on many accounts, a Denial of Service (DoS) problem emerges.
• If an attacker wants to lock an account, he simply keeps hitting that account, and the result is that the account's admin is locked out of it again.
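An added example, not from the slides, that implements the lockout rule above in Python and plays out its denial-of-service drawback. The thresholds (5 failures, a 15-minute lock), the FakeClock and the account and source names are constructed; the per_source option is an assumed mitigation for comparison, not something the slide proposes.

```python
import time


class FakeClock:
    """Constructed clock so the scenarios below run instantly and deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AccountLockout:
    """Lock a key after max_failures wrong passwords, for lock_seconds.

    per_source=False keys on the account alone, as on the slide: anyone who keeps
    guessing keeps the real owner locked out.  per_source=True keys on
    (account, source address) so one source cannot lock the owner out; the price
    is that an attacker spread over many addresses gets max_failures guesses
    from each address (the cloud-IP point made later in the deck)."""

    def __init__(self, max_failures=5, lock_seconds=900, per_source=False,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.per_source = per_source
        self.clock = clock
        self.failures = {}      # key -> consecutive failures
        self.locked_until = {}  # key -> time the lock expires

    def _key(self, account, source):
        return (account, source) if self.per_source else account

    def attempt(self, account, source, password_ok):
        """Returns 'ok', 'failed' or 'locked'.  While the lock holds, the outcome
        does not depend on the password, so a guess made then learns nothing."""
        key = self._key(account, source)
        now = self.clock()
        until = self.locked_until.get(key)
        if until is not None:
            if now < until:
                return "locked"
            # lock expired: clear it and start counting again from zero
            del self.locked_until[key]
            self.failures.pop(key, None)
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        if count >= self.max_failures:
            self.locked_until[key] = now + self.lock_seconds
            return "locked"
        return "failed"


def scenario_lock_then_expire():
    """Six wrong guesses, the right password while locked, then the right
    password after the lock has expired."""
    clock = FakeClock()
    guard = AccountLockout(max_failures=5, lock_seconds=900, clock=clock)
    results = [guard.attempt("alice", "home-ip", False) for _ in range(6)]
    results.append(guard.attempt("alice", "home-ip", True))   # still locked
    clock.advance(900)
    results.append(guard.attempt("alice", "home-ip", True))   # lock has expired
    return results


def scenario_attacker_keeps_account_locked(per_source):
    """The drawback from the slide: one wrong guess per minute from 'attacker-ip'
    for 30 minutes.  Returns what the owner gets from 'home-ip' with the right
    password at minute 30."""
    clock = FakeClock()
    guard = AccountLockout(max_failures=5, lock_seconds=900,
                           per_source=per_source, clock=clock)
    for _ in range(30):
        guard.attempt("alice", "attacker-ip", False)
        clock.advance(60)
    return guard.attempt("alice", "home-ip", True)


if __name__ == "__main__":
    print(scenario_lock_then_expire())
    print("account-wide lock, owner gets:", scenario_attacker_keeps_account_locked(False))
    print("per-source lock, owner gets:  ", scenario_attacker_keeps_account_locked(True))
```

With the account-wide rule the attacker needs only one wrong guess per minute to keep the owner out indefinitely, because every expired lock is followed by five more failures. Keying the lock on the source address stops that, but gives a distributed attacker a fresh allowance per address, which is why the deck ends up recommending CAPTCHAs rather than either counter alone.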


Delay the login process
• Increase the time delay of the login process to stop brute forcing.
• Example (PHP; the wait grows by 0.05 s with every failed attempt):
    // 50,000,000 ns = 0.05 s per failed attempt. time_nanosleep() rejects a nanoseconds
    // argument of 1,000,000,000 or more, so split the wait into whole seconds and the remainder.
    $ns = 50000000 * $failed_attempts;
    time_nanosleep(intdiv($ns, 1000000000), $ns % 1000000000);
• The more attempts a hacker uses to guess a password, the longer every check takes. After 100 wrong passwords he must wait 5 seconds between tries.


Delay the login process
• Drawbacks: Haytham Douaihy, Senior software engineer at Sword Group: "You should try not to use Sleep() because it uses CPU cycles, and if you have a brute force attack from 10,000 IP addresses you will fork 10,000 sleep() child processes or threads; this will cause load on your server."
• There are a lot of companies developing protection tools that are based on and benefit from the brute force strategy to sell their own protection software. Tool examples: Aircrack-ng, John the Ripper, RainbowCrack, Cain and Abel, etc.


Example Delay code
• This reduces the number of login guesses a hacker can make from thousands per minute down to only a few, before the delay becomes so long that the exercise is pointless: after 20 failed login attempts the delay is 6 days (2^19 seconds)!

    [HttpPost]
    public async Task<ActionResult> Login(LoginViewModel viewModel, string returnUrl)
    {
        // incremental delay to prevent brute force attacks: the number of seconds to wait
        // is kept in Application state, keyed by the client IP address. Application state is
        // in-memory and per worker process; wrap updates in Application.Lock()/UnLock() when
        // concurrent requests from the same address are possible.
        int incrementalDelay;
        if (HttpContext.Application[Request.UserHostAddress] != null)
        {
            // wait for delay if there is one
            incrementalDelay = (int)HttpContext.Application[Request.UserHostAddress];
            await Task.Delay(incrementalDelay * 1000);
        }

        if (!ModelState.IsValid) return View();

        // authenticate user
        var user = _userService.Authenticate(viewModel.Username, viewModel.Password);
        if (user == null)
        {
            // login failed: double the delay for this IP (1, 2, 4, 8 ... seconds)
            if (HttpContext.Application[Request.UserHostAddress] == null)
            {
                incrementalDelay = 1;
            }
            else
            {
                incrementalDelay = (int)HttpContext.Application[Request.UserHostAddress] * 2;
            }
            HttpContext.Application[Request.UserHostAddress] = incrementalDelay;

            // return view with error
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View();
        }

        // login success: reset incremental delay for this IP
        if (HttpContext.Application[Request.UserHostAddress] != null)
        {
            HttpContext.Application.Remove(Request.UserHostAddress);
        }

        // set authentication cookie
        _formsAuthenticationService.SetAuthCookie(user.Username, viewModel.KeepMeLoggedIn, null);

        // redirect to returnUrl, but only if it points back into this site
        // (an unchecked returnUrl is an open redirect)
        if (!Url.IsLocalUrl(returnUrl)) return RedirectToAction("Index", "Home");
        return Redirect(returnUrl);
    }

Block the hacker IP
• Simply block the IP address the brute force attack comes from.
• Some companies avoid this approach because a user who forgets his password may try to log in several times; the server then treats him as a hacker and blocks his IP.
• Code Example (PHP):
    // deny the request if the client address is on the block list
    function block_ip($ip) {
        $deny = array($ip);
        if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
            header('HTTP/1.1 403 Forbidden');
            exit();
        }
    }

CAPTCHA Code Use
• A CAPTCHA is a technique by which we recognize whether a computer or a human is on the other end, by posing questions, images or numbers whose answer cannot be submitted by a computer automatically.
• Most companies prefer this strategy to avoid brute force attacks and to avoid the overwhelming use of the sleep() method, which affects server performance negatively.
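The slides on delaying logins (9 to 11), blocking IPs (12) and CAPTCHAs (13) all come down to per-source state that is consulted before the password is checked. As an added example in Python, not code from the slides, here is the doubling schedule of the slide-11 code enforced without a single sleep(): a failed attempt stores a "not before" time for the source, a request that arrives earlier is refused at once with the number of seconds to wait (for an HTTP 429 response with a Retry-After header), the delay is capped, and beyond a threshold the source must pass a CAPTCHA instead of waiting ever longer. The user table, salt, iteration count, thresholds and the 203.0.113.7 address are constructed for the example.

```python
import hashlib
import hmac
import math

# Constructed user table: a PBKDF2 hash of one demo password.  Real code stores a
# random salt per user; a fixed salt is used here only to keep the example short.
_SALT = b"constructed-example-salt"
_ITERATIONS = 50_000


def _pbkdf2(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice": _pbkdf2("correct horse battery staple")}
_DUMMY_HASH = _pbkdf2("dummy")   # hashed for unknown users so timing does not reveal valid names


def verify_password(username, password):
    stored = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _pbkdf2(password))   # constant-time comparison
    return ok and username in USERS


class LoginThrottle:
    """Per-source throttle that never sleeps.

    A failed attempt records a 'not before' time for the source; a request that
    arrives earlier is refused immediately with the seconds left.  The schedule
    doubles like the slide-11 code (1, 2, 4, 8 ... s) but is capped at max_delay,
    and after captcha_after failures the source must solve a CAPTCHA.  The current
    time is passed in explicitly so the logic is easy to test."""

    def __init__(self, base_delay=1, max_delay=300, captcha_after=5):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.captcha_after = captcha_after
        self.state = {}   # source -> (failures, not_before)

    def delay_for(self, failures):
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def check(self, source, now, captcha_solved=False):
        """Decide before any password hashing is done.  Returns (status, retry_after)."""
        failures, not_before = self.state.get(source, (0, 0.0))
        if now < not_before:
            return "wait", math.ceil(not_before - now)
        if failures >= self.captcha_after and not captcha_solved:
            return "captcha_required", 0
        return "proceed", 0

    def record_failure(self, source, now):
        failures = self.state.get(source, (0, 0.0))[0] + 1
        self.state[source] = (failures, now + self.delay_for(failures))
        return failures

    def record_success(self, source):
        self.state.pop(source, None)


def login(throttle, source, now, username, password, captcha_solved=False):
    """Returns (status, retry_after_seconds)."""
    status, wait = throttle.check(source, now, captcha_solved)
    if status != "proceed":
        return status, wait
    if verify_password(username, password):
        throttle.record_success(source)
        return "ok", 0
    failures = throttle.record_failure(source, now)
    return "bad_credentials", throttle.delay_for(failures)


def scenario_guessing_source():
    """One source guessing 'alice' as fast as the schedule allows, then the real
    password once the CAPTCHA threshold has been reached."""
    throttle = LoginThrottle()
    src, now, results = "203.0.113.7", 0.0, []   # RFC 5737 documentation address
    results.append(login(throttle, src, now, "alice", "guess-1"))   # wrong: next try in 1 s
    results.append(login(throttle, src, now, "alice", "guess-2"))   # too early: wait 1 s
    for guess, wait in (("guess-2", 1), ("guess-3", 2), ("guess-4", 4), ("guess-5", 8)):
        now += wait
        results.append(login(throttle, src, now, "alice", guess))
    now += 16
    results.append(login(throttle, src, now, "alice", "correct horse battery staple"))
    results.append(login(throttle, src, now, "alice", "correct horse battery staple",
                         captcha_solved=True))
    return results


if __name__ == "__main__":
    for status, retry_after in scenario_guessing_source():
        print(status, retry_after)
```

Because the refusal is a lookup and an immediate response, 10,000 attacking addresses cost 10,000 dictionary entries rather than 10,000 sleeping threads. The state should live in a shared store (a cache or database) rather than in process memory when more than one worker serves logins, and the cap plus CAPTCHA escalation keeps a forgetful user from facing the six-day wait of the uncapped schedule.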


Recommendations
• Based on the research I have done and on my security experience, I recommend not using the delay strategy but the CAPTCHA one.
• Sometimes you find the server weak; this is because there are a lot of brute force attacks and the server's CPU has to run a large number of sleep() calls.


Recommendations
• Also, technically you cannot prevent thousands of login tries by delaying the repeated ones from a single IP, because with the cloud nowadays hackers have the facilities to use thousands of virtual IPs.
• So if you publish your application on a local server, its CPU is fully loaded by sleep() calls.
• And if you publish your application on the cloud, you might pay more money.


Recommendations
• From "How to Stay in Control of Cloud Sites Resource Costs Overages" by Jereme Hancock, Aug 28, 2015: "Brute force attacks against unprotected contact forms or logins. Malicious attacks often target login and contact forms in order to penetrate a site. Repeated, constant attacks on unprotected sites drive up compute cycles as the infrastructure processes each attempt. Many plugins are available to provide contact form and login protection and can mitigate the processing of illegitimate traffic. Captchas are very popular for addressing this threat."
