PerlMonks  

Why do you have to worry about Brute Force Attacks?

by Anonymous Monk
on Sep 26, 2006 at 22:10 UTC [id://575032]

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello,

As a beginner programmer, I'm wondering why some sites program their web applications to prevent brute force attacking. For example, if you fail logging in with a wrong password for a user 5 times, then it will automatically lock that user account for 15 minutes.

I just don't see why it's necessary. For example, to brute force an actual password may take up to 20,000+ attempts or even more depending on the password. I never actually tried to brute force anything. My guess to build a brute force script is to obtain a brute force dictionary, know how to utilize it so that it creates password after password, and then use the generated password in some automated LWP script to log in to a particular password protected site. This could be way off or may be on the right track. Anyways, back to the 20,000+ attempts. What kind of web server will actually allow an IP to "keep calling the same script 20,000+ times to brute force?" Or am I wrong about this?

Also, most hackers out there will probably want another method other than brute forcing, and brute forcing may become less and less popular when it comes to stealing a "web application's users' passwords."

My site is not huge, but it is a membership site where subscribers have to pay monthly. I have about 60 subscribers now and wondering if I should build that "password locking" feature to prevent brute force attacks? Is this necessary? Are there any other reasons why people build that password locking feature? I know some will say if my site is not that important, then it may not be necessary. But I guess I'm just curious and would like to know if I was to work in future projects.

Cheers,
Gerald
Re: Why do you have to worry about Brute Force Attacks?
by blue_cowdawg (Monsignor) on Sep 26, 2006 at 23:39 UTC

    Humph... let me just comment on this, this way. I live in a subdivision. My neighbors are all good folks who I would never expect to walk into my house and take things from me, but just the same I lock my front door when I leave the house for anything more than say 5 minutes.

    Likewise I close and lock my windows.

    I also have eight dogs in my house. Three of which I'm sure would do an intruder lots of harm if they were to be in the house with nefarious intent.

    Nevertheless, if someone really wanted to break into my house and take things of mine, none of this would truly deter them.

    So... why bother? With all of this why not just leave the door unlocked, the windows open and unlocked and crate up the dogs?

    (Please note: the dogs aren't in my home for the primary purpose of being a theft deterrent. It's just a perk of having dogs.)

    You take reasonable precautions to safeguard your security and personal safety because it is a reasonable thing to do. In a sense, you are "raising the bar" to make nefarious actions on some ne'er-do-well's part less attractive to them. If they have to pick a lock to get in (or smash a window) and then face the wrath of my pack of dogs, and if by some unfortunate series of bad luck on their part I happen to be home at the time, my wrath, then maybe it ain't worth it. I don't have objects of art worth tens of thousands of dollars and thieves tend not to be interested in boosting the average homeowner's stuff with that kind of risk.

    On the other hand, there is such a thing as going too far. One of my neighbors in this very quiet subdivision had a Rottweiler that he told the whole neighborhood was a trained and vicious attack dog (it wasn't... in fact the dog wanted to come live with me.. but that's a story for another time), had security bars on windows, and a high tech state of the art alarm system with panic buttons around the kids' necks (!) that called in to a central monitoring station.

    All that effort made the whole neighborhood wonder what in the world he was trying to protect. Someone in law enforcement that I know told me that a few folks in the law enforcement community wondered just what this guy was up to that he needed so much security.

    So being too conspicuous about security is apt to call unwanted attention to yourself as well.


    So what's the point?

    Having said all that, when analyzing what security measures you need to take for an application (or your home or whatever) you want to examine the following at the very least:

    • What is the threat? Who or what are you protecting yourself against?
    • What is at risk? What are you trying to protect?

    If you are protecting a club's events calendar you want to use just enough security to make sure that only folks authorized to view it and/or modify it can do so. For this type of application I'm not going to get crazy about doing intrusion detection, brute force attack detection/remediation or any of that fancy stuff.

    Where would I use it?

    How about in cases where the data I'm protecting involves large (or even not so large) amounts of money, such as investment portfolio data. Cases where medical patient data must be protected against HIPAA violations.

    Certainly where the data involves national security I would be looking to lock that down thoroughly.

    So, your mileage is going to vary...


    Peter L. Berghold -- Unix Professional
    Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
      All very good points.

      Though the thing that stands out the most is "I also have eight dogs in my house"

      I can't imagine. I used to have three dogs (and some other mammals/reptiles) and I thought that was a lot. You must go through a ton of chow.

      -Lee
      "To be civilized is to deny one's nature."
            You must go through a ton of chow.

        We do. But we buy from a feed store rather than a grocery store and get good quality feed. The better stuff actually goes further since it has fewer "fillers" and empty calories. All eight dogs are rescues and out of that eight, four of them are active in some sort of canine performance activity. Three of them are agility dogs and one does competitive obedience. Another dog is a retired agility dog.


        Peter L. Berghold -- Unix Professional
        Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
Re: Why do you have to worry about Brute Force Attacks?
by jasonk (Parson) on Sep 26, 2006 at 22:45 UTC

    The web server will quite happily let an IP call the same script 20,000 (or 20,000,000) times, as it doesn't have any way of telling the difference between a brute force attack and an application that just gets a lot of use. This is why the locking logic is built into the application, the application is the only point that knows the difference between a legitimate request and an invalid login attempt.


    We're not surrounded, we're in a target-rich environment!
Re: Why do you have to worry about Brute Force Attacks?
by kwaping (Priest) on Sep 26, 2006 at 23:17 UTC
    Let me counter with this question: Why would any legitimate user need more than X attempts within N minutes to log in? If they know their password, one attempt should be enough. If they don't, there's always the "forgot password" link that all good sites (should) have. A few attempts should be given in leeway for those like me who have many passwords and bad memories, or for those who have issues with typos.

    If you don't want to do it without good reason, then I recommend you keep a sharp eye on your HTTPD logs. Of course, by the time you recognize there is an issue, the attacker may have already succeeded. Which brings us back to the "why not just do it" argument.

    ---
    It's all fine and dandy until someone has to look at the code.
      If they don't, there's always the "forgot password" link that all good sites (should) have.

      So now, instead of cracking a secure password, all the bad guys (or your nosey neighbours) have to do is find out your dog's name, mother's maiden name, or some other easy to learn (or guess) response?

      I think those links are handy. I don't pretend any system "protected" by them is secure. They're like a locked front door with the key hidden under the doormat by the back entrance; not as secure as they really appear.

        Err, most of the ones I've used email you the new password after checking the right answer. So they would have to know your dog's name and have access to your email.


        ___________
        Eric Hodges
Re: Why do you have to worry about Brute Force Attacks?
by pileofrogs (Priest) on Sep 26, 2006 at 23:52 UTC

    On the other hand...

    Be aware that attackers can use the lockout feature to cause a denial of service attack. If I don't like you, I can just set up a script that fails to log in as you over and over again, and you'll just be locked out all the time.

    Having the lockout only last 15 minutes is good, but still vulnerable. One of the systems where I work actually disables your account after X failed logins and we have to call an admin to get re-activated. Very very bad...

    You have to decide which is worse: the vulnerability of letting someone try 20,000 logins or the vulnerability of making it easy to lock your users out.

      Be aware that attackers can use the lockout feature to cause a denial of service attack.
      This is why I think it's better to make the system slow down instead of just barring access. After one unsuccessful login, make them wait a second before trying again. After two, make them wait three seconds. After another, nine seconds, and so on. This prevents brute-force attacks by making them time-prohibitive while not noticeably slowing down a legitimate user who can't remember which of his three passwords he used for your service.

      Take a look at Tie::Scalar::Decay for an easy way of implementing it. I suggest putting Tie::Scalar::Decay values into a hash which is keyed by the IP address from which the login attempts are coming, and the username they're trying to authenticate as.

      That is a good point. Does anyone know how some of the big websites like say Amazon or Yahoo deal with this? I'm inclined to say that if there are privacy concerns that it would be better to beef up security and try to figure out ways to deal with the DDOS attacks.
      the solution to this is for both the id and password to be secret
Re: Why do you have to worry about Brute Force Attacks?
by ikegami (Patriarch) on Sep 27, 2006 at 00:43 UTC

    A very important step in a security system is response. Without it, the strongest security is severely compromised.

    • What good is an alarm no one hears or no one investigates?
    • What good is a safe no one knows has been opened? [*]
    • What good is a bank account at a bank which doesn't keep track of transactions? [**]

    Locking the account is an (automated) response to a possible security breach. It extends the time needed for an attacker to break into the account enough to dissuade the attacker or enough to mount a stronger response.

    * — Safes are rated in terms of how many minutes it takes for a pro to break into them.

    ** — An audit is a type of response which occurs after (as opposed to during) the breach.

Re: Why do you have to worry about Brute Force Attacks?
by Melly (Chaplain) on Sep 26, 2006 at 22:24 UTC

    Making this up as I go along, but...

    It's a kind of odd question - if you have control over your server, and can configure your web-server to block multiple unreasonable requests from a single IP, then by all means implement it.

    That aside, you are asking "why not drop a reasonable security measure, now that hackers have almost given up trying to get around it?"

    Tom Melly, tom@tomandlu.co.uk
Re: Why do you have to worry about Brute Force Attacks?
by Argel (Prior) on Sep 27, 2006 at 00:31 UTC
    I feel like I'm in a timewarp here. Your question could almost be considered "legit" if you asked it several years ago, back when the Internet was more like a wild frontier. Today, with the rise of organized crime on the 'net, the multitude of script kiddies, etc. it's more like a war zone. With all of the zombie systems out there on the 'net a distributed brute force attack would likely be fairly easy to pull off (especially if you throw in IP spoofing and the relaxed restrictions proxy servers would force you to make on how often an IP address can hit your server). These days you should be much, much more concerned about privacy and security, not less.
Re: Why do you have to worry about Brute Force Attacks?
by graff (Chancellor) on Sep 27, 2006 at 02:28 UTC
    Nice thread. After reading what has been posted so far, I would add:

    The "user name" and "password" combination for access control is like requiring two keys to open the door (or more like, having to know where the door is in a dark room, and then having the key to open it). If someone is using a brute force attack on a specific user account, this means the attacker already has one of the keys (or knows how to find one of the doors), and the task of breaking in is nearly half-way solved.

    As others have said, the appropriate action to be taken in this case depends on the potential damage to the system, the service, the service owners/maintainers, and the users. If the damage could be severe, then everyone with a legitimate interest at stake would view locking the account as a welcome intervention.

    If protecting against break-ins is mostly for your benefit (as owner of the site, i.e. to protect your content) rather than for the benefit of the users (to protect stuff that they keep on your site), then locking out accounts because of brute-force attacks might be perceived by your customers as a good reason to stop paying you money (bad for you). So if you feel that your content needs significant protection, you might want to take a more measured approach -- e.g. block a specific client IP address after some small number of failed login attempts.

Re: Why do you have to worry about Brute Force Attacks?
by RobPayne (Chaplain) on Sep 27, 2006 at 00:33 UTC
    There are many factors to take into account when attempting to answer your question.
  • What password change policy do you currently implement? For instance, are users required to set passwords that don't include their name (if you know it), their account name, etc.?
  • What other security measures are you currently implementing? (Are the error logs being regularly reviewed, etc?)
  • Is password security your biggest issue, or do you have other CGI issues? Is anyone other than the developers auditing the code?
  • Are there web server configuration issues that affect the security? (Are databases available via http, for instance?) You may be the only one with the information necessary to answer this question. There are quite likely other folks that you work with who can take a look at the service security. You have to assess the risk of password compromise against the risks of other types of compromise of the server and service.
Re: Why do you have to worry about Brute Force Attacks?
by Nevtlathiel (Friar) on Sep 27, 2006 at 10:08 UTC
    I'm not sure that I necessarily agree with your estimate of 20,000+ attempts to guess someone's password, it depends how stringent your password policy is. If it's fairly lax and you're allowing simple dictionary words (i.e. no requirement for numbers, capital letters or punctuation), not only are you allowing passwords that are easier to brute force, but you're also allowing your users to choose words which may be very commonly used passwords because they're easy to remember. I'd be willing to bet that there are about 10 strings which are used as passwords far more often than other strings. Things like 'password', 'changeme' and 'abc123' would be at the top of my list of passwords to try even before beginning a brute force attack because chances are if you don't have a strict password policy I can break into someone's account this way with very little effort.

    Also make sure that you give the same message when someone tries to log in as a user who doesn't exist as when a user who does exist logs in with the wrong password. Something along the lines of "Your username and password do not match" rather than "That user doesn't exist" and "Your password is incorrect". That way if someone is trying to get in who shouldn't and they don't know any of your user's login names it's not so easy for them to find out what they are. Using graff's analogy, don't make it any easier for them to find the door if they don't know where it is.

    ----------
    "Write a wise saying and your name will live forever." - Anonymous
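The uniform "username and password do not match" response described above, as an added Perl example (not code from the thread): the user table, salts and passwords are constructed for the demonstration, and an unknown username is checked against a dummy record so that the work done, and the message returned, is the same as for a wrong password. SHA-256 is used only because it ships with core Perl; a deployment would store a slow, salted password hash.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed in-memory user table: username => [ salt, sha256_hex(salt . password) ].
my %users = (
    alice => [ 'c3f1', sha256_hex( 'c3f1' . 'correct horse' ) ],
    bob   => [ '9a0e', sha256_hex( '9a0e' . 'hunter2' ) ],
);

# Dummy record used when the username is unknown, so an unknown name costs the
# same hashing work as a wrong password and neither the message nor the timing
# tells the caller which case it hit.
my @dummy = ( '0000', sha256_hex( '0000' . 'not-a-real-password' ) );

# Compare two hex digests without stopping at the first differing byte.
sub digests_equal {
    my ( $x, $y ) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 ) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns (1, undef) on success or (0, $message) on failure. The message is the
# same whether the account does not exist or the password is wrong.
sub check_login {
    my ( $user, $password ) = @_;
    my $rec = $users{$user} || \@dummy;
    my ( $salt, $stored ) = @$rec;
    my $ok = digests_equal( sha256_hex( $salt . $password ), $stored );
    $ok = 0 unless exists $users{$user};    # never accept a match against the dummy
    return $ok ? ( 1, undef ) : ( 0, 'Your username and password do not match' );
}

# Constructed attempts: right password, wrong password, unknown user.
for my $try ( [ 'alice', 'correct horse' ], [ 'alice', 'wrong' ], [ 'mallory', 'anything' ] ) {
    my ( $ok, $msg ) = check_login(@$try);
    printf "%-8s -> %s\n", $try->[0], $ok ? 'logged in' : $msg;
}
```

The two failing attempts print the identical message; only the application's own log (not the response) should record whether the name or the password was the problem.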

Re: Why do you have to worry about Brute Force Attacks?
by Mutant (Priest) on Sep 27, 2006 at 08:04 UTC
    Brute force prevention - as has been pointed out above by everyone else - is necessary. However, like all security measures, it has to be applied in the right amount.

    For instance, my work has policies on the Windows Active Directory logins. There is a maximum of three failed attempts in an hour. Additionally, password must be changed every 90 days, and there are fairly tight restrictions on what passwords can be.

    This might seem reasonable, but when you add in the fact that many applications in the company use Active Directory as their authentication system, you see that users can easily legitimately enter their password incorrectly more than three times in an hour, locking out their accounts. A policy closer to 20 (or even 50) attempts in an hour would seem much more reasonable to me - it would almost eliminate the number of locked out accounts, while not really making it easier to brute force.

    If your security is over zealous, it will cause legitimate users to find ways to circumvent it - just so they can get some work done. If this happens, you know your security measures are failing.
Re: Why do you have to worry about Brute Force Attacks?
by Smaug (Pilgrim) on Sep 27, 2006 at 10:15 UTC
    .....and yet another thing not covered, (or maybe it was) is that surely if you are charging people for access, you would not want somebody else getting the information for free?

    I know that if I was one of your clients, I would be more than a little annoyed to find out that somebody has used my details to access information/services for "free" using my account which I paid for. In such a case it may convince me to stop using your site.

    The passwords for site are there to protect the owners and the users.

    Another nice feature is a welcome message with something like "Welcome back, you last logged in 3 days ago at 12:33 from 192.168.3.12" sort of thing....

Re: Why do you have to worry about Brute Force Attacks?
by nimdokk (Vicar) on Sep 27, 2006 at 12:55 UTC
    This is a really good thread. Not sure I really have a lot more to add to it but I'll toss in my 2 cents.

    Blocking Brute Force attacks by implementing password lockout is a good idea in general. A lot of people think they might have good passwords until they've seen a brute force tool (such as John the Ripper or L0phtCrack) in action (these are working on password files, not across the web as you are describing) but the length of time to crack even seemingly difficult passwords is laughably short. I'm not sure how many attempts they need to crack the password, but given the length of time, it probably isn't very many.

    Something to consider is what you are trying to protect. If it really doesn't matter if the information gets out - it can't be used against someone for example - then perhaps it really doesn't matter. But if you are storing personal information (phone numbers, addresses, etc.) then you might want to implement additional levels of security. Basically, make it not worth someone's while to try to break in and steal it. A simple threat analysis should give you a good indication of what you might want to consider doing.

    If you work someplace where the risks and potential damages are high if information is stolen or compromised, then you want to take every possible step to make that information safe. The flip-side of course is making the site easy to use. Security is a balancing act between Ease-of-use and Security.

    In response to your comment "What kind of web server will actually allow an IP to "keep calling the script..."", it depends on how it's configured. I've seen logs after a brute force attack on a site and it's not pretty. Even with lockouts in place. Unless the site can be configured to block brute force/DOS attacks, your app will continue to get hit until the attacker gets bored, or all available bandwidth is soaked up. I can only speak to IIS but from what I saw, there really is no way with the server to do this. We've installed another server that does allow us to block sites after X number of attempts (it's looking to limit possible DOS attacks). In addition, we have firewall restrictions in place that keep J. Random Script-Kiddie from getting through easily. But also, I work in a place where we take security very seriously in part because it's in the best interest of our customers and the fines for failing to adequately protect customer info can be very very steep (including hefty fines and possible jail time as well).

    If you're looking at some sort of bulletin board, do you want to be able to provide some accountability and make sure that the person posting is the person who registered? Password locking is simple to implement but if the password is compromised - what are the consequences for you and for the person whose password is compromised?

    Enough rambling for now - I'm looking forward to reading the rest of the comments here to see what people think :-)

      The flip-side of course is making the site easy to use. Security is a balancing act between Ease-of-use and Security.

      One of my favourite definitions of security: "making the right data available to the right people at the right time".

      It encompasses two oft-overlooked points: first, that a system that prevents valid access can be just as bad, or worse, than a system that grants too much access, and second, access rights change over time. If a bank vault won't let anyone get the money, ever, it's worse than useless. A former bank teller should not retain keys to the vault after (s)he leaves the company; and a bank teller also shouldn't even be able to open the vault when not on shift.

      It's an easy thing to state; and a hard thing to get right.

Re: Why do you have to worry about Brute Force Attacks?
by astroboy (Chaplain) on Sep 27, 2006 at 19:32 UTC

    CGI::Application has a plugin called CGI::Application::Plugin::RateLimit that may give you some ideas. Basically for any runmode or action (e.g. accepting logins) you can determine how many calls you will accept over a defined time frame.

    $rate_limit->protected_actions(failed_login => {timeframe => '10s', max_hits => 2 });

    By default it uses $ENV{REMOTE_USER} or $ENV{REMOTE_IP} to identify the user, but you can write a callback to create your own logic for this.
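The escalating delay suggested earlier in the thread (1, 3, 9 seconds after successive failures, keyed by client IP and username, with old failures decaying away) and the "max hits per timeframe" rule shown above both need the same per-key failure history, so here they are combined into one added Perl example. It is not the thread's code and does not use Tie::Scalar::Decay or CGI::Application::Plugin::RateLimit; the policy numbers, the in-memory hash, the fixed clock and the client addresses are all constructed for the demonstration. A site with several server processes would keep the failure table in a shared store instead of a process-local hash.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use List::Util qw(min);

# Failure history per "client IP|username" key. Keying on the pair rather than the
# username alone means a stranger failing as "alice" slows down only that client,
# not alice herself (the lockout-as-denial-of-service problem raised above).
# Each value is a list of epoch timestamps of failed attempts.
my %failures;

# Policy values (assumed for this example):
my $BASE_DELAY = 1;       # seconds to wait after the first failure
my $FACTOR     = 3;       # 1, 3, 9, 27 ... seconds after successive failures
my $MAX_DELAY  = 300;     # cap, so a pair cannot be kept locked out for hours
my $FORGET     = 3600;    # failures older than this no longer count (the "decay")
my $TIMEFRAME  = 10;      # sliding window for the plain hit limit ('10s' above)
my $MAX_HITS   = 2;       # failures tolerated inside that window

sub _key { join '|', @_ }

# Drop expired failures and return the remaining timestamps, oldest first.
sub _recent {
    my ( $key, $now ) = @_;
    my $list = $failures{$key} ||= [];
    @$list = grep { $now - $_ < $FORGET } @$list;
    return @$list;
}

# Seconds the client must still wait before another attempt is accepted;
# 0 means the attempt may proceed. Takes the larger of the escalating delay
# and the max-hits-per-timeframe wait.
sub seconds_to_wait {
    my ( $ip, $user, $now ) = @_;
    $now //= time;
    my @fails = _recent( _key( $ip, $user ), $now );
    return 0 unless @fails;

    # Escalating delay, measured from the most recent failure.
    my $delay   = min( $MAX_DELAY, $BASE_DELAY * $FACTOR**( @fails - 1 ) );
    my $backoff = $delay - ( $now - $fails[-1] );

    # Plain window: $MAX_HITS or more failures inside $TIMEFRAME seconds means
    # waiting until the oldest one in the window ages out.
    my @in_window = grep { $now - $_ < $TIMEFRAME } @fails;
    my $window = @in_window >= $MAX_HITS ? $TIMEFRAME - ( $now - $in_window[0] ) : 0;

    my $wait = $backoff > $window ? $backoff : $window;
    return $wait > 0 ? $wait : 0;
}

sub record_failure {
    my ( $ip, $user, $now ) = @_;
    $now //= time;
    push @{ $failures{ _key( $ip, $user ) } }, $now;
}

# A successful login clears the history for that pair.
sub record_success {
    my ( $ip, $user ) = @_;
    delete $failures{ _key( $ip, $user ) };
}

# Constructed sequence: one client retries the same account every two seconds,
# using a fixed clock so the output is reproducible.
my ( $ip, $user, $t ) = ( '192.0.2.10', 'alice', 1_000_000 );
for my $step ( 1 .. 4 ) {
    my $wait = seconds_to_wait( $ip, $user, $t );
    printf "t+%-3d attempt %d: %s\n", $t - 1_000_000, $step,
        $wait ? "refused, wait ${wait}s" : 'allowed (and fails)';
    record_failure( $ip, $user, $t ) unless $wait;
    $t += 2;
}
# A different client trying the same account is judged on its own history only.
printf "other client: wait %ds\n", seconds_to_wait( '198.51.100.7', $user, $t );
```

In the walk-through the first two attempts are allowed, the third is refused for six seconds because two failures already sit inside the ten-second window, and the fourth is still refused; the second client, with no history of its own, is not delayed at all. The login handler would call seconds_to_wait before checking the password, and record_failure or record_success afterwards.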

Re: Why do you have to worry about Brute Force Attacks?
by nevyn (Monk) on Sep 27, 2006 at 21:17 UTC
    What kind of web server will actually allow a IP to "keep calling the same script 20,000+ times to brute force?"

    When talking about HTTP, always think "what would a Web proxy do?"

    For a web based application IP addresses can very rarely be blocked.

    --
    And-httpd, $2,000 security guarantee
    James Antill
Re: Why do you have to worry about Brute Force Attacks?
by vhold (Beadle) on Sep 28, 2006 at 21:20 UTC
    Nobody has mentioned Captchas; apparently there are a number of applicable CPAN Modules.

    I think they are the most effective method for both avoiding lockout situations and making brute force attacks prohibitively expensive. Can anybody vouch for any of the modules?
      Nobody has mentioned Captchas, apparently there are number of applicable CPAN Modules. I think they are the most effective method for both avoiding lockout situations and making brute force attacks prohibitively expensive. Can anybody vouch for any of the modules?

      They're not particularly effective since they only have a chance of stopping automated brute force attacks, not man-in-the-middle variants or attackers with partial information.

Re: Why do you have to worry about Brute Force Attacks?
by AJRod (Scribe) on Sep 30, 2006 at 08:14 UTC
    Before I begin, forgive me for providing an opinion that is beyond perhaps the scope of this forum. The following is why I think we all have to worry about Brute Force Attacks.

    Security is a responsibility to your own, your users' and your network community's welfare. The first two concerns have already been mentioned so let me focus on the third.

    To a certain extent, the household analogy works to make us understand why we need locks, passwords, and other security measures. However, it fails to explain other aspects of networking which cannot be practiced in the household yet are violated by "unethical" hackers everywhere. Take for instance the characteristics of network nodes in which the entire node can be used by a hacker, for example, as a portal into another node or to commit a felony under an assumed "identity". Your household may not even need to have a lot of assets or any asset at all to be useful. In other words, not only specific objects inside your household are potential targets but the entire network node's resources as well. In a larger perspective, a security-weak node serves as an Achilles heel of the entire network.

    Now let me "digress" momentarily by saying that active prevention of criminal acts through security measures is a blunt weapon compared to the more effective objective of eliminating social inequities. We first have to admit we are still very far from such a mature society. You can tell simply by counting the number of dogs owned by some of the respondents here. ;)

    When I realized this current social-historical context we are in, it made me understand better that at the present moment admins have to apply security measures to make the entire network community difficult for criminals and safer for the rest of us.

    And the responsibility of the rest of us? At the minimum to understand this context so we don't just see these measures as mere "annoyances". At the maximum, to continue working for a better world for, after all, internet crimes are not merely technologically inspired but more deeply socially rooted. Technological "solutions" are necessary but relatively palliative.
