What is brute force attack?
Brute force attack (also known as a dictionary attack) is one of the most common (and least subtle) attacks conducted against Web applications. The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user or personal identification number (PIN).
Usually, Brute force attacks may be used by criminals to crack encrypted data, such as passwords or Data Encryption Standard (DES) keys or by security analysts to test an organization’s network security through exhaustive effort (using brute force) rather than employing intellectual strategies. Along with the threat of unauthorized access these programs target specific services such as FTP, SSH, and RDP (Remote Desktop Protocol) because they are the most common services seen on servers.
Types of brute force attack
There are two types of brute force attack:
- Online brute force attackOnline brute force attacks are one of the most common attack types and usually consists of hackers trying to discover a usable password through an online resource or service, such as an e-mail service.
- Offline brute force attackOffline brute force attacks, on the other hand, typically involve trying to decrypt a file (such as a UNIX password file). This explains why they are less common as they require having physical possession of the file in the first place.
How Do Hackers Use Brute Force Attacks Against Websites?
Brute force login attacks can be conducted in many ways. If the Web application does not have any protections in place against this type of attack, it’s possible for automated tools which are readily available on the Internet in a matter of seconds to submit thousands of password attempts and making it easy for an attacker to beat a password-based authentication system.
WordPress sites are common victims of such kind of brute force attacks as hackers are able to gain control of the publishing platform and then utilize it for malicious purposes. With a brute force attack on WordPress websites, a hacker attempting to compromise your website will attempt to break into your site’s admin area by trial and error, using thousands of possible username/password combinations.
Usually, hackers write simple scripts, called bots, that carry out thousands of these break-in attempts against websites on auto-pilot. Typically, these bots are custom-written by the attackers and designed to be easily distributed over several hacked machines. These groups of botnets or bots with other commonly accessible tools that either generate thousands of passwords or use a word-list. The latter is often referred to as a dictionary attack, because of their dependence on “dictionaries” or long lists of words to try to a list of passwords and/or usernames on your website.
However, if the attacker is using a botnet, IP addresses can vary for this kind of attack, so it’s important to be able to recognize other clues, such as logins from the same IP address with multiple username attempts , logins for a single account coming from many different IP addresses, excessive bandwidth consumption over failed login attempts from alphabetically sequential usernames or passwords and the course of a single session.
Rather than trying multiple passwords against one user, another brute force attack method is to try one password against multiple usernames. This is known as a reverse brute force attack. This technique is worth noting as it is where most account lockout policies fail. Reverse brute force attacks are less common, however, because it’s often difficult for the attacker to compile a sufficiently large volume of usernames for the reverse attack.
Effect of Brute Force Attacks:
Once attackers have gained access to your website, they can use its files and the web host server to cause a wide variety of damage through malicious behavior, including:
- Defacement: your site can display unwanted and sometimes malicious content, your own content may be deleted, and your website can be taken down altogether;
- Malware distribution: your site’s pages may infect your visitors with malware, ransomware, and viruses;
- Spamvertising: Your website may display spam content and/or links to spam websites;
- Redirection: Accessing your domain name may cause your visitors to be redirected to malicious websites, or to pages that contain affiliate links and make money for the hackers;
- Stealing system resources: by using your web server’s resources, attackers are carrying out tasks such as email campaigns and content delivery on your dime;
In the vast majority of cases, the motive behind brute force attacks is to gain privileged access to restricted data, applications, or resources.
How to protect a website from Brute Force Attacks:
There are a few basic to advance steps and number of techniques for preventing brute force attacks
- The first and best line of defense against brute force attacks is to have a very strong username and password combination. Don’t use “admin” or an easily guessable admin username such as the URL of your website or “webmaster.” Delete any admin-level accounts you don’t need. These remove accounts that could be compromised.
- Strictly limiting the number of login attempts
- Blocking well-known brute force attackers by using a continually updated IP blacklist
- A very strong password does make it difficult for a brute force attack to be successful, but not impossible. Not only are we humans bad at choosing passwords, but their crackers continue to improve the password guessing game in a number of ways.
- A better, albeit more complicated technique, is progressive delays. With progressive delays, user accounts are locked out for a set period of time after a few failed login attempts. The lock-out time increases with each subsequent failed attempt. This prevents automated tools from performing a brute force attack and effectively makes it impractical to perform such an attack.
- Another technique is to use a challenge-response test to prevent automated submissions of the login page. Tools such as the free reCAPTCHA can be used to require the user to enter a word or solve a simple math problem to ensure the user is, in fact, a person. This technique is effective, but has accessibility concerns and affects the usability of the site.
It is important to ensure the Web application employs at least one of these techniques for defending against brute force attacks if your users are to trust the security of their personal data. Using the techniques outlined in this article should provide a robust defense against this common type of attack.
Most brute force attacks work by targeting a website, typically the login page, with millions of username and password combinations until a valid combination is found. The same concept can be applied to password resets, secret questions, promotional and discount codes, and/or other “secret” information used to identify a user.
To perform a brute force attack, we need to do a few things:
- Confirm account lockout/request throttling is disabled or easy to bypass
- Determine the format of the username
- Create a list of potential usernames
- Confirm which usernames are valid
- Test passwords for each valid username