Over the past few days I’ve been pondering an older threat against applications – lockout attacks. The old attack would involve a single user who wanted to lockout another individual or group of individuals by entering multiple unsuccessful passwords. The goal isn’t to guess the password, but to lock the account by sending multiple unsuccessful login attempts. Now, if this user was particularly malicious he could try to enumerate all of the usernames for an online system and then use a script to lock out all of the users. This is a real threat for current online systems. However, once the system owners detected this attack they could respond and block incoming requests from the IP address and likely track down previous activity from that user.
Lets take this idea and add make it a distributed attack originating from a botnet. Instead of a single user attacking multiple user accounts, we now have thousands of individual machines scattered throughout the world attacking a small number of accounts. How would we defend against this sort of attack? Previously a single machine was launching the attack and action could easily be taken against the offending IP address. But now the number of malicious machines increases to the thousands – all locking 10-20 accounts each.
How does this attack compare to a distributed network based denial of service? One key item is the attacker does not have to actually exhaust network resources. A network based denial of service requires a large number of machines for it to be successful. Each machine sends legitimate requests to the site in an attempt to use up all the available bandwidth on the server side. Once the bandwidth from the botnet attack stops clogging the pipe, the attack is over. However, an account lockout attack would cause damage with any number of attacking machines. 1000 machines wouldn’t cause a DDOS against a major online site, but it could lock out 50,000 users without difficulty. Another issue with this attack is simply unlocking the affected accounts won’t solve anything. The attacked site must quickly identify the attacking machines or eliminate their ability to lock out accounts. Otherwise any accounts which are unlocked, will just be locked by the next wave of attacks.
I can see this type of attack being a real threat to the massive social networking sites and possibly financial sites which have not added multi-factor authentication. Given the large botnets that have been forming, I’m almost surprised we haven’t seen this type of attack yet (please correct me if I’m missing some).
Here are some solutions I came up with:
- A captcha of some sort may be a good option. We are seeing this in more financial sites. But for those sites that don’t want a captcha for every login, consider requiring the captcha after 3 failed logins. At this point we should get suspicious and want to confirm that we are dealing with a person and not a bot.
- Incident response should be prepared for this type of attack. Be able to quickly pull metrics showing IP addresses which have a large number of failed logins or have locked out more than 1 account in a small amount of time.
- Along that line, it may be worthwhile to generate an IDS alert whenever a single IP locks more than 1 account in a small window of time. Generating alerts on this behavior could provide information on the beginnings of an attack (instead of hearing from the helpdesk that you just received thousands of password reset phone calls)
-Michael Coates
February 26, 2008 at 10:16 pm |
RE: MultiFactor SecureAuth(TM) Counters the Distributed Account Lockout Attack
Michael:
Excellent article.
At MultiFactor, we believe as you stated, that certain multifactor authentication methods, namely our SecureAuth product, can address this type of attack.
That is in the MultiFactor SecureAuth solution the legitimate user or attacker is never even prompted for the password unless the user first can input:
a) A set of non-phishable, non-exportable SecureAuth browser credentials
or
b) the user had first registered the browser, in a Secure out-of-band method:
– Telephony (Cell Phone or Land) One-Time-Password (OTP)
– SMS Text Message OTP
– E-mail OTP
In effect, only a user that has establish a reasonable set of “credibility” is even allowed to input a browser. (E.G., be in posession of the user’s cell or land line or have access to a non-exportable key on the user’s browser.) Neither a hacker nor an automated bot – would meet this criteria.
Thus via the SecureAuth method, an enterprise is secure in knowing they are not susceptible to an Account Lockout Attack.
We encourage all security analysts and professional to run the demo on our public site:
http://www.multifa.com/demo.htm
—-
Garret Grajek, CISSP
MultiFactor Corporation
Chief Operating Officer
office: 949.777.6970
ggrajek@multifa.com
http://www.multifa.com
February 26, 2008 at 10:37 pm |
I agree that an additional factor of authentication, before the user can attempt to login, is a good possible solution. However, I’ve run into a few sites that have attempted such a method, unsuccessfully (previous post). Lets just hope that was an anomally with whoever created that site. I’m sure your product would handle the OTP correctly.
While this type of product would be good for an organization able to spend additional funds in the name of security, is it realistic for the social networking sites of the world? Could an organization with such a large and fluid user base, like facebook, realisticly implement this into their model (considering both cost and user acceptance). This is where I think things get difficult. What solution has the least impact to the user, but can still prevent such an attack?
March 3, 2008 at 7:26 am |
I have seen a worm infection that performed an attack similar to this. The worm utilized an LDAP brute force tool that would pull the username list and then start guessing passwords for each account. The internal network was infected with 20-30 machines that were each performing the brute force attack. This quickly locked out every LDAP account causing a DOS against the whole organization. This attack also affected the security team’s response because the were getting locked out of their workstations. The LDAP admin had to sit at the console and continually unlock their accounts.
This was not a targeted DOS attack, but maybe helps to illustrate how easy an attack like this could be performed and the impact it could have within an organization.