Why bother to pick a lock if you can simply kick in the door?
That’s the logic behind the brute force attack, one of the most common of all security exploits. The idea behind brute force is simple: simply try all possibilities until you find the one that works. Typically, there is no prioritization of some possibilities over others. Instead, all are tried systematically in a simple sequence, such as alphanumerical.
Brute force attacks fall, generally speaking, into two classes. The more common involves an online resource or service, such as an e-mail service; here, the hacker attempts to find a correct password. Offline brute force attacks, on the other hand, are less common because they involve trying to decrypt a file (such as a UNIX password file), and thus require obtaining the file in the first place.
As a group, all brute force attacks combined are (according to a 2015 McAfee Security Report) the second-most common of all exploit types (behind denial of service), amounting to some 25% of the total. WordPress sites in particular are often hit with such attacks in order to obtain control of the publishing platform and leverage it for malicious purposes.
What’s the motive behind a brute force attack? The most obvious is also the most common: privileged access to restricted data, applications, or resources of all kinds.
In some cases, a brute force attack is also a logical stepping-stone or pivot point — by brute-forcing to point A, it’s then possible to launch subsequent exploits (perhaps of a different type) to get to points B-Z. The hacker may also seek to install something such as a rootkit, add a new bot to a botnet, create a command and control center for a botnet, or (if possible) simply steal money or sensitive information (such as credit card numbers or banking credentials) that lead directly to money.
So how can you spot a brute force attack while it is happening? No single indicator is certain, but these are all logical possibilities:
Many failed log-ins from the same IP address. This is a particularly strong sign (though if the attacker is using a botnet, IP addresses will obviously vary).
- Logins with multiple username attempts emerging from the same IP address
- Logins for a single account coming from many different IP addresses
- Excessive bandwidth consumption over the course of a single session
- Failed login attempts from alphabetically sequential usernames or passwords
- A referring URL drawn from someone's mail or IRC client
- A referring URL that contains the username and password in this format: [url=http://user:[email protected]/login.htm]http://user:[email protected]/login.htm[/url]
- A referring URL drawn from known password-sharing websites
- Failed log-in attempts that include passwords commonly used by users and hackers alike (123456, password, qwerty, pwnyou, etc.)
Putting up a stout defense
Toward fending off a brute force attack, a variety of straightforward options include:
- Locking the account after a fixed number of failed attempts. Apple’s failure to implement this initially in its iCloud service led, in 2014, to successful brute force hacks and the mass distribution of embarrassing celebrity photos.
- Delaying the response time. The more time between permitted password attempts, the more slowly the brute force attack will proceed, and the more time is available for sysadmins to discover an attack is underway.
- IP address lock-out. If failed attempts from a given IP address exceed a maximum predefined number, that address can be locked out… though if the attacker is using a botnet, with many IP addresses for its bots, this approach will be inadequate.
- Detection tools. Based on key indicators such as the bulleted list provided above, tools such as OSSEC can sometimes detect a brute force attack is underway and take direct action to block it, notify administrators of it, or both.
- Brute force site scanners. The idea behind these tools is to go through site logs looking for signs that a brute force exploit has recently been attempted. While the horse may be out of the barn in such a case, it’s still worthwhile knowing that it happened, so that effective measures can be implemented to prevent a recurrence.
Unfortunately, brute force is a class of attack that’s unlikely to vanish any time soon. Going forward, in fact, it’s clear that brute force attacks are likely to become both more prevalent and more effective.
This is a simple consequence of the fact that the more computational power you have, the faster and more successful a brute force attack is likely to be, all other factors being equal. And in today’s world of botnets, not to mention scalable grid and cloud architectures, computational power is relatively cheap and easy to get.
In the near future, in fact, artificial intelligence may even be applied to simplify/prioritize the brute force process by focusing on the most promising possibilities first. This being the case, security professionals will have to stay on their toes.