Brute-force

Overview

A brute-force attack consists of iterating over many candidate values in order to guess the "correct" one. For example, a brute-force attack can be used to find a user's password and gain unauthorized access to their account. There are several types of brute-force attacks that use different approaches for generating the list of candidate values. However, the approach to enumeration remains the same: trial and error.

This page contains recommendations for the implementation of protection against brute-force attacks.

General

  • Implement temporary blocking on the server side. Do not rely solely on protection on the client side.

  • Use the rate-limiting strategy below to implement brute-force protection for application functions such as authentication, password change, multi-factor authentication, etc.

    • Block the possibility of performing an operation for N minutes if an object has made M unsuccessful attempts in K minutes.

Example

For the authentication mechanism, the rate-limiting strategy may look like this:

Identify the account by its login; if incorrect data has been entered for it M or more times in K minutes, immediately block authentication for this account for N minutes.

  • N must grow each time the rate limit is exceeded again. For example, the first time the limit is exceeded the block lasts N minutes, the second time 2 * N minutes, the third time 4 * N minutes, etc.

  • Implement an atomic count of the number of unsuccessful attempts.

  • Share the number of failed attempts between different instances of an application.

  • Do not use user-controlled data as the key when counting unsuccessful attempts. For example, for authentication, use the login provided by the user only to look up the account, and then use the related account ID as the key for counting attempts.

Example

For the authentication mechanism, the attempt counting algorithm might look like this:

  1. Extract a username from a request.

  2. Find an account in a database by the username.

  3. If an account is found, use the id or username stored in the database to query the current number of attempts in Redis (or in any other key-value database/object).

  • Implement the concept of trusted devices to avoid blocking legitimate users during an attack, see the Concept of Trusted Devices page.

  • Do not hardcode N, M, and K values. Put these values in a configuration so that they can be changed without involving a development team.

  • Send a notification to the user when someone has exceeded the limit for performing a certain operation. The notification must contain the device from which the limit was exceeded, the IP address, the location, and a guide on how to improve the security of their account (how to change the password, set up multi-factor authentication, etc.).

  • Use CAPTCHA as a rate-limiting mechanism. Remember that CAPTCHA only makes a brute-force attack harder; it does not protect against it 100%.

  • Block IP addresses from which many failed attempts to perform a certain action are made, for example many failed logins from the same IP address. Use the same strategy described above to implement the blocking.

  • If activity is tracked by IP, make sure that the original IP cannot be overridden by the user via headers such as x-forwarded-for, x-forwarder-ip, x-real-ip, cf-connecting-ip, etc.
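The rate-limiting strategy and the attempt-counting algorithm above, as an added example that is not part of the original page: failures are counted under the account id found for the login (never under the raw login), atomically, inside a sliding K-minute window, and each block lasts twice as long as the previous one. The ACCOUNTS table and the in-memory state dict are constructed stand-ins for the user database and for a shared store such as Redis.

```python
import threading
import time

# Constructed lookup table standing in for the user database: login -> account id.
ACCOUNTS = {"alice": 1001, "bob": 1002}

class BruteForceGuard:
    """Failed-attempt counter keyed by account id, with escalating blocks.

    M, K and N follow the strategy above: once an account has made M failed
    attempts within K minutes it is blocked for N minutes, and each further
    block doubles the duration (N, 2N, 4N, ...). `state` stands in for a shared
    key-value store such as Redis that every application instance would use.
    """

    def __init__(self, m, k_minutes, n_minutes, clock=time.time):
        self.m, self.k, self.n = m, k_minutes * 60, n_minutes * 60
        self.clock = clock                 # injectable for deterministic tests
        self.lock = threading.Lock()       # makes the read-modify-write atomic
        self.state = {}                    # account id -> counter record

    def _record(self, account_id):
        return self.state.setdefault(
            account_id, {"fails": [], "blocked_until": 0.0, "blocks": 0})

    def is_blocked(self, login):
        """True while the account behind `login` is inside a block window."""
        account_id = ACCOUNTS.get(login)
        if account_id is None:             # no such account: nothing to count against
            return False
        with self.lock:
            return self._record(account_id)["blocked_until"] > self.clock()

    def record_failure(self, login):
        """Count one failed attempt; returns the block length in seconds (0 if none)."""
        account_id = ACCOUNTS.get(login)   # key on the stored id, never the raw login
        if account_id is None:
            return 0
        now = self.clock()
        with self.lock:
            rec = self._record(account_id)
            # keep only failures inside the sliding K-minute window, then add this one
            rec["fails"] = [t for t in rec["fails"] if now - t < self.k] + [now]
            if len(rec["fails"]) < self.m:
                return 0
            rec["blocks"] += 1
            rec["blocked_until"] = now + self.n * 2 ** (rec["blocks"] - 1)
            rec["fails"] = []              # a block restarts the attempt count
            return rec["blocked_until"] - now
```

In a real deployment the login handler checks `is_blocked` before verifying credentials and calls `record_failure` after each failed check, with M, K and N read from configuration rather than hardcoded.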
