NINJA BLOG

Akos Molnar | 2021.10.12. |
The Most Common Types of Cyberattacks #3 – Brute Force Attacks

Brute Force is an old and popular technique for attackers to gain unauthorized access to an account or resource. 

Its popularity is not going down any time soon. 

Of course not! 2020 security reports reveal that 80% of data breaches involved brute-forcing or the use of stolen credentials.

And brute force attacks are not something to take lightly. 

A successful attack can give access to protected functionality, sensitive information, or a personal account. With these types of information, a hacker could commit fraud, steal personal belongings or even achieve the complete takeover of your server.

What is a Brute Force Attack?

In a Brute Force attack, the offender tries to access a secured service or resource by trial and error. For example, they may try every possible user:password pair until they find the combination that gets them into your preferred chat service.

Other common targets include:

  • An unprotected path URL in your website giving access to sensitive files or information
  • The API keys of a service
  • Your e-banking account

The Mathematics Behind

Trying all the combinations until you guess right doesn’t sound like a tactic likely to succeed. The possibilities grow faster than exponentially with the length of the secret: by making a password just a few characters longer, we arrive at an ENORMOUS number.

For example, a secret composed of digits, symbols, and upper- and lower-case letters has 74 possible characters for each position. A ten-character secret therefore has 4,923,990,397,355,877,376 possible combinations!

The Attacker’s Side

Attackers have refined their guesses and tools over time. 

An average machine decades ago could only try a few thousand passwords per second. Nowadays, your daily-use laptop can test 1,000,000 combinations per second easily. Specialized hardware can perform a lot better.

How much time would an attacker need to crack a password having only lower-case letters and numbers?

Under these conditions, an attacker could recover any six-character secret in less than one hour!
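To reproduce the numbers above, here is an added example (not code from the post) that computes the key space and the time an exhaustive search needs at a given guess rate; the 74-symbol alphabet, the 36-symbol alphabet (lower-case letters plus digits) and the 1,000,000 guesses per second are the post’s own figures:

```python
def keyspace(charset_size, length, all_lengths=False):
    """Number of candidate secrets. With all_lengths=True every length from 1
    up to `length` is counted, which is what an exhaustive search really tries."""
    if all_lengths:
        return sum(charset_size ** n for n in range(1, length + 1))
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try the whole key space at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def human_duration(seconds):
    """Render seconds in the largest unit that fits, e.g. '36.3 minutes'."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_time_table(charset_size=36, max_length=8, rate=1_000_000):
    """Time per secret length for lower-case letters + digits (36 symbols)
    at the post's 1,000,000 guesses per second."""
    return {n: human_duration(seconds_to_exhaust(charset_size, n, rate))
            for n in range(1, max_length + 1)}


if __name__ == "__main__":
    # The post's 74-symbol alphabet, ten characters long.
    print(f"{keyspace(74, 10):,}")
    for n, t in crack_time_table().items():
        print(f"{n} characters: {t}")
```

The six-character row of the table comes out at roughly 36 minutes, which is the "less than one hour" the post refers to.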

But attackers can still improve that performance A LOT MORE by using the fact that secrets are not usually random.

Users tend to create passwords easy to remember, and so, easy to predict. The path’s URL on a website also has names following a certain logic.

With that in mind, attackers may not try all possible combinations but only the most likely ones, which lowers the number of possibilities radically. 

This type of Brute Force is called a Dictionary Attack.

Plenty of lists with common user:password combinations exist for all the popular services, such as email and social media, and they are publicly available, for example in the SecLists project. We will return to this topic in the next sections.

Symptoms of a Brute Force Attack

  • A considerable number of log entries related to failed login attempts, or a lot of requests for your website’s resources in a short time window.
  • Partial or total loss of availability of the service, especially if the attacker performs overwhelming connection attempts, as in a Denial of Service (DoS) attack.
  • In the case of compromise, you may find unauthorized transactions performed by your account or may even lose control over it.
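The first symptom can be checked directly in the logs. The following is an added example, not code from the post or from BitNinja: it parses constructed sshd-style auth-log lines and flags any source IP with five or more failed logins inside a 60-second sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in sshd/syslog format (not real traffic).
SAMPLE_AUTH_LOG = """\
Oct 12 10:00:01 web sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 12 10:00:02 web sshd[2202]: Failed password for admin from 203.0.113.5 port 51235 ssh2
Oct 12 10:00:04 web sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Oct 12 10:00:05 web sshd[2204]: Failed password for root from 203.0.113.5 port 51237 ssh2
Oct 12 10:00:07 web sshd[2205]: Failed password for oracle from 203.0.113.5 port 51238 ssh2
Oct 12 10:00:09 web sshd[2206]: Accepted publickey for deploy from 192.0.2.9 port 40000 ssh2
Oct 12 10:05:00 web sshd[2207]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Oct 12 10:15:00 web sshd[2208]: Failed password for alice from 198.51.100.7 port 40101 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_failures(text, year=2021):
    """Yield (timestamp, ip, user) for each failed-password line.
    Syslog lines carry no year, so one is supplied (assumption: 2021)."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_bruteforce_sources(text, threshold=5, window_s=60):
    """Return {ip: peak_failures} for IPs that reach `threshold` failed
    logins within any sliding window of `window_s` seconds."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for ts, ip, _user in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_AUTH_LOG))
```

The two slow failures from 198.51.100.7 are ten minutes apart and are not flagged, which is the difference between a user mistyping and an automated attack.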

Types of Brute Force Attacks

We can classify Brute Force attacks by the targets and methods used.

Exhaustive Search or Simple Brute Forcing

The attacker tries all the possible combinations of characters and lengths allowed. That is the case we analyzed with the numbers in previous sections. 

Dictionary Attack

The attacker uses a list of words with a high likelihood of being the secret. This attack is the reason you shouldn’t use human-generated passwords.

Dictionary files usually come from past breaches. Another common source is default credentials. You should always change the default credentials of all your devices!

BruteX is an open-source tool that automates this type of attack. It includes lists with default/usual credentials for different services.

Sub-Directories Brute Forcing

The targets are the website’s sub-directories known for containing sensitive information.

For example, sometimes developers forget to delete backup files or leave them with open permissions. In that case, anyone who requests the right path can find them. Backup files usually contain information that is not meant to be seen by anyone, such as financial balances.

All the most popular web pen-testing tools can perform this type of attack, and they even come with lists of common paths to check. An example is Nikto.

Credentials Stuffing

Here the attackers use our known credentials from past breaches to break into other services belonging to us. 

This attack is highly successful in practice because we tend to repeat passwords over different accounts.

Even if your account credentials were not dumped in previous hacks, you could be at risk. Your password could appear in a common-passwords list. These are the dictionary files used by the attackers in their automated attacks.

Here you can check if your credentials were leaked in past breaches. 

That is why you should not secure an account only with a password. Use multi-factor authentication instead. We will talk more about that in the next sections.

Top 3 Brute Force Attacks Statistics

  • The 2021 Report from Verizon found that 95% of the monitored organizations received between 637 and 3.3 billion brute-forcing attempts! 
  • Just in 2021, there were more than 250,000,000 records leaked according to the numbers of KNOWN breaches. The stolen data is sold on the Dark Web and can later be used to commit more Credentials Stuffing attacks.  

How can you defend against Brute Force Attacks?

Here are some tips to better protect yourself!

Use a Password Manager

The latest recommendations from the National Institute of Standards and Technology (NIST) highlight the importance of using password managers.

A Password Manager is software or hardware that generates, stores and manages secure passwords. Secure passwords are long and complex enough that they look random.

Human-generated passwords are weak and predictable, or hard to remember. Avoid them!

If you need to create a password by yourself, these recommendations will protect you better against brute-forcing attacks:

  • Password length should be eight characters minimum, to make exhaustive search attacks unfeasible.
  • It should not appear in a past breach to avoid dictionary attacks.
  • It should not contain:
    • Dictionary words
    • Repetitive or sequential characters (ex., ‘aaaaa’, ‘1234abcd’).
    • Context-specific words (ex., name of the service, username, …)
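These rules can be enforced in code at registration or password-change time. The following is an added example, not part of the post or of NIST’s guidance: it checks a candidate password against the list above, using a constructed tiny breach hash set and word list that stand in for real dumps such as those collected in SecLists.

```python
import hashlib
import re

# Constructed stand-in for a breach list: SHA-1 of a few leaked passwords.
# A real deployment would load millions of hashes, not this handful.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "iloveyou")
}

# Constructed tiny dictionary; a real check would use a full wordlist.
DICTIONARY_WORDS = {"password", "dragon", "monkey", "welcome", "summer"}


def _has_run(pw, n=4):
    """True if pw contains n or more identical characters in a row ('aaaaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def _has_sequence(pw, n=4):
    """True if pw contains n or more consecutive ascending or descending
    characters ('1234', 'abcd', 'dcba')."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        deltas = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if deltas == {1} or deltas == {-1}:
            return True
    return False


def check_password(pw, username="", service=""):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a past breach")
    if any(w in low for w in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if _has_run(pw):
        problems.append("contains repeated characters")
    if _has_sequence(pw):
        problems.append("contains sequential characters")
    for ctx in (username, service):
        if ctx and ctx.lower() in low:
            problems.append(f"contains context-specific word '{ctx}'")
    return problems
```

A password-manager-generated string such as V7q!rZ2m#Lp9 passes every rule, while the post’s own ‘aaaaa’ and ‘1234abcd’ examples are rejected.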

Enable Multi-factor Authentication

Methods of authentication for login seek to identify:

  • Something the user knows, like a password
  • Something the user owns/has, like a phone number
  • Something the user is, like with biometric data
  • Where the user is, with their IP address

Web services usually offer a combination of two of them; that is exactly what Two-Factor Authentication (2FA) means. 

According to Microsoft, multi-factor authentication can prevent 99.9% of account compromise attacks.

Prefer Biometric Methods for Authentication

A brute-forcing attempt won’t succeed if it needs to provide your voice, your hand or your iris. As a plus, you won’t need to remember anything, and you won’t need to receive a code or install an app on your phone either (as you do with authenticator apps).

Use Anti-Automation Defences, like a WAF

With anti-automation defenses in place, such as CAPTCHA, a brute force attack would run remarkably slower.

Even a dictionary attack would be harder to perform; the offender’s IP would be blocked after a few failed connection attempts.

How can BitNinja protect You against Brute Force Attacks?

We are never exempt from a zero-day vulnerability or human error. That’s why security should be applied in layers, protecting each part of your system.

A vital line in your defenses should have anti-automation capabilities. BitNinja offers that in a great way, and even more!

BitNinja AntiFlood and Captcha modules cover you against automation attacks by blacklisting IPs attempting recurrent connections.

Even if CAPTCHA gets bypassed somehow, the BitNinja SenseLog module will detect and ban malicious IPs and brute force attempts. 

Why is BitNinja Different from other WAF Solutions?

BitNinja has features backed by state-of-the-art technology in different areas: 

  • To avoid false positives, BitNinja uses the innovative concept of greylists. There, temporarily blocked IPs can be delisted manually by human visitors by solving a CAPTCHA, or automatically by the Browser Integrity Check (BIC).
  • The BitNinja SenseLog module uses the most effective technologies (Auditd, Aho-Corasick algorithm) to be resource-friendly.
  • Finally, there’s the Real-Time IP reputation module. It has a constantly updated and vast list of malicious IPs worldwide. Attempts of connection coming from these IPs are blocked directly.

Example for Brute Force Attack

We will use the open-source tool Nikto to brute force directories and files in a website. We will look for sensitive information left publicly accessible. 

The target will be a web app specially designed for these kinds of demonstrations. 

We finally found an accessible file, which Nikto parsed and marked as possibly containing interesting data.

The code in the discovered file indicates overly open permissions. That is an open door for everyone to read the data in the web app, including the sensitive data.

We can see three vulnerabilities in this example: the crossdomain.xml file was left available to the public, the permissions to read the data in the web app are too open, and there are no anti-automation defenses.

With BitNinja in place, the attacker’s IP would have been blacklisted after the first failed brute force attempts. As a result, this sensitive file wouldn’t have been found. 

Brute Force Attacks FAQs

Which Log Files Does BitNinja SenseLog Monitor?

Apache/Nginx access and error logs, system-wide logs, exim4 logs, postfix logs, and more. Here is the complete list. 

You can specify custom log paths in the module’s configuration too.

Can BitNinja Do Something if my Server Gets Infected?

Yes, the BitNinja Malware Detection module detects infected files and places them in quarantine to prevent further damage to your server.

This module has unique technology to be resource-friendly and for having a very low false-positive rate. Read more about it here.

A Brute Force Attack could end up taking over your server. Cybersecurity is not optional anymore. It is a must! If you haven’t tried BitNinja yet, don’t forget to register for the 7-day free trial! No credit card needed!

We are always happy to help you! If you have any questions, check out our Knowledgebase, feel free to ask at [email protected], or you can even reach us on the Dashboard chat!

Let’s make the internet a safer place together!
