The Most Common Types of Cyberattacks #3 – Brute Force Attacks
Brute Force is an old and popular technique for attackers to gain unauthorized access to an account or resource.
Its popularity is not going down any time soon.
And no wonder: 2020 security reports reveal that 80% of data breaches involved brute-forcing or the use of stolen credentials.
And brute force attacks are not something to take lightly.
A successful attack can give access to protected functionality, sensitive information, or a personal account. With these types of information, a hacker could commit fraud, steal personal belongings or even achieve the complete takeover of your server.
What is a Brute Force Attack?
In a Brute Force attack, the offender tries to access a secured service or resource by trial and error. For example, it may try every possible user:password pair until it finds the correct combination to get access to your preferred chat service.
Other common targets include:
An unprotected URL path on your website that gives access to sensitive files or information
The API keys of a service
Your e-banking account
The Mathematics Behind It
Trying all the combinations until one works doesn't sound like a tactic likely to succeed. The number of possibilities grows exponentially with the length of the secret: making a password just a few characters longer yields an ENORMOUS number.
For example, a secret composed of numbers, symbols, and upper- and lower-case letters has 74 possible characters for each position. A ten-character secret therefore has 74^10 = 4,923,990,397,355,877,376 possible combinations!
The Attacker’s Side
Attackers have refined their guesses and tools over time.
An average machine decades ago could only try a few thousand passwords per second. Nowadays, your daily-use laptop can easily test 1,000,000 combinations per second. Specialized hardware performs far better.
How much time would an attacker need to crack a password made only of lower-case letters and numbers (36 possible characters per position)?
Under these conditions, at 1,000,000 guesses per second, an attacker could recover any six-character secret in less than one hour!
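The arithmetic behind the two figures above, as an added example (not code from the original post): it reproduces the 74-character, ten-position count and tabulates the worst-case time to exhaust lower-case-plus-digits secrets of several lengths at 1,000,000 guesses per second. The exact set of 12 symbols is an assumption, since the post only gives the total of 74.

```python
import string

# Character classes used by the post's examples. The 12 symbols are an
# assumption: the post states 74 characters in total but does not list them.
LOWER = string.ascii_lowercase            # 26
UPPER = string.ascii_uppercase            # 26
DIGITS = string.digits                    # 10
SYMBOLS = "!@#$%^&*()-_"                  # 12 -> 26 + 26 + 10 + 12 = 74


def keyspace(alphabet, length):
    """Number of distinct secrets of exactly `length` characters over `alphabet`."""
    return len(alphabet) ** length


def seconds_to_exhaust(alphabet, length, guesses_per_second):
    """Worst-case time to try every combination (on average an attacker needs half)."""
    return keyspace(alphabet, length) / guesses_per_second


def human(seconds):
    """Render a duration with its largest convenient unit, e.g. '36.3 minutes'."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def crack_table(alphabet, lengths, guesses_per_second):
    """Rows of (length, keyspace, worst-case seconds) for one alphabet and guess rate."""
    return [(n, keyspace(alphabet, n), seconds_to_exhaust(alphabet, n, guesses_per_second))
            for n in lengths]


if __name__ == "__main__":
    # The post's own numbers: 74 characters, 10 positions.
    print(keyspace(LOWER + UPPER + DIGITS + SYMBOLS, 10))
    # Lower-case letters and digits only, at 1,000,000 guesses per second.
    for n, space, secs in crack_table(LOWER + DIGITS, range(4, 11), 1_000_000):
        print(f"length {n:2d}: {space:>20,d} combinations, {human(secs)}")
```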
But attackers can still improve that performance A LOT MORE by exploiting the fact that secrets are usually not random.
Users tend to create passwords that are easy to remember, and therefore easy to predict. Paths on a website also follow a certain naming logic.
With that in mind, attackers may not try all possible combinations but only the most likely ones, thereby lowering the number of possibilities radically.
This type of Brute Force is called Dictionary Attack.
There exist plenty of lists with common user:password combinations for all the popular services, such as email and social media. And they are publicly available, for example in the SecLists project. We will return to this topic in the next sections.
Symptoms of a Brute Force Attack
A large number of log entries for failed login attempts, or many requests for your website's resources, in a short time window.
Partial or total loss of availability of the service, especially if the attacker performs overwhelming numbers of connection attempts, as in a Denial of Service (DoS) attack.
In the case of compromise, you may find unauthorized transactions performed by your account or may even lose control over it.
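The first symptom can be turned into a detection rule. The following is an added example, not BitNinja's or the post's own code: it parses constructed sshd lines in syslog format and flags any source IP whose failed logins reach a threshold inside a sliding time window. The threshold, window length, sample lines and log year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd log lines in syslog format (not from any real server).
SAMPLE_LOG = """\
Jan 10 10:00:01 web sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jan 10 10:00:02 web sshd[1002]: Failed password for invalid user root from 203.0.113.5 port 51001 ssh2
Jan 10 10:00:03 web sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Jan 10 10:00:04 web sshd[1004]: Failed password for invalid user oracle from 203.0.113.5 port 51003 ssh2
Jan 10 10:00:05 web sshd[1005]: Failed password for invalid user guest from 203.0.113.5 port 51004 ssh2
Jan 10 10:00:06 web sshd[1006]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Jan 10 10:02:30 web sshd[1007]: Failed password for alice from 198.51.100.7 port 40101 ssh2
Jan 10 10:02:31 web sshd[1008]: Accepted password for alice from 198.51.100.7 port 40101 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def detect_bruteforce(log_text, threshold=5, window_seconds=60, year=2024):
    """Return {ip: (failures_in_window, distinct_users_tried)} for every source IP
    that reaches `threshold` failed logins inside a `window_seconds` sliding window.
    Syslog lines carry no year, so the caller supplies it (assumed 2024 here)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames it has tried
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        users[ip].add(m["user"])
        # Drop failures that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = (len(q), len(users[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (count, distinct) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures, {distinct} different usernames")
```

A spray of many different usernames from one IP (a high second number) is a stronger signal than one user mistyping a password twice.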
Types of Brute Force Attacks
We can classify Brute Force attacks by the targets and methods used.
Exhaustive Search or Simple Brute Forcing
The attacker tries all the possible combinations of characters and lengths allowed. That is the case we analyzed with the numbers in previous sections.
Dictionary Attack
The attacker uses a list of words with a high likelihood of being the secret. This attack is the reason you shouldn’t use human-generated passwords.
Dictionary files usually come from past breaches. Another common source is default credentials. You should always change the default credentials of all your devices!
BruteX is an open-source tool that automates this type of attack. It includes lists with default/usual credentials for different services.
Sub-Directories Brute Forcing
The targets are the website’s sub-directories known for containing sensitive information.
For example, sometimes developers forget to delete backup files or leave them with open permissions. In that case, anyone who requests the right path can find them. Backup files usually contain information that is not meant to be seen by anyone, such as financial balances.
All the most popular web pen-testing tools can perform this type of attack, and they even come with lists of common paths to check. An example is Nikto.
Credentials Stuffing
Here the attackers use our known credentials from past breaches to break into other services belonging to us.
This attack is highly successful in practice because we tend to repeat passwords over different accounts.
Even if your account credentials were not dumped in previous hacks, you could be at risk. Your password could appear in a common-passwords list. These are the dictionary files used by the attackers in their automated attacks.
Here you can check if your credentials were leaked in past breaches.
That is why you should not secure an account only with a password. Use multi-factor authentication instead. We will talk more about that in the next sections.
The 2021 Report from Verizon found that 95% of the monitored organizations received between 637 and 3.3 billion brute-forcing attempts!
Just in 2021, there were more than 250,000,000 records leaked according to the numbers of KNOWN breaches. The stolen data is sold on the Dark Web and can later be used to commit more Credentials Stuffing attacks.
A Password Manager is a piece of software or hardware providing functionality to generate, store and manage secure passwords. Secure passwords are long and complex enough that they look random.
Human-generated passwords are weak and predictable, or hard to remember. Avoid them!
If you need to create a password by yourself, these recommendations will protect you better against brute-forcing attacks:
Password length should be at least eight characters, to make exhaustive search attacks infeasible.
It should not appear in a past breach to avoid dictionary attacks.
It should not contain:
Dictionary words
Repetitive or sequential characters (e.g., 'aaaaa', '1234abcd')
Context-specific words (e.g., the name of the service, the username, ...)
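One way to implement the recommendations above as a checker, added here as an example (not BitNinja's code). The breach list and dictionary are tiny constructed stand-ins for real wordlists, and the context words are assumed to be supplied from the service name and username.

```python
import re

# Constructed stand-ins. A real deployment would load a breached-password corpus
# and a full dictionary wordlist instead of these few entries.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY = {"summer", "dragon", "monkey", "welcome", "football"}


def is_sequential(run):
    """True for runs such as 'abcd', '1234' or 'dcba' (every step is +1 or every step is -1)."""
    diffs = {ord(b) - ord(a) for a, b in zip(run, run[1:])}
    return diffs in ({1}, {-1})


def check_password(pw, context_words=()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    lower = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if lower in BREACHED:
        problems.append("appears in a past breach")
    if any(word in lower for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if re.search(r"(.)\1{2,}", pw):              # same character three or more times in a row
        problems.append("contains repeated characters")
    for i in range(len(pw) - 3):                  # any window of four sequential characters
        if is_sequential(pw[i:i + 4]):
            problems.append("contains a sequential run")
            break
    for word in context_words:                    # service name, username, ...
        if word and word.lower() in lower:
            problems.append(f"contains context-specific word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("aaaaa", "1234abcd", "Summer2023!", "xK9#vLq2!mRz"):
        print(candidate, "->", check_password(candidate, context_words=("chatapp", "alice")) or "OK")
```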
Enable Multi-factor Authentication
Authentication methods for login rely on one or more of these factors:
Something the user knows, like a password
Something the user owns/has, like a phone number
Something the user is, like with biometric data
Where the user is, with their IP address
Web services usually offer a combination of two of them; that is exactly what Two-Factor Authentication (2FA) means.
According to Microsoft, multi-factor authentication can prevent 99.9% of account compromise attacks.
Prefer Biometric Methods for Authentication
A brute-forcing attempt won't succeed if it needs to provide your voice, fingerprint, hand, or iris. As a plus, you won't need to remember anything, receive a code, or install an app on your phone (as you do with authenticator apps).
Use Anti-Automation Defences, like a WAF
With anti-automation defenses in place such as CAPTCHA, a brute force attack would run remarkably slower.
Even a dictionary attack would be harder to perform; the offender’s IP would be blocked after a few failed connection attempts.
How can BitNinja protect You against Brute Force Attacks?
We are never exempt from a zero-day vulnerability or human error. That’s why security should be applied in layers, protecting each part of your system.
A vital line in your defenses should have anti-automation capabilities. BitNinja offers that in a great way, and even more!
BitNinja's AntiFlood and Captcha modules cover you against automated attacks by blacklisting IPs that attempt recurrent connections.
Even if CAPTCHA gets bypassed somehow, the BitNinja SenseLog module will detect and ban malicious IPs and brute force attempts.
Why is BitNinja Different from other WAF Solutions?
BitNinja offers features backed by state-of-the-art technology in different areas:
To avoid false positives, BitNinja uses the innovative concept of greylists. There, temporarily blocked IPs can be delisted manually by human visitors via solving a CAPTCHA, or automatically by the Browser Integrity Check (BIC).
The BitNinja SenseLog module uses the most effective technologies (Auditd, Aho-Corasick algorithm) to be resource-friendly.
Finally, there's the Real-Time IP reputation module. It has a constantly updated and vast list of malicious IPs worldwide. Attempts of connection coming from these IPs are blocked directly.
Example for Brute Force Attack
We will use the open-source tool Nikto to brute force directories and files in a website. We will look for sensitive information left publicly accessible.
The target will be a web app specially designed for these kinds of demonstrations.
We finally found an accessible file, which Nikto parsed and marked as possibly containing interesting data.
The content of the discovered file shows overly permissive access settings. That is an open door for anyone to read the data in the web app, including the sensitive data.
We can see three weaknesses in this example: the crossdomain.xml file was left available to the public, the permissions to read the web app's data were too open, and anti-automation defenses were lacking.
With BitNinja in place, the attacker's IP would have been blacklisted after the first failed brute force attempts. As a result, this sensitive file wouldn't have been found.
Brute Force Attacks FAQs
Which Log Files Does BitNinja SenseLog Monitor?
Apache/Nginx access and error logs, system-wide logs, exim4 logs, postfix logs, and more. Here is the complete list.
You can specify custom logpaths in the module’s configuration too.
Can BitNinja Do Something if my Server Gets Infected?
Yes, the BitNinja Malware Detection module detects infected files and places them in quarantine to prevent further damage to your server.
This module has unique technology to be resource-friendly and for having a very low false-positive rate. Read more about it here.
A Brute Force Attack could end up taking over your server. Cybersecurity is not optional anymore. It is a must! If you haven't tried BitNinja yet, don't forget to register for the 7-day free trial! No credit card needed!
We are always happy to help you! If you have any questions, check out our Knowledgebase, feel free to ask at info@bitninja.io, or you can even reach us on the Dashboard chat!