Security Primer: What is a brute-force attack? How do you detect and defend against one?
As we all know, the iCloud celebrity photo leak was not technically sophisticated: the attackers simply kept trying account names and passwords against the victims' accounts by brute force until they got into the iCloud accounts of Hollywood stars. So what is a brute-force attack, and how can we detect and defend against one?
What is a brute-force attack?
A brute-force attack is one in which an attacker tries to recover a user's account name, password or other secret by systematically working through every possible combination (for example, every candidate username and password the login form will accept). Attackers almost always use automated scripts to generate and submit these combinations until one is accepted.
From the defender's side, the longer an attacker is allowed to keep trying, the more likely it is that one attempt hits a valid username and password. This is why time matters so much when detecting a brute-force attack: the aim is to notice it while the attacker is still far from the right combination.
How to detect brute-force cracking attacks?
Brute-force attacks rely on a large number of attempts to reach a usable success rate. In web or application logs this shows up as a large number of login-failure entries, usually all from the same source IP address. Sometimes you will instead see many different IP addresses trying to log on to the same account with different passwords, which is a distributed attack against one user.
The flood of requests may also produce a large number of unusual records in the server logs. One example is a strange referrer URL (Referer header) such as http://user:password@website.com/login.html, where the attacker's tool has embedded its credentials in the URL.
Often an attacker tries to log on repeatedly with different usernames and passwords, which gives a host intrusion detection system or a log correlation system a good opportunity to catch the intrusion. There will be false positives, and they need to be excluded. For example, if the same IP address keeps retrying the same account with the same wrong password, it is more likely a web or mobile application whose stored credential was never updated (or which never obtained a valid authentication token) than an attacker; such interference should be filtered out before raising an alert.
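The following is an added example (not code from the original article or from any product it describes) that runs the detection logic described above over a few constructed sshd log lines. It separates the three patterns the text names (a burst of failures from one IP, one IP trying many accounts, many IPs hitting one account) and demotes the "same IP, same account, slow steady failures" pattern to a low-priority alert, since that is the stale-credential false positive just discussed. The thresholds, the 60-second window, the year used when parsing syslog timestamps (syslog lines carry none) and the sample IP addresses are all assumptions for the demo.

```python
"""Brute-force detection over sshd log lines (added example; thresholds are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed sample log, not real traffic (documentation IP ranges).
SAMPLE_LOG = """\
Mar 13 10:00:01 host sshd[101]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 13 10:00:02 host sshd[102]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 13 10:00:03 host sshd[103]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 13 10:00:04 host sshd[104]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar 13 10:00:05 host sshd[105]: Failed password for root from 198.51.100.7 port 40005 ssh2
Mar 13 10:01:00 host sshd[201]: Failed password for invalid user admin from 203.0.113.9 port 50001 ssh2
Mar 13 10:01:01 host sshd[202]: Failed password for invalid user test from 203.0.113.9 port 50002 ssh2
Mar 13 10:01:02 host sshd[203]: Failed password for invalid user oracle from 203.0.113.9 port 50003 ssh2
Mar 13 10:01:03 host sshd[204]: Failed password for invalid user postgres from 203.0.113.9 port 50004 ssh2
Mar 13 10:02:00 host sshd[301]: Failed password for alice from 192.0.2.10 port 60001 ssh2
Mar 13 10:02:05 host sshd[302]: Failed password for alice from 192.0.2.11 port 60002 ssh2
Mar 13 10:02:10 host sshd[303]: Failed password for alice from 192.0.2.12 port 60003 ssh2
Mar 13 10:03:00 host sshd[401]: Failed password for deploy from 192.0.2.22 port 33001 ssh2
Mar 13 10:04:00 host sshd[402]: Failed password for deploy from 192.0.2.22 port 33002 ssh2
Mar 13 10:05:00 host sshd[403]: Failed password for deploy from 192.0.2.22 port 33003 ssh2
Mar 13 10:05:30 host sshd[501]: Accepted publickey for bob from 192.0.2.30 port 44001 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
WINDOW = timedelta(seconds=60)   # assumed sliding window
BURST_THRESHOLD = 5              # failures from one IP inside WINDOW
SPRAY_USERS = 4                  # distinct accounts tried from one IP
DISTRIBUTED_IPS = 3              # distinct IPs hitting one account


class Event(NamedTuple):
    ts: datetime
    user: str
    ip: str


class Alert(NamedTuple):
    kind: str
    severity: str
    subject: str      # offending IP, or the targeted account for distributed attacks
    detail: str
    failures: int


def parse_events(text: str, year: int = 2024) -> List[Event]:
    """Keep only failed-password lines; successes and other sshd noise are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:   # syslog has no year, so one is assumed
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append(Event(ts, m.group(2), m.group(3)))
    return events


def max_in_window(times: List[datetime]) -> int:
    """Largest number of events that fall inside any WINDOW-long span."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > WINDOW:
            j += 1
        best = max(best, i - j + 1)
    return best


def regular_cadence(times: List[datetime], min_gap: float = 30, jitter: float = 2) -> bool:
    """Slow, evenly spaced retries look like a client with a stale credential, not an attacker."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return bool(gaps) and min(gaps) >= min_gap and max(gaps) - min(gaps) <= jitter


def detect(events: List[Event]) -> List[Alert]:
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
        by_user[e.user].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        users = sorted({e.user for e in evs})
        times = [e.ts for e in evs]
        if len(users) >= SPRAY_USERS:
            alerts.append(Alert("password_spray", "high", ip, f"accounts={users}", len(evs)))
        elif max_in_window(times) >= BURST_THRESHOLD:
            alerts.append(Alert("brute_force", "high", ip, f"accounts={users}", len(evs)))
        elif len(users) == 1 and len(evs) >= 3 and regular_cadence(times):
            # Same IP, same account, steady slow failures: the stale-credential false positive.
            alerts.append(Alert("stale_credential_client", "low", ip, f"account={users[0]}", len(evs)))
    for user, evs in by_user.items():
        ips = sorted({e.ip for e in evs})
        if len(ips) >= DISTRIBUTED_IPS:
            alerts.append(Alert("distributed_brute_force", "high", user, f"sources={ips}", len(evs)))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: (rank[a.severity], -a.failures))   # most urgent first


def analyze(text: str) -> List[Alert]:
    return detect(parse_events(text))


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity:4}] {a.kind:24} {a.subject:16} {a.failures:3} failures  {a.detail}")
```

Running the block prints four alerts, high severity first: the root burst from 198.51.100.7, the account spray from 203.0.113.9, the distributed attempts against alice, and finally the low-priority steady failures from 192.0.2.22. On a real host the thresholds need tuning, and a successful login following a burst of failures from the same source deserves its own, higher-priority rule.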
How can we defend against brute-force cracking attacks?
Although a brute-force attack is not a sophisticated technique, it will still succeed if you cannot monitor and analyse your traffic effectively. You therefore need to analyse the requests users make, exclude ordinary user traffic, rank the remaining threats by severity and urgency, and respond to them in that order.
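Monitoring tells you an attack is under way; the login endpoint itself should also make each guess expensive. The following is an added example (not from the article or any product it describes) of a throttle that combines the two controls the detection section implies: a per-IP failure limit for the single-source case, and a per-account progressive delay that every source must respect, for the case where many IP addresses target one account. The per-account control is deliberately a capped delay rather than a hard lockout, because a hard lockout lets an attacker deny service to the victim simply by guessing wrong. The limits, the in-memory state (a real deployment would share it across servers) and the `ManualClock` helper used to make the demo deterministic are assumptions.

```python
"""Login throttling for brute-force defence (added example; limits are assumptions)."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, NamedTuple, Tuple


class Decision(NamedTuple):
    allowed: bool
    reason: str          # "ok", "ip_rate_limited" or "account_backoff"
    retry_after: float   # seconds the client should wait; 0.0 when allowed


class ManualClock:
    """Deterministic clock so the example runs the same way every time (demo helper)."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class LoginThrottle:
    def __init__(self, ip_limit: int = 10, ip_window: float = 60.0,
                 base_delay: float = 1.0, max_delay: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.base_delay, self.max_delay = base_delay, max_delay
        self.clock = clock
        self._ip_failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._account_state: Dict[str, Tuple[int, float]] = {}   # account -> (fails, not_before)

    def _recent_failures(self, ip: str, now: float) -> Deque[float]:
        q = self._ip_failures[ip]
        while q and now - q[0] > self.ip_window:   # forget failures older than the window
            q.popleft()
        return q

    def check(self, ip: str, account: str) -> Decision:
        """Call before verifying the password; a denied attempt must not touch the password store."""
        now = self.clock()
        q = self._recent_failures(ip, now)
        if len(q) >= self.ip_limit:
            return Decision(False, "ip_rate_limited", round(self.ip_window - (now - q[0]), 3))
        _, not_before = self._account_state.get(account, (0, 0.0))
        if now < not_before:   # applies whatever IP the attempt comes from
            return Decision(False, "account_backoff", round(not_before - now, 3))
        return Decision(True, "ok", 0.0)

    def record(self, ip: str, account: str, success: bool) -> None:
        """Call after an allowed attempt with the outcome of the password check."""
        now = self.clock()
        if success:
            self._account_state.pop(account, None)   # a real login clears the backoff
            return
        self._ip_failures[ip].append(now)
        fails = self._account_state.get(account, (0, 0.0))[0] + 1
        delay = min(self.base_delay * 2 ** (fails - 1), self.max_delay)   # 1, 2, 4 ... capped
        self._account_state[account] = (fails, now + delay)


if __name__ == "__main__":
    clock = ManualClock()
    throttle = LoginThrottle(ip_limit=3, clock=clock)
    for user in ("admin", "test", "oracle"):
        throttle.check("198.51.100.7", user)
        throttle.record("198.51.100.7", user, success=False)
    print("4th attempt from the same IP:", throttle.check("198.51.100.7", "root"))
    throttle.record("192.0.2.1", "alice", success=False)
    print("alice from another IP:", throttle.check("192.0.2.2", "alice"))
```

The first print shows the IP being rate-limited for the rest of the 60-second window; the second shows that a failure against alice from one address delays the next attempt against alice from any address, which is what blunts the many-IPs-one-account pattern. Because the delay caps at `max_delay`, an attacker cannot turn the control into a permanent lockout of the victim.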
Security researchers have built an IDS (intrusion detection system) together with a log correlation system driven by built-in correlation rules, which notifies you promptly when you are under attack. All threats are displayed and grouped by threat level.
In the chart, the larger the bubble, the more widespread the threat at that moment.
In the figure below, the raw records have been interpreted into something we can read: suspicious host 209.239.114.179 is attempting to log on over SSH.
The system also looks up the IP address on a threat intelligence sharing platform.
It shows everything the sharing platform knows about the suspicious IP address, including any malicious activity previously associated with it. The addresses most likely to be attackers are then blocked to stop further brute-force attempts.