[Owasp-leaders] https://www.owasp.org/index.php/Credential_stuffing

Aurelijus Stanislovaitis aurelijus.stanislovaitis at owasp.org
Tue Sep 20 06:58:00 UTC 2016


In case of 'stuffing' the expected failed login rate is much lower
compared to any brute force, I assume.
It does not make much sense to count failed logins per user, because an
attacker would only attempt 1 password per user. The increased cumulative
amount of logins per time period could be an indication, but then we
cannot lock out accounts, of course.

The attacker switching proxies for different requests or utilizing anything
distributed such as a botnet would not increase the counter per IP address
significantly either.
For the above reason the benefit of banning IP addresses can also be doubtful.
It is important to avoid banning legitimate users. Banning an IP address after
several failed login attempts could deny access to a large corporate
network sitting behind NAT in case of a false positive. A tarpit sounds better,
however.

But these are only my theoretical thoughts. I would really be happy to
find out more about real implementations even if they are not perfect.

br
Aurelijus

On Tue, Sep 20, 2016 at 6:42 AM, Rogan Dawes <rogan at dawes.za.net> wrote:

> From a detection perspective, how is an attacker doing a horizontal brute
> force attack (most commonly defined as checking all users for a single
> common password) different from an attacker checking a list of users and
> passwords?
>
> I can't see any difference myself.
>
> You monitor login attempts, increment failed logins per user, increment
> failed logins per IP address, and lock out or ban (or tarpit) once
> thresholds are exceeded.
>
> Rogan
>
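As an added illustration of the point discussed in this thread (example code, not from the list or from OWASP), the script below runs both counting strategies over a constructed auth log: the per-user and per-IP failure counters Rogan describes, and the cumulative failed-login rate per time window that Aurelijus suggests. The log format, thresholds, IP ranges and the simple "previous window" baseline are assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample auth log (hypothetical "<ISO time> <ip> <user> <ok|fail>" format):
# two ordinary users mistyping their passwords, then a credential-stuffing run that
# tries exactly one password per account, each attempt from a different source IP.
LEGIT = [
    "2016-09-20T05:59:10Z 192.0.2.5 carol fail",
    "2016-09-20T05:59:20Z 192.0.2.5 carol fail",
    "2016-09-20T05:59:30Z 192.0.2.5 carol ok",
    "2016-09-20T05:59:40Z 192.0.2.9 dave fail",
    "2016-09-20T05:59:50Z 192.0.2.9 dave ok",
]
STUFFING = [f"2016-09-20T06:00:{i:02d}Z 203.0.113.{i} victim{i} fail" for i in range(12)]
LOG = LEGIT + STUFFING

def parse(lines):
    """Return (epoch seconds, ip, user, failed) tuples for each log line."""
    out = []
    for line in lines:
        ts, ip, user, result = line.split()
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append((int(dt.timestamp()), ip, user, result == "fail"))
    return out

def failures_by(events, field):
    """Failed-login counter keyed on 'ip' or 'user' (the per-key lockout counters)."""
    idx = {"ip": 1, "user": 2}[field]
    return Counter(ev[idx] for ev in events if ev[3])

def failures_per_window(events, window=60):
    """Cumulative failed logins across all accounts per fixed window of `window` seconds."""
    return Counter((ev[0] // window) * window for ev in events if ev[3])

def detect(events, per_key_threshold=5, window=60, spike_factor=3):
    """Report which detectors fire: per-user/per-IP thresholds vs. a global spike.
    A window spikes when its failure count exceeds spike_factor times the previous
    window's count (an empty previous window counts as 1 so the first event never alerts)."""
    by_user = failures_by(events, "user")
    by_ip = failures_by(events, "ip")
    per_win = failures_per_window(events, window)
    spikes = [w for w in sorted(per_win)
              if per_win[w] > spike_factor * max(per_win.get(w - window, 0), 1)]
    return {
        "users_locked": [u for u, n in by_user.items() if n >= per_key_threshold],
        "ips_banned": [ip for ip, n in by_ip.items() if n >= per_key_threshold],
        "spike_windows": spikes,
    }

if __name__ == "__main__":
    print(detect(parse(LOG)))
```

On this log the per-user and per-IP counters never reach the threshold (no account sees more than two failures, no IP more than two), while the 06:00 window shows twelve failures against a baseline of three and is the only signal that fires.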