Brute force attacks use strength rather than cunning to infiltrate a network. These attacks systematically try every possibility until the target has been infiltrated. They can be carried out either on- or off-line, on-line attacks being the most common. On-line attacks are usually carried out by hackers trying to discover a network password (commonly using an alpha-numeric dictionary attack). Off-line attacks occur less often, as the hacker must first possess, then decrypt, a file (a Unix password file, for example).
According to a 2015 McAfee report, brute force attacks are second only to denial of service, accounting for 25% of the total number reported. Sites such as WordPress are typical targets; the purpose of such exploits is to gain control and place exploit kits that search for vulnerabilities in visitors’ systems and attack them. The other motive for such attacks can be to gain personal data from a specific target, access financial details, or to introduce malware (such as ransomware) either directly into the specific system – or to use the compromised machine/network covertly as part of a botnet.
Recognizing an attack
Often, an on-line brute force attack will go unnoticed, though there are signs to watch for. The most obvious is a large number of failed log-ins from the same IP address. But if the hacker is using a botnet, the failures will come from a great number of different IPs. Failed log-ins using many different user names can be an indicator, especially if they are the common, weak ones that some users default to: ‘123456’, ‘password’, etc – these will be tried by the hacker first. With an automated dictionary attack, the user names or passwords will be tried in alphabetical order. Another method is for the hacker to extract a referring URL from the mail of someone else who has been hacked (this will look something like: http://user:password@www.example.com/login.html ).
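The indicators above can be turned into a small log check. The following is an added example, not code from the original article or from any product it mentions: it parses a handful of constructed SSH-style authentication log lines (not from a real system) and reports the three signs the text describes, many failures from one IP, failures against common default account names, and runs of user names tried in alphabetical order (which surface even when the attempts are spread across a botnet's many addresses). The log format, thresholds and the list of default names are assumptions chosen for the illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the style of an SSH auth log (not real traffic).
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2
Jan 10 10:00:02 host sshd[100]: Failed password for invalid user administrator from 203.0.113.5 port 4001 ssh2
Jan 10 10:00:03 host sshd[100]: Failed password for root from 203.0.113.5 port 4002 ssh2
Jan 10 10:00:04 host sshd[100]: Failed password for root from 203.0.113.5 port 4003 ssh2
Jan 10 10:00:05 host sshd[100]: Failed password for root from 203.0.113.5 port 4004 ssh2
Jan 10 10:00:06 host sshd[100]: Failed password for root from 203.0.113.5 port 4005 ssh2
Jan 10 10:00:07 host sshd[100]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Jan 10 10:00:08 host sshd[100]: Accepted password for alice from 198.51.100.7 port 5001 ssh2
Jan 10 10:00:09 host sshd[100]: Failed password for invalid user aaron from 192.0.2.10 port 6000 ssh2
Jan 10 10:00:10 host sshd[100]: Failed password for invalid user abbey from 192.0.2.11 port 6001 ssh2
Jan 10 10:00:11 host sshd[100]: Failed password for invalid user abel from 192.0.2.12 port 6002 ssh2
Jan 10 10:00:12 host sshd[100]: Failed password for invalid user abigail from 192.0.2.13 port 6003 ssh2
"""

# Assumed line shape: "Failed password for [invalid user] <name> from <ip> port ..."
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

# Assumed list of default account names that automated tools try first.
COMMON_DEFAULT_USERNAMES = {"admin", "administrator", "root", "test", "guest"}


def parse_failures(log_text):
    """Return the (username, source_ip) pairs of every failed log-in, in log order."""
    return [m.groups() for m in (FAILED_RE.search(line) for line in log_text.splitlines()) if m]


def failures_per_ip(failures):
    """Count failed log-ins per source address."""
    return Counter(ip for _user, ip in failures)


def flag_single_source(failures, threshold=5):
    """Sign 1: addresses with at least `threshold` failures (single-source brute force)."""
    return [ip for ip, n in failures_per_ip(failures).items() if n >= threshold]


def flag_default_usernames(failures):
    """Sign 2: failed attempts against well-known default account names."""
    return {user for user, _ip in failures if user in COMMON_DEFAULT_USERNAMES}


def sequential_runs(failures, min_run=4):
    """Sign 3: consecutive failures whose user names ascend alphabetically, the footprint
    of a wordlist being walked in order. The source IP is deliberately ignored, so a
    botnet rotating addresses through the same list is still caught."""
    runs, current = [], []
    for user, _ip in failures:
        if current and user > current[-1]:
            current.append(user)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [user]
    if len(current) >= min_run:
        runs.append(current)
    return runs


def analyze(log_text, ip_threshold=5, min_run=4):
    """Apply all three checks and return a summary dict."""
    failures = parse_failures(log_text)
    return {
        "failed_logins": len(failures),
        "noisy_sources": flag_single_source(failures, ip_threshold),
        "default_usernames_tried": sorted(flag_default_usernames(failures)),
        "sequential_username_runs": sequential_runs(failures, min_run),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the single noisy source (203.0.113.5) is caught by the per-IP count, the default names are listed, and the alphabetical run aaron, abbey, abel, abigail is flagged even though each attempt came from a different address.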
Defence against brute force attacks
There are ways to deter such attacks. Accounts can be locked after a set number of unsuccessful log-in attempts – this will slow down the attackers (in 2014, iCloud’s failure to lock accounts led to a brute force attack that distributed private celebrity photos). Enforcing a delay before each re-try is another way to slow the hackers; in a network this gives system administrators more time to discover that an attack is underway. In addition, IP addresses can be locked out after a number of failed log-in attempts (though if the attack comes from a botnet, this will not work because of the multiple IPs).
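The three defences just listed (account lockout, a growing re-try delay, and per-IP lockout) fit in one small policy object. The code below is an added example and not part of the original article: a `LoginGuard` class with assumed thresholds (five failures lock an account, twenty failures lock an IP, both for 900 seconds, and the re-try delay doubles after every failure), and a replay of a constructed sequence of attempts. The caller passes the current time explicitly so the behaviour can be checked without sleeping.

```python
class LoginGuard:
    """Rate-limit and lock log-in attempts per account and per source IP.
    Thresholds are assumed values for the illustration, not a recommendation."""

    def __init__(self, max_account_failures=5, max_ip_failures=20,
                 lockout_seconds=900.0, base_delay=1.0):
        self.max_account_failures = max_account_failures
        self.max_ip_failures = max_ip_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self._accounts = {}  # username  -> (failure_count, time_of_last_failure)
        self._ips = {}       # source ip -> (failure_count, time_of_last_failure)

    def _expired(self, entry, now):
        # A counter is forgotten once the lockout window has passed since the last failure.
        return entry is None or now - entry[1] >= self.lockout_seconds

    def check(self, username, ip, now):
        """Return (allowed, reason, seconds_to_wait) for an attempt made at time `now`."""
        ip_entry = self._ips.get(ip)
        if not self._expired(ip_entry, now) and ip_entry[0] >= self.max_ip_failures:
            return False, "ip_locked", self.lockout_seconds - (now - ip_entry[1])
        acct = self._accounts.get(username)
        if self._expired(acct, now):
            return True, "ok", 0.0
        count, last = acct
        if count >= self.max_account_failures:
            return False, "account_locked", self.lockout_seconds - (now - last)
        required = self.base_delay * 2 ** (count - 1)   # 1s, 2s, 4s, 8s, ... between tries
        elapsed = now - last
        if elapsed < required:
            return False, "retry_delay", required - elapsed
        return True, "ok", 0.0

    def record_failure(self, username, ip, now):
        """Bump both the account and the IP counter after a wrong password."""
        for table, key in ((self._accounts, username), (self._ips, ip)):
            entry = table.get(key)
            count = 0 if self._expired(entry, now) else entry[0]
            table[key] = (count + 1, now)

    def record_success(self, username, ip, now):
        """A successful log-in clears the account counter (the IP counter is kept)."""
        self._accounts.pop(username, None)


def simulate(attempts, guard=None):
    """Replay (time, username, ip, password_correct) tuples; return (time, user, outcome, wait)."""
    guard = guard or LoginGuard()
    decisions = []
    for now, user, ip, correct in attempts:
        allowed, reason, wait = guard.check(user, ip, now)
        if allowed:
            if correct:
                guard.record_success(user, ip, now)
                reason = "login_ok"
            else:
                guard.record_failure(user, ip, now)
                reason = "login_failed"
        decisions.append((now, user, reason, round(wait, 1)))
    return decisions


# Constructed attempt sequence: one source guessing one account, then the real user.
ATTEMPTS = [
    (0.0, "alice", "203.0.113.5", False),     # failure 1
    (0.5, "alice", "203.0.113.5", False),     # inside the 1 s delay -> refused
    (2.0, "alice", "203.0.113.5", False),     # failure 2, delay becomes 2 s
    (3.0, "alice", "203.0.113.5", False),     # inside the 2 s delay -> refused
    (5.0, "alice", "203.0.113.5", False),     # failure 3, delay becomes 4 s
    (10.0, "alice", "203.0.113.5", False),    # failure 4, delay becomes 8 s
    (20.0, "alice", "203.0.113.5", False),    # failure 5 -> account locked
    (40.0, "alice", "203.0.113.5", True),     # right password, still locked
    (1000.0, "alice", "203.0.113.5", True),   # lockout expired -> log-in succeeds
]

if __name__ == "__main__":
    for decision in simulate(ATTEMPTS):
        print(decision)
```

The replay shows the back-off stretching the attacker's five guesses over 20 seconds and then freezing the account for the lockout window, which is what buys an administrator time. The per-IP counter only helps against a single source: a botnet spreading twenty failures over twenty addresses never reaches `max_ip_failures`, which is the caveat the text raises.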
A tool called OSSEC can apply the above indicators to real-time log analysis. It is an open-source threat detection system that can sometimes recognize an attack and either block it or warn the administrator.
The force is with us
Security experts predict that brute force attacks will become even more prevalent in the future. They can now be launched using botnets, which only accelerate them. Adding to the strength this gives the hacker are facilities such as scalable grid and cloud architectures, which can provide vast additional computing power at a realistic price. The battle is definitely joined.