Password brute force

Started by Matty, November 24, 2020, 08:12:47


Matty

Query:

Are there sufficient internet-connected devices to simultaneously attempt to log in to a password-protected account using a coordinated brute force method such that no device gets a 'too many attempts' outcome for its IP address?

blinkok

I think attempts are counted on the server

Qube

With that method it would be a DDoS at the very least, and even if you could do that then any half-decent system will block the login (regardless of IP) as it's clearly under attack.

Derron

If you talk about your own scripted login system: then yes, it is possible.
If you talk about server logins etc.? fail2ban will kick you out after a handful of tries.

If you had a static IP you could even limit logins to "whitelisted" ("allowlisted") IPs - but this is risky.
You could do that if you had e.g. 2 other servers (not attacked) which you allow to connect to the other server. Now you could log in to these servers and from there log in to the "secured" server.

And instead of allowing "bruteforce" one should in these cases consider having a strong encrypted SSH key to log in (default is 3k bit encryption but you can go up to 16k). That is then ... not so easy to bruteforce.


bye
Ron

Matty

Interesting.

So if the goal was to deny access to legitimate users rather than gain access, the cluster of devices worldwide could repeatedly attempt access from many IPs to accounts.

E.g. if a foreign entity wished to target a bank's customers, they could trigger a host of internet-connected devices to target the logins of that bank's customer accounts and fail to get in, but cause those logins to become jammed shut.

Derron

??
Think I did not understand you properly.


If IPs spam YOUR service ... they spam and spam until they get in.
If IPs spam an easily secured thing (e.g. ssh secured by fail2ban) then THESE IPs get into a "jail" (so are blocked for X time); they do not even get to try to log in, they are blocked "before" (so less CPU is used).

More "current" technology is surely something you experienced multiple times:
Try to log into your Amazon, PayPal, ... account from a different city, or via mobile. You most probably cannot log in but have to verify first (via mail ... kind of a one-time "two factor authentication").
This way it is harder for attackers to even try to "login" (assume Russian hacker vs French user).

For this, geolocating IPs has to work properly, or "provider identification".
Problems might arise if you use some of the "free wifi" organization hardware - e.g. some here in Germany are automatically routing all traffic through Sweden (avoids legal issues if someone shares copyrighted stuff...). That way you are prone to get such "verify first" messages :)


But these systems ...they are smart now - you do not get a mail for every "automated login attempt" - they might even present the information on the website first ("click here to send a verification mail"). Else you could easily spam around to various users.

They also check your browser and so on - this way they can "rate" your login visit and if it reaches a certain value ... the system reacts :D.


For our "low scale" servers even "login tries" can be problematic ... if you think of "ddos". For this most often IP ranges are blocked. Most users (e.g. "German Website -> German users") will still be able to use the website but "foreign" IPs can be temporarily blocked.

Qube is doing such stuff (range blocking) I think ... which is why some people here who come from Russia have trouble even registering.


bye
Ron

RemiD

This would not happen on a "secure" website nowadays because, after a few failed attempts to log in, the website would ask you either to solve a captcha or to confirm your identity using a phone number (call or text message with a code), or using a secondary email address.

what Derron said...
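The throttling Derron and RemiD describe, combined, as an added example (not code from this thread or from fail2ban): a noisy single IP lands in a time-limited jail, while an account hit from many IPs at once gets a step-up challenge rather than a hard lockout, which is what stops the "jam the bank's customers out" scenario from the question. The class name, thresholds, and the 198.51.100.x / 203.0.113.x addresses are constructed for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window login throttle counting failures per source IP and per
    target account (hypothetical example, not any real product's logic).
    A noisy IP is jailed fail2ban-style before authentication runs; an account
    under distributed attack gets a step-up challenge instead of a lockout,
    so attackers cannot deny service to the real user by failing on purpose."""

    def __init__(self, window=600, ip_limit=5, ip_jail=900, account_limit=5):
        self.window, self.ip_limit, self.ip_jail = window, ip_limit, ip_jail
        self.account_limit = account_limit
        self.ip_fail = defaultdict(deque)    # ip -> failure timestamps
        self.acct_fail = defaultdict(deque)  # account -> failure timestamps
        self.jailed_until = {}               # ip -> release time

    def _prune(self, dq, now):
        while dq and dq[0] <= now - self.window:   # drop events outside window
            dq.popleft()

    def check(self, account, ip, now):
        """Return 'block', 'step_up' or 'allow' for an attempt at time `now`."""
        if self.jailed_until.get(ip, 0) > now:
            return "block"
        self._prune(self.ip_fail[ip], now)
        self._prune(self.acct_fail[account], now)
        if len(self.ip_fail[ip]) >= self.ip_limit:
            self.jailed_until[ip] = now + self.ip_jail   # jail the source
            return "block"
        if len(self.acct_fail[account]) >= self.account_limit:
            return "step_up"   # captcha / one-time code, account stays usable
        return "allow"

    def record_failure(self, account, ip, now):
        self.ip_fail[ip].append(now)
        self.acct_fail[account].append(now)

    def record_success(self, account, now):
        self.acct_fail[account].clear()   # verified owner resets the counter

def simulate_distributed_attack(sources=20):
    """Constructed scenario: `sources` distinct IPs each fail once against
    'alice'. Returns decisions for (alice from a fresh IP, bob from that IP)."""
    t = LoginThrottle()
    for i in range(sources):
        t.record_failure("alice", f"198.51.100.{i}", now=float(i))
    fresh = "198.51.100.250"
    return (t.check("alice", fresh, float(sources)), t.check("bob", fresh, float(sources)))

def simulate_single_ip(fails=5):
    """Constructed scenario: one IP fails `fails` times; returns its decision."""
    t = LoginThrottle()
    for i in range(fails):
        t.record_failure("alice", "203.0.113.9", now=float(i))
    return t.check("alice", "203.0.113.9", now=10.0)
```

Per-IP jailing alone would pass the distributed case, which is exactly the gap the original question points at; the per-account step-up closes it without handing attackers a lockout lever.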