Brute force attacks are most common attacks on websites. This is the first approach any hacker takes to get maximum return on a hacking attempt. Every year thousands of online accounts are compromised using this technique.
The brute force attack is performed using a bot with weak password list. Most people like to use simple to guess passwords and these passwords are easily compromised by a simple bot. Read more about brute force attack here.
Though internet awareness is increasing, we still see a lot of reluctance towards strong password practices in users. Many users tend to use a strong password only for a banking site and keep simple passwords for non-banking accounts. However, this approach is not safe either since any account hacked will provide a professional hacker some clue about hacking your bank accounts or other financial accounts online.
So it is a big problem even if only your facebook account is hacked. It can make your other accounts more vulnerable since the hacker knows much more about you now. If you are not convinced, you may want to read some books on hacking and few more books on information security.
As a website owner, we must make sure to enforce strong password policy and tools are utilized to stop brute force attacks. This article is focused on one of many techniques to stop brute force (weak password based) attacks.
Why Memcached?
Memcached is a distributed caching solution. It provides a way to cache large data in memory using the sharding technique. The response time for Memcached is very fast since it stores all data in RAM. You can learn more about Memcached using these books.
To stop a brute force attack in real time you must rely on a solution that can respond in real time. Memcached is ideal for such situations provided you have enough memory available to the Memcached.
Its Shared
Memcached stores the data based on key sharding. Any data in Memcached is available to all servers provided they know the key for the data. Using Memcached will enable all your server to be able to access it.
It Is Distributed
Memcached is a distribute caching solution. You can add more memory to it by adding more nodes when required.
It Scales Well
Memcached is highly scalable, mainly due to distributed approach. It has been used in many highly scalable application for caching data.
It Can Store Large Number of Keys
Memcached can store a large number of keys (2^256) . This mainly due to its distributed nature. The size of Memcached can be increased by adding more nodes to the cluster.
How To Identify A Brute Force Attack?
Below are three simple ways you can identify brute force attack on your system using Memcached.
Use per user failed login attempt counts
The most important information in identifying brute force attacks is failed login attempts count. You must store it in Memcached for each user. Below are some key aspects to keep in mind when storing this information in Memcached.
- The failed login attempt count must be incremented after every failed login attempt.
- The failed login attempt count must be reset to zero after every successful login attempt.
- Keep a threshold of a maximum number of allowed attempts with the wrong password and once the threshold is reached take required action to stop the user from trying login again.
- You may choose to use a captcha or block user IP from trying login for few minutes.
Maintain A Weak Password Cache In Memcached
- Update your existing applications password policy to not allow weak passwords.
- Challenge a user after weak password attempt with captcha or other secondary response.
- Always log a weak password failed attempt in logs
- Take action when attack velocity increases.
What Actions To Take After Successful Detection
Now that we are able to detect a brute force attack is being attempted. You can take following actions based on the situation.
- The simplest and most common approach is to use a secondary challenge response. This includes solutions like captcha, secret questions or other input from the user in addition to the password.
- In case it is not easy to start doing seconding challenge response you may choose to block an IP address based on the detection. The IP blocking is usually not a very good idea since there are many users behind common IP addresses. You may have a false alarm due to too many numbers of people accessing your system.
- When doing IP blocking, try to do it time-based blocking. e.g. block a suspicious IP for a short duration (1 hour) and observe the behavior after that. If malicious behavior is observed constantly than increase the blocking time limit.