The document discusses recommendations for preventing brute force attacks. It defines a brute force attack as using an automatic process to determine a password or username through all possible combinations. It recommends using CAPTCHAs rather than delaying login attempts, as delays can overload servers with sleep processes and hackers can bypass delays using multiple virtual IPs. CAPTCHAs are a better technique for distinguishing humans from computers to avoid overwhelming servers with attack traffic.

1. Recommendations on the
Brute Force Attack
Ahmad Karawash
PhD in Technology of Information, Book Editor,
CCA, Latece, ACM & IEEE member
12/17/2015 1

2. Definition
A Brute Force attack is a method or an algorithm to determine a
password or user name using an automatic process.
12/17/2015 2

3. Way of work
• A Brute Force Attack simply uses the cryptography algorithm.
• hackers know that the password and user name are stored in a
database.
• when we attempt to login and our page request is sent from the
server to the client machine hackers are more active to access the
account.
• they attempt all possible combinations to unlock it.
• There is a computer program that runs automatically to get the
password.
12/17/2015 3

4. Role of key combination and length in
the password
12/17/2015 4

5. Tool Hacking Example
12/17/2015 5

6. Real Hack Example: Wordpress
12/17/2015 6

7. Blocking of Brut force Attack
• Locking Account
• Delay the login process
• Block the hacker IP
• CAPTCHAs Code Use
12/17/2015 7

8. Locking Account
• if a user attempts a wrong password many times then the user's
account will be blocked for a given time of period.
• Ex: outlook accounts are locked after a wrong password tries.
• Drawbacks:
• If an attacker attempts a Brute Force Attack on many accounts then a Denial
of Services (DOS) problem emerges.
• If a attackers want to lock an account then he continues to hit that account
and the resultant admin is again locked from the account.
12/17/2015 8

9. Delay the login process
• Increasing time delay for login to stop bruteforcing
• Example:
• Time_nanosleep(0, (50000000*$failed_attempts));
• More attempts a hacker uses to guess a password, more time does it take to
check every time. After checking a 100 passwords he must wait 5 sec
between each try.
• Drawback:
• You should try not to use Sleep() because it uses CPU cycles, and if you have a
brute force attack from 10,000 IP addresses you will fork 10,000 sleep() child
process or threads, this will cause load on your server.
12/17/2015 9

10. Delay the login process
• Drawbacks:
• Haytham Douaihy, Senior software engineer at Sword Group: “You should try
not to use Sleep() because it uses CPU cycles, and if you have a brute force
attack from 10,000 IP addresses you will fork 10,000 sleep() child process or
threads, this will cause load on your server”.
• There are a lot of companies developing protection tools based and
benefit from the brute force strategy to sell there own protection
softwares. Tools examples: Aircrack-ng, John the Ripper, Rainbow
Crack, Cain and Abel, …etc
12/17/2015 10

11. Example Delay code, reduce the number of guessed login attempts
possible by a hacker from thousands per minute down to only a few before the delay becomes so
long as to make it a pointless exercise, after 20 failed login attempts the delay is 6 days!
[HttpPost]
public async Task<ActionResult> Login(LoginViewModel viewModel, string returnUrl)
{
// incremental delay to prevent brute force attacks
int incrementalDelay;
if (HttpContext.Application[Request.UserHostAddress] != null)
{
// wait for delay if there is one
incrementalDelay = (int)HttpContext.Application[Request.UserHostAddress];
await Task.Delay(incrementalDelay * 1000);
}
if (!ModelState.IsValid)
return View();
// authenticate user
var user = _userService.Authenticate(viewModel.Username, viewModel.Password);
if (user == null)
{
// login failed
// increment the delay on failed login attempts
if (HttpContext.Application[Request.UserHostAddress] == null)
{
incrementalDelay = 1;
}
else
{
incrementalDelay = (int)HttpContext.Application[Request.UserHostAddress] * 2;
}
HttpContext.Application[Request.UserHostAddress] = incrementalDelay;
// return view with error
ModelState.AddModelError("", "The user name or password provided is incorrect.");
return View();
}
// login success
// reset incremental delay on successful login
if (HttpContext.Application[Request.UserHostAddress] != null)
{
HttpContext.Application.Remove(Request.UserHostAddress);
}
// set authentication cookie
_formsAuthenticationService.SetAuthCookie(
user.Username,
viewModel.KeepMeLoggedIn,
null);
// redirect to returnUrl
return Redirect(returnUrl);
}
12/17/2015 11

12. Block the hacker IP
• Simply block the IP address where the brute force attack comes.
• Some companies avoid to use this way because sometimes a user
might forget his password and tries to login several times. But the
result is that the server deal with him as a hacker and blocks his IP.
• Code Example:
Function block_ip($ip){
$deny = array(“$ip”);
If(in array ($_SERVER[‘REMOTE_ADDR’], $deny)){
Header(“HTTP/1.1 403 Forbidden”);
Exit();
}
}
12/17/2015 12

13. CAPTCHAs Code Use
• A CAPTCHA code is a technique by which we recognize a computer or
a human, by making some questions or images or numbers, the
answer of which is not submitted by the computer automatically.
• Most of the companies prefer this strategy to avoid bruteforce attacks
and avoid overwhelmed use of sleep() method that effect server
performance negatively.
12/17/2015 13

14. Recommendations
• Based on the research I have done and based on my security
experience, I recommend not to use the delay strategy but the
Captchas one.
• Sometimes you find the server weak, this because there are a lot of
brute force attacks and the servers CPU have to run a big number of
sleep(); functions.
12/17/2015 14

15. Recommendations
• Also, technically you can not avoid thousands of Login tries by
delaying the repeated ones from single IP that is because using cloud
nowadays hackers have the facilities to use thousands of virtual IPs.
• So if you publish your application on local server, its CPU is fully
loaded by sleep(); calls.
• And if you publish your application on the cloud, you might pay more
money.
12/17/2015 15

16. Recommendations
• [How to Stay in Control of Cloud Sites Resource Costs Overages
by Jereme Hancock | Aug 28, 2015 |]: “Brute force attacks against
unprotect contact forms or logins. Malicious attacks often target
login and contact forms in order to penetrate a site. Repeated,
constant attacks on unprotected sites drive up compute cycles as the
infrastructure processes each attempt. Many plugins are available to
provide contact form and login protection and can mitigate the
processing of illegitimate traffic. Captchas are very popular for
addressing this threat”.
12/17/2015 16

17. ?? @:
Ahmad.Karawash@gmail.com
12/17/2015 17