So you have decided to start developing your brute force prevention system and you have decided to take my advice. You are going to use a database to keep up with failed authentication requests (instead of a Session) and you have chosen the IP address as the only identifier. You have decided to block the IP address from being able to make authentication requests after there have been X failed login attempts from that IP. Unfortunately, what you may not know is that you are setting yourself up for an additional brute force prevention mistake.
By using the IP as the only identifier you are setting yourself up for a new type of attack against your website. This attack is known as Denial of Service (DoS). To understand how someone can purposely or accidentally perform a DoS on your website with IP blocking in place, you must first understand Network Address Translation (NAT). NAT is a computer networking process that allows multiple hosts on a network to access the internet via a single IP address. This is a very common practice among many businesses, universities, government facilities, etc. With this in mind, let's look at a real world example:
Let's say that you are a local bank and you are developing brute force prevention with IP blocking for your online banking services. Many of your local customers are students at the local University. The students take advantage of your free checking and other banking services. Most of these students live on campus and use computers on campus to access their online banking services. The Information Technology department at the University also uses NAT on their network to avoid the cost and complications of reserving public IP addresses. A few days after you implement the new brute force prevention for your bank website you start getting a flood of phone calls from thousands of angry students who are unable to access their online banking services. It is clear that you are experiencing a Denial of Service attack. What happened?
Scenario 1 (Accidental): A student realizes that he may have bounced a check and he runs into a computer lab on campus to log in to his online banking services. He attempts to log in a few times with no success. He tries one last time and receives a message from the site that he has been blocked for too many failed login attempts. Your website blocks the IP of the request. Unfortunately, this is the same IP that all computers on campus use when accessing the internet due to NAT, and thus you have now blocked the entire campus (DoS) from being able to access the site.
Scenario 2 (Malicious): A visitor on campus finds a computer that has been left logged in and uses it to access the internet. He visits www.whatismyip.com, which quickly returns the NAT'ed IP address of the campus. He then writes down this IP for safe keeping. He returns home (off campus) and decides to use IP Spoofing techniques to perform a DoS attack on your bank website. By using IP Spoofing he can make authentication attempts on the website while making it look like they are coming from the NAT'ed IP address of the campus. This also conceals his identity. After a few failed attempts he receives a message that he has been blocked for too many failed login attempts. Your website blocked the IP of the malicious request. Unfortunately, this is the same IP that all computers at the local University use when accessing the internet due to NAT, and thus you have now blocked the entire campus (DoS) from being able to access the site.
As you can see, blocking by IP alone can definitely be a brute force attack prevention mistake.
Solution: Don’t use the IP as the only identifier. All authentication attempts must be made with a username and a password. This means that you could store failed attempts in your database based on the IP address and the username. If you receive X failed attempts for a given username from a given IP then block authentication requests for that username from that IP. This will ensure that you are only blocking what is absolutely necessary to protect your system from a brute force attack. This will also keep you from being vulnerable to a DoS attack due to the common use of Network Address Translation (NAT). Please keep in mind that this technique will allow the attacker to try a few attempts on multiple accounts. However, this attack will not result in a successful brute force as long as you have implemented strong passwords coupled with simple authentication responses.
PS: When you block authentication requests, you may block the actual owner of the account. This can happen if a user forgets their password and makes too many failed login attempts. With this being said, you must provide a way for the actual owner to unlock the account. Remember, you are trying to protect the user's account from a brute force attack while still providing them a service. We will be taking a look at this and more common mistakes in upcoming posts.
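To make the solution and the PS above concrete, here is an added example (my own illustration, not code from the original post) of a failed-login counter keyed by the (IP, username) pair, with the unlock path the PS calls for. The threshold of 5 attempts, the 15-minute window, the `203.0.113.10` campus address and the user accounts are all constructed assumptions; the post's database table is stood in for by an in-memory dict.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Failed-login counter keyed by (ip, username), not by IP alone.
    max_failures is the post's "X"; the 15-minute window is an assumption."""

    def __init__(self, max_failures=5, window=15 * 60):
        self.max_failures, self.window = max_failures, window
        # The post stores this in a database table; a dict stands in for it here.
        self._failures = defaultdict(list)  # (ip, username) -> failure timestamps

    def _recent(self, ip, username, now):
        key, cutoff = (ip, username), now - self.window
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return self._failures[key]

    def is_blocked(self, ip, username, now=None):
        now = time.time() if now is None else now
        return len(self._recent(ip, username, now)) >= self.max_failures

    def record_failure(self, ip, username, now=None):
        self._failures[(ip, username)].append(time.time() if now is None else now)

    def unlock(self, ip, username):  # owner-initiated reset from the PS, or a good login
        self._failures.pop((ip, username), None)


def attempt_login(throttle, check_password, ip, username, password, now=None):
    """Return (success, reason). check_password is the site's real credential check."""
    if throttle.is_blocked(ip, username, now):
        return False, "blocked"
    if check_password(username, password):
        throttle.unlock(ip, username)  # a successful login clears the counter
        return True, "ok"
    throttle.record_failure(ip, username, now)
    return False, "invalid"  # same response for unknown user and wrong password


def campus_scenario():
    """Constructed NAT scenario: every campus host shares one public address."""
    campus_ip, now = "203.0.113.10", 1_000_000.0
    users = {"alice": "correct horse", "bob": "battery staple"}  # constructed accounts
    check = lambda u, p: users.get(u) == p
    throttle = LoginThrottle()
    for i in range(throttle.max_failures):  # alice's account is hammered from campus
        attempt_login(throttle, check, campus_ip, "alice", "wrong", now + i)
    alice_blocked = throttle.is_blocked(campus_ip, "alice", now + 10)
    bob_ok, _ = attempt_login(throttle, check, campus_ip, "bob", "battery staple", now + 11)
    return alice_blocked, bob_ok  # (True, True): alice throttled, rest of campus unaffected
```

Only the hammered username is throttled for that source address; other accounts behind the same NAT, and the same account from another address, keep working, which is exactly the narrowing the Solution section describes.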