This time we will look at the Authentication Denial of Service (DoS) attack on web applications.
The screenshot above shows a typical login page for a web application. A user is allowed into the application only with the correct credentials; without them they cannot reach the content. An attacker gets in by guessing the login credentials or by brute-forcing them with a tool.
To improve security, most developers these days add a feature that locks the account after the username or password has been entered incorrectly 3 or 5 times in a row, which is a good practice.
By taking advantage of this very feature, an attacker can cause a denial of service (DoS), so that the legitimate user can no longer access the application.
Let me tell you how this is possible with an example.
The attacker's main aim is to interrupt the end user. So let us assume you are trying to log in to your company Outlook Web App (OWA) email account and the attacker wants to stop you from using it. How do you think he would do that?
By bringing down the Exchange server with a DoS/DDoS attack, or by breaking into the server remotely?
That is too much work for the attacker, and he doesn't want to spend time on it.
Remember, the attacker's only aim is to deny you, or all your fellow colleagues, access to the email application.
All the attacker needs to know to carry out this attack is the user ID you use to log in to the email application.
The next question is how he can get the user ID. Most companies set up their employees' email IDs from first name and last name in a fixed format.
Example:
Attackers these days can get email IDs very easily through many other ways too; I have only mentioned one of them here.
Now the attacker has your user ID and needs to find your mail server's address, which he can also find easily by port-scanning your company's network. If the attacker is an insider this job is trivial: as a legitimate user he already knows the web link.
He opens the login page, types your user ID with a random password, and submits it as many times as he can until the server returns the error message saying the account has been locked due to several incorrect login attempts.
Now, when you try to log in with your correct credentials, the server rejects your request, tells you the account is locked and asks you to contact the administrator. Job done: the attacker has achieved what he wanted. For a period of time you cannot access your email, your productivity is down, and this creates a loss for your company.
Imagine the attacker has the user IDs of every employee in your company. All he needs to do is put the user IDs in one text file and some random strings for the password field in a second text file, then automate the login attempts against those files with a tool. Within a few minutes every legitimate user is locked out.
The screenshot above shows one tool that can be used for this attack. The attacker can also sit behind a proxy while running it, which makes tracing the attempts back to him much harder.
How to stop this happening?
This issue is a bit tricky to address. You cannot remove the lockout feature completely, otherwise the attacker will simply start brute-forcing your password. Since the application is legitimate and needs to be reachable, you cannot just close the ports on the network to keep the attacker away from the page. One thing you can try is to allow access only to users within your office network. A short lockout that expires on its own (say 15 to 30 minutes) instead of one that needs an administrator to clear also limits how long each locked user is out, although it does not stop the attack itself.
Hang on, what about the internal attacker? He can still carry on his attack. Yes, you are correct, he still can, so how do we stop the account from getting locked?
You can use a CAPTCHA. For those who don't know what it is, a CAPTCHA is a computer-generated challenge, typically distorted random characters or digits shown as an image, that a person can read but an automated tool cannot; you may have seen one on websites like Yahoo, Hotmail etc.
As I said before, the lockout rule is set by the application developer, so he can introduce the CAPTCHA before the account gets locked out on the 5th attempt.
An example rule: challenge the user to enter the CAPTCHA string after the 3rd failed attempt, and do not count an unanswered challenge as a failed login. This way the commonly available automated tools cannot keep submitting guesses, the account is not locked, and the attacker has to continue the attack manually (or pay a CAPTCHA-solving service) to progress any further, which no longer scales to a whole company.
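To make the rule concrete, here is a small simulation, added as an example and not code from the original post, of an account-lockout policy with and without the CAPTCHA step, with the automated user-ID-plus-random-password tool from earlier run against it. The in-memory user store, the constants MAX_FAILURES and CAPTCHA_AFTER, and the "human" CAPTCHA answer are assumptions for the demo; no real web application is contacted.

```python
"""Added example (not from the original post): a toy model of the account
lockout policy described above, and of the automated lockout attack.

Assumptions (not from the post): an in-memory user store, lockout on the
5th consecutive failure, and a CAPTCHA challenge after the 3rd failure
that the automated attacker cannot answer.
"""
from dataclasses import dataclass, field

MAX_FAILURES = 5    # lock the account on the 5th consecutive failure
CAPTCHA_AFTER = 3   # demand a CAPTCHA once 3 consecutive failures are recorded

# Constructed user store for the demo.
USERS = {"bob.alice": "Correct-Horse-Battery", "carol.dave": "hunter2"}


@dataclass
class AuthServer:
    captcha_enabled: bool
    failures: dict = field(default_factory=dict)   # user -> consecutive failures
    locked: set = field(default_factory=set)

    def login(self, user, password, captcha_answer=None):
        """Return one of 'ok', 'bad_password', 'captcha_required', 'locked'."""
        if user in self.locked:
            return "locked"
        n = self.failures.get(user, 0)
        if self.captcha_enabled and n >= CAPTCHA_AFTER and captcha_answer != "human":
            # An unanswered CAPTCHA is not a failed password guess, so the
            # counter is NOT incremented: automated traffic can no longer
            # push the account to the lockout threshold.
            return "captcha_required"
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        n += 1
        self.failures[user] = n
        if n >= MAX_FAILURES:
            self.locked.add(user)
            return "locked"
        return "bad_password"


def lockout_attack(server, user, attempts=20):
    """The attacker's tool: the victim's user ID with random passwords,
    repeated. It cannot solve the CAPTCHA, so captcha_answer stays None."""
    return [server.login(user, f"guess{i}") for i in range(attempts)]


def victim_can_login(server, user):
    """Legitimate user: correct password, and solves the CAPTCHA if asked."""
    return server.login(user, USERS[user], captcha_answer="human") == "ok"


def demo(captcha_enabled):
    """Run the attack against a fresh server, then check whether the victim
    can still log in. Returns the distinct responses the attacker saw and
    the victim's outcome."""
    server = AuthServer(captcha_enabled=captcha_enabled)
    attack = lockout_attack(server, "bob.alice")
    return {"attack_results": set(attack),
            "victim_ok": victim_can_login(server, "bob.alice")}


if __name__ == "__main__":
    print("plain lockout :", demo(captcha_enabled=False))   # victim_ok False
    print("with CAPTCHA  :", demo(captcha_enabled=True))    # victim_ok True
```

With the plain lockout the fifth random guess locks the account and the legitimate user is turned away; with the CAPTCHA step the tool only ever sees "captcha_required" after three guesses, the counter stays at three, and the legitimate user, who can answer the challenge, still gets in. A manual attacker who solves the CAPTCHA can of course still reach the fifth failure, which is the residual risk the text describes.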
Along with this security feature, the company should implement an alert system that notifies the user on a secondary device, for example an SMS saying the account has had 3 failed authentications, or simply an email to the SOC team saying that too many attempts have been made against the user ID Bob.Alice@companyname.com. The SOC analysts can then monitor the traffic flowing through the network, block the offending source, or try to trace the attacker.
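The alerting rule above can be turned into detection logic run over the authentication log. The following is an added example, not part of the original post, over constructed log lines in an assumed format (TIMESTAMP user=ID src=IP result=OK|FAIL); real OWA/IIS logs look different and the parser is the part to adapt. It raises the per-user alert from the text and, since the mass lockout campaign described earlier shows up as one source failing against many different user IDs, a second alert on that pattern for the SOC.

```python
"""Added example (not from the original post): detection for the alerting
described above, run over constructed authentication log lines.

Assumptions (not from the post): the line format below and the thresholds;
adapt parse() to the real log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

USER_FAIL_THRESHOLD = 3     # failures for one user inside WINDOW -> notify the user
SPRAY_USER_THRESHOLD = 5    # distinct users failed from one source inside WINDOW -> notify SOC
WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(OK|FAIL)$")

# Constructed sample: one source hammering several user IDs, one benign line,
# and one isolated failure much later.
SAMPLE_LOG = """\
2024-05-01T09:00:01 user=bob.alice src=203.0.113.7 result=FAIL
2024-05-01T09:00:02 user=bob.alice src=203.0.113.7 result=FAIL
2024-05-01T09:00:03 user=bob.alice src=203.0.113.7 result=FAIL
2024-05-01T09:00:04 user=carol.dave src=203.0.113.7 result=FAIL
2024-05-01T09:00:05 user=erin.frank src=203.0.113.7 result=FAIL
2024-05-01T09:00:06 user=grace.heidi src=203.0.113.7 result=FAIL
2024-05-01T09:00:07 user=ivan.judy src=203.0.113.7 result=FAIL
2024-05-01T09:00:08 user=ivan.judy src=198.51.100.9 result=OK
2024-05-01T09:30:00 user=carol.dave src=198.51.100.9 result=FAIL
""".splitlines()


def parse(line):
    """Return (timestamp, user, src, result) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, src, result = m.groups()
    return datetime.fromisoformat(ts), user, src, result


def detect(lines):
    """Return [(alert_type, subject), ...], one entry per first threshold crossing."""
    alerts = []
    per_user = defaultdict(deque)    # user -> timestamps of failures inside WINDOW
    per_src = defaultdict(dict)      # src  -> {user: time of last failure}
    alerted_users, alerted_srcs = set(), set()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, src, result = parsed
        if result != "FAIL":
            continue

        # Sliding window of failures for this user.
        q = per_user[user]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= USER_FAIL_THRESHOLD and user not in alerted_users:
            alerted_users.add(user)
            alerts.append(("notify_user", user))

        # Distinct users failed from this source inside the window: the
        # signature of the lockout campaign against many user IDs.
        seen = per_src[src]
        seen[user] = ts
        recent = {u for u, t in seen.items() if ts - t <= WINDOW}
        if len(recent) >= SPRAY_USER_THRESHOLD and src not in alerted_srcs:
            alerted_srcs.add(src)
            alerts.append(("notify_soc", src))
    return alerts


if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_LOG):
        print(kind, subject)
```

On the sample the user alert fires on bob.alice's third failure and the SOC alert fires when 203.0.113.7 has failed against its fifth distinct user ID; the later single failure from 198.51.100.9 stays below both thresholds. The source-based alert is the one that gives the SOC something to block, which the per-user SMS alone does not.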
This is only practical for larger organisations with a dedicated team to monitor the network; small companies really cannot rely on it as prevention, so for them this remains a serious threat.
I would like to hear from you if there are any other methods to prevent this type of DoS attack.