
    Example: Using Time Binding Parameters to Detect a Brute Force Attack

    The time binding constraint requires the pattern to occur a certain number of times within a minute in order for the traffic to be considered a match.

    You can use the time binding parameter along with the signature to detect signs of a brute force attack. A user changing her password is a harmless event, and is normally seen occasionally on the network. However, thousands of password changes in a minute is suspicious.

    In a brute force attack, the attacker attempts to break through system defenses using sheer force, typically by overwhelming the destination server's capacity or by repeated, trial-and-error attempts to match authentication credentials. In a brute force login attack, the attacker first gathers a list of usernames and a password dictionary. Next, the attacker uses a tool that enters the first password in the dictionary for the first user in the list, then tries every password for every user until it gets a match. If the attacker tries every combination of usernames and passwords, the attack always succeeds. However, brute force attacks often fail because the password dictionary is typically limited (it does not contain all possible passwords) and the attack tool does not perform permutations on the passwords (such as reversing letters or changing case).

    In this example, you create a signature attack object that detects an excessive number of password changes for users authenticated via HTTP (a Web-based application).

    First, you configure an attack pattern:


    Figure 1 shows the Custom Attack – Attack Pattern page for this example.

    Figure 1: Brute Force Attack Pattern

    [Image: g036660.gif]

    In this expression:

    • The dot star combination (.*) indicates a wildcard match.
    • The backslash before a character indicates that the character is a regular expression metacharacter and must be escaped to be matched literally. In this case, the character is an opening bracket. The backslash is also used in this expression before the file extension marker (the dot) and before the closing bracket.
    • The name of the CGI script that is used to change user passwords is included, along with its .cgi extension.
    • For context, select HTTP-URL-PARSED from the list because you are attempting to detect password changes for Web-based applications. When the changepassword.cgi script is used, its name appears as part of the URL, but the IDP Series device must be told to parse the URL in order to find that name.

    Next, you configure time binding. Figure 2 shows the time binding settings for this example.

    Figure 2: Brute Force Time Binding

    [Image: g036664.gif]

    In these settings:

    • Scope is set to Peer so the attack pattern can match the event regardless of source or destination.
    • Count is set to a high number (1000) to avoid false positives. This value means that the changepassword.cgi script must appear in a URL 1000 times within the time binding window before the attack object is matched.
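    The following Python model is an added example, not code from the Juniper documentation or the IDP Series device; it shows how the signature and the time binding combine. The regular expression is an assumption that approximates the page's pattern (the exact IDP expression is only shown in the figure), the scope keys (source, destination, peer as the source/destination pair) are an assumption, and the traffic is constructed: one benign password change, a slow client that never reaches 1000 matches in a minute, and a burst that does.

```python
import re
from collections import defaultdict, deque

# Assumption: Python approximation of the page's attack pattern, since the exact
# IDP expression is not reproduced in the text: changepassword.cgi anywhere in
# the parsed URL, matched case-insensitively.
PASSWORD_CHANGE = re.compile(r"changepassword\.cgi", re.IGNORECASE)


class TimeBoundSignature:
    """Signature plus time binding: fire when `count` matches occur within
    `window` seconds for one scope key (source, destination, or peer)."""

    def __init__(self, pattern, count, window=60, scope="peer"):
        self.pattern, self.count, self.window, self.scope = pattern, count, window, scope
        self.hits = defaultdict(deque)  # scope key -> timestamps of recent matches

    def scope_key(self, src, dst):
        if self.scope == "source":
            return (src,)
        if self.scope == "destination":
            return (dst,)
        return (src, dst)  # assumption: peer counts per source/destination pair

    def observe(self, ts, src, dst, url):
        """Return True on the event that completes `count` matches inside the window."""
        if not self.pattern.search(url):
            return False
        recent = self.hits[self.scope_key(src, dst)]
        recent.append(ts)
        while recent and ts - recent[0] >= self.window:  # drop hits outside the window
            recent.popleft()
        if len(recent) >= self.count:
            recent.clear()  # one alert per burst, then start counting again
            return True
        return False


def run_detection(events, count=1000, window=60, scope="peer"):
    """events: (timestamp, src, dst, url) tuples. Returns [(timestamp, scope_key)]."""
    sig = TimeBoundSignature(PASSWORD_CHANGE, count, window, scope)
    return [(ts, sig.scope_key(src, dst)) for ts, src, dst, url in events
            if sig.observe(ts, src, dst, url)]


def build_sample_events():
    """Constructed traffic: one benign change, one slow client, one 1000-in-10s burst."""
    srv = "192.0.2.10"
    events = [(0.0, "10.0.0.5", srv, "/index.html"),
              (1.0, "10.0.0.5", srv, "/cgi-bin/changepassword.cgi?user=alice")]
    events += [(100.0 + i, "10.0.0.7", srv, "/cgi-bin/changepassword.cgi?user=bob")
               for i in range(1000)]  # one per second: never 1000 within a minute
    events += [(5000.0 + i / 100, "10.0.0.9", srv, f"/cgi-bin/ChangePassword.cgi?user=u{i}")
               for i in range(1000)]  # 100 per second: trips the time binding
    return events
```

Lowering `count` (for example to 60) makes the slow client trip the binding as well, which is the false-positive trade-off the high Count value is meant to avoid.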

    Published: 2011-02-08