Researchers Propose New Approach to Address Online Password-Guessing Attacks

Automated online password-guessing attacks, where adversaries try numerous combinations of usernames and passwords to try and break into accounts, have emerged as a major threat to Web service providers in recent years.

Next week, two security researchers will present a paper at the Network and Distributed System Security Symposium (NDSS Symposium) in San Diego that proposes a new, more scalable approach to addressing the problem.

The approach — described in a paper titled "Distinguishing Attacks from Legitimate Authentication Traffic at Scale" — is designed specifically to address challenges posed by untargeted online password-guessing attacks. These are attacks where an adversary distributes password guesses across a very large range of accounts in an automated fashion.

Such "breadth-first" attacks are typically a lot harder to address for a large organization than a more targeted "depth-first" attack, where an attacker might try lots of password guesses against a relatively small number of online accounts, the research paper noted.

The typical approach to addressing online password attacks currently is to block or throttle repeated guesses against an account. The approach can work in depth-first attacks but is not very effective when password guesses are distributed against a wide range of accounts, the researchers said. "At large providers with tens, or hundreds, of millions of accounts, breadth-first attacks offer a way to send millions or even billions of guesses without ever triggering the depth-first defenses," they noted.

Cormac Herley, principal researcher at Microsoft Research and primary author of the report, says the challenge for organizations is figuring out a way to reliably distinguish legitimate traffic from attack traffic. "The traffic at an authentication password server is an unknown mixture of traffic from good users and attackers," he says.

Each request contains a username, password, and other data, such as IP address and browser information. It can be hard to distinguish requests from legitimate users attempting to log into their accounts with those from attackers trying to guess their way in, especially when attack volumes are large, Herley says. Companies like Microsoft, for instance, detect several million credential attacks against its identity systems on a daily basis.

The way to address this problem starts with figuring out the percentage of traffic on the network that is benign and the percentage that is attack traffic. "This sounds hard but is actually easy," Herley says.

Both attackers and legitimate users can a fail a login attempt. "However, legit users fail maybe 5% or so of the time, while an attacker who is guessing fails [over] 99% of the time," he says.

Herley's research shows how organizations can use this fact to estimate the ratio of good to bad traffic among login requests. It shows how they can then use the estimate to identify the segments of traffic that contain the most attack traffic and the segments that have little or none. "Finding some portions that look clean allows us to learn what the traffic from legit users looks like so that we can punish traffic that deviates from that pattern more," Herley says.

The impetus for developing a new approach that addresses online password attacks was prompted by the lack of innovation in the area. Account lockout approaches have been recommended for a very long time, with little effort put into understanding how effective they really are, Herely says.

There's little science or analysis, for instance, to show that a single, fixed account lockout threshold — for example, after 10 failed guesses — can work equally well for small organizations and those with massive user bases, such as Microsoft and Google, he says.

"We concluded that this problem needed a ground-up, systematic approach instead of the rag-bag of heuristics that were much-used but little studied," Herley says. The approach described in the paper is pretty easy for organizations to implement, he adds, and hinges on their gathering the right statistics from incoming traffic.

Related Content:

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.