Blocking IP after x unsuccessful login attempts?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

josamoto
Forum Commoner
Posts: 41
Joined: Fri Aug 24, 2007 6:57 am
Location: South Africa

Blocking IP after x unsuccessful login attempts?

Post by josamoto »

I am building a login system for Flex with PHP + CodeIgniter + AMFPHP in the server side backend.

I want to enable my system to allow each user only 5 opportunities to log in. After 5 failed attempts, his IP must be blocked for 15 minutes, whereafter he can log in again.

The problem is, there are ways around this.

I can try blocking them by:
a) session id
b) ip address

...but

a) ...can be tricked by simply restarting the browser, thus creating a new session.
b) ...can be tricked by using proxies and techniques I don't even know about, not to mention ISPs that give dynamic IP addresses.

What is the best way to detect IP addresses (or at least identify specific PCs) of visitors, and how can I blacklist specific computers from logging in?

Thanks
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Blocking IP after x unsuccessful login attempts?

Post by VladSun »

You can't - I would advise you to use CAPTCHA.
There are 10 types of people in this world, those who understand binary and those who don't
josamoto
Forum Commoner
Posts: 41
Joined: Fri Aug 24, 2007 6:57 am
Location: South Africa

Re: Blocking IP after x unsuccessful login attempts?

Post by josamoto »

I think CAPTCHA might be a good idea. I think CodeIgniter has a helper library for using it.

I suppose for the restricted number of attempts allowed, I'll just have to rely on kicking the user out of the main page with a nice polite message once he's reached his limit of failing to login.

I certainly do hope I can achieve the 15 minute time limit blockout. I know this is possible as I once used a forum that kicked me out after I couldn't guess my long forgotten password after 3 turns. I had to reset it in the end.

Also, using .htaccess, Apache has a way of blocking specific IPs permanently, but then again, taking into consideration that an IP address might change at any time, it's not worthwhile.

Thanks for the reply, I was hoping for a few more opinions, so please do post. :)
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Blocking IP after x unsuccessful login attempts?

Post by VladSun »

You *can* use $_SESSION for this, but it'll protect you only against "ordinary" users. Any attacker will clean the session before the next attempt (most probably he'll use a script, not a browser).

Another approach is to track IP activities (e.g. in DB), but it will not protect you against proxies.

Also, Apache mod_evasive might be useful.

EDIT: Yes, CI has a CAPTCHA class, although I think it "scrambles" it in a weak way - a simple erosion filter would remove the "background", while keeping the CAPTCHA text present.
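The "track IP activities in a DB" approach from the reply above, written out as an added example (this is not code from the thread or from CodeIgniter). It records each failed login against the client's address and refuses further attempts while five or more failures fall inside the last 15 minutes, which is the window the original question asks for. The table name, column names and the in-memory SQLite store are my assumptions; a real deployment would point the PDO connection at its own database.

```php
<?php
// Added example (not from the thread): count failed logins per client IP in a DB and
// refuse further attempts while 5 or more failures fall inside the last 15 minutes.
// Assumptions: PDO with the SQLite driver; table and column names are mine.

declare(strict_types=1);

const MAX_FAILURES   = 5;
const WINDOW_SECONDS = 15 * 60;

function openStore(): PDO
{
    // In-memory database so the example runs offline; use your real DB in production.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE login_failure (ip TEXT NOT NULL, failed_at INTEGER NOT NULL)');
    $pdo->exec('CREATE INDEX idx_ip_time ON login_failure (ip, failed_at)');
    return $pdo;
}

function recentFailures(PDO $pdo, string $ip, int $now): int
{
    // Only failures newer than the window count; older rows are ignored even if still stored.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM login_failure WHERE ip = :ip AND failed_at > :since');
    $stmt->execute([':ip' => $ip, ':since' => $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn();
}

function isBlocked(PDO $pdo, string $ip, int $now): bool
{
    return recentFailures($pdo, $ip, $now) >= MAX_FAILURES;
}

function recordFailure(PDO $pdo, string $ip, int $now): void
{
    $stmt = $pdo->prepare('INSERT INTO login_failure (ip, failed_at) VALUES (:ip, :t)');
    $stmt->execute([':ip' => $ip, ':t' => $now]);
    // Prune rows that can no longer influence any decision, so the table stays small.
    $pdo->prepare('DELETE FROM login_failure WHERE failed_at <= :since')
        ->execute([':since' => $now - WINDOW_SECONDS]);
}

function clientIp(): string
{
    // Use the TCP peer address only. Headers such as X-Forwarded-For are chosen by the
    // client and must not be trusted unless your own reverse proxy overwrites them.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Walk-through with a constructed client address and a fixed clock.
$pdo = openStore();
$ip  = '203.0.113.7';   // constructed, from the documentation address range
$t0  = 1000000;

for ($i = 0; $i < MAX_FAILURES; $i++) {
    recordFailure($pdo, $ip, $t0 + $i);
}
$blockedNow   = isBlocked($pdo, $ip, $t0 + 10);                   // five failures inside the window
$blockedLater = isBlocked($pdo, $ip, $t0 + 10 + WINDOW_SECONDS);  // all five have aged out
```

In the walk-through, `$blockedNow` is true and `$blockedLater` is false. Note that this is a sliding window rather than a fixed "15 minutes from the fifth failure": the block lifts as soon as the oldest of the five failures is more than 15 minutes old, which for five quick attempts is practically the same thing. As the thread says, keying on the address blocks a whole NAT or proxy population along with the attacker and is trivially escaped by changing addresses, so it is a nuisance for bots rather than a protection; the per-account measures discussed later in the thread should sit beside it.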
Last edited by VladSun on Thu May 22, 2008 6:25 am, edited 1 time in total.
There are 10 types of people in this world, those who understand binary and those who don't
Bruno De Barros
Forum Commoner
Posts: 82
Joined: Mon May 12, 2008 8:41 am
Location: Ireland

Re: Blocking IP after x unsuccessful login attempts?

Post by Bruno De Barros »

@josamoto, I block the whole access to the account and email the user warning him that his account was blocked for 15 minutes, in case he tries to login and finds out his account is blocked. This avoids any of the IP/Session problems.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Blocking IP after x unsuccessful login attempts?

Post by VladSun »

Bruno De Barros wrote: @josamoto, I block the whole access to the account and email the user warning him that his account was blocked for 15 minutes, in case he tries to login and finds out his account is blocked. This avoids any of the IP/Session problems.
:) And why are you doing this? An attacker tries to brute-force a user account and you block it?!? It means that the attacker has performed a successful DOS attack ;)
I don't think it's a good idea.
There are 10 types of people in this world, those who understand binary and those who don't
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Blocking IP after x unsuccessful login attempts?

Post by Mordred »

+1 for what VladSun says.
After several wrong attempts, include a good CAPTCHA challenge on the login form.

(What is a good CAPTCHA? Ask one who breaks them: http://libcaca.zoy.org/wiki/PWNtcha)
(It's a bit dated, but offers a good overview on which captchas are easy to beat. When you choose a system, make sure you do your homework to see if it's been beaten lately)
Bruno De Barros
Forum Commoner
Posts: 82
Joined: Mon May 12, 2008 8:41 am
Location: Ireland

Re: Blocking IP after x unsuccessful login attempts?

Post by Bruno De Barros »

hehe, hadn't thought of it that way... Serves the purpose of the bruteforcing not working, but creates a DOS.

Another solution, maybe, besides a CAPTCHA:
Include a hidden form field with a random string of data, that changes at every request, and is kept in the session data. That way, a bruteforcer would have to download the page every time he tried a new pass, which would be extremely slow. Besides, the bruteforcer would have to accept and send session data.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Blocking IP after x unsuccessful login attempts?

Post by Mordred »

(not session, but cookie data)
Both things are trivial, and no protection against bots. Do some research on automating HTTP requests to see what is possible and what not.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Blocking IP after x unsuccessful login attempts?

Post by VladSun »

Another attack vector:
I don't know exactly how your "blocking" script works, but *maybe* it can be used to enumerate usernames on your site - if you block access only for existing users.
There are 10 types of people in this world, those who understand binary and those who don't
Bruno De Barros
Forum Commoner
Posts: 82
Joined: Mon May 12, 2008 8:41 am
Location: Ireland

Re: Blocking IP after x unsuccessful login attempts?

Post by Bruno De Barros »

@Mordred

I didn't talk about cookies because the session ID can be passed with cookies, as an argument on the URL or using trans_sid (which I don't know how it works).

They might be trivial, but I've done some bruteforcing research myself, and I've made tools to bruteforce in C++, and it's slow (meaning it would take millennia) to send a POST request and wait for the response. It's even slower to get a page, process the hidden input field, send a POST request and wait for the response. Because you can't stop bruteforcing. You can slow it down, at the most.

My solution ISN'T, and I never said or intended to say it was, a perfect solution. It's a solution that slows bruteforcers down, and it doesn't harm the end-user at all. We could use this, along with your CAPTCHA solution. This is just brainstorming. Getting ideas. Some work, others don't. That's why people discuss things.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Blocking IP after x unsuccessful login attempts?

Post by Mordred »

Bruno De Barros wrote: @Mordred
I didn't talk about cookies because the session ID can be passed with cookies, as an argument on the URL or using trans_sid (which I don't know how it works).
In that case, when you said "Besides, the bruteforcer would have to accept and send session data." it sounds like nonsense. The SID (not session data!) is passed in the URL or a cookie, which from the point of view of the bruteforcer is the same thing.
Bruno De Barros wrote: They might be trivial, but I've done some bruteforcing research myself, and I've made tools to bruteforce in C++, and it's slow (meaning it would take millennia) to send a POST request and wait for the response. It's even slower to get a page, process the hidden input field, send a POST request and wait for the response. Because you can't stop bruteforcing. You can slow it down, at the most.
So, you've made a slow and ineffective tool and you conclude that it can't be done faster and better? I'm sorry, the reality is different. Yes, the idea of slowing the bruteforce is a key concept in protecting against it, but what you propose is merely slowing by a factor of two (not millennia, sorry) which is far from enough. We are not allowed to discuss (potentially) hacking tools here, but obviously you have done something very wrong with your tool.
Bruno De Barros
Forum Commoner
Posts: 82
Joined: Mon May 12, 2008 8:41 am
Location: Ireland

Re: Blocking IP after x unsuccessful login attempts?

Post by Bruno De Barros »

Mordred wrote: So, you've made a slow and ineffective tool and you conclude that it can't be done faster and better?
No, it can be done faster and better, but even attempting a million passwords per second, you'd take millennia to find the proper password (of course, that is if the last chance is the proper one... and all bruteforcing techniques calculate the remainder like that).
Mordred wrote: but what you propose is merely slowing by a factor of two (not millennia, sorry)
:lol: Duh... When I said millennia I was referring to the time it would take for the cracking of a password. Surely, if you use dictionary based attacks, etc, the time might be a lot smaller (if the guy used a weak password that can be guessed using a dictionary, it will be almost none), but that wasn't my point.
Bruno De Barros
Forum Commoner
Posts: 82
Joined: Mon May 12, 2008 8:41 am
Location: Ireland

Re: Blocking IP after x unsuccessful login attempts?

Post by Bruno De Barros »

Another idea:

Increase login wait time by a factor of 2. After X unsuccessful logins on that account, the user has to wait X*X*2 seconds until he is able to try another password. - Now that I think of it, I just saw the perfection of your CAPTCHA solution, Mordred. I mean, I know what a CAPTCHA is and all, but I thought after X unsuccessful logins by that IP. And that wouldn't work, because people could use proxies. But if it's X unsuccessful logins on an account... It doesn't bother the user much, and it stops bruteforcing properly.

I apparently misunderstood when you would apply your method ;). Sorry for the trouble.
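The per-account scheme the thread has converged on, as an added example that is not code from the thread or from CodeIgniter: VladSun's objection that a hard lock is a self-inflicted DOS, Mordred's CAPTCHA after several failures, VladSun's warning that the throttle must not reveal which usernames exist, and the X*X*2 seconds back-off proposed in the post above. Failures are counted under the submitted username whether or not it exists, every refusal carries the same message, and a solved CAPTCHA waives the back-off so a human with the right password is never locked out by someone else's failures. The constants, the `$captchaSolved` flag (whatever your CAPTCHA library reports), the cap on the delay and the constructed user table are my assumptions.

```php
<?php
// Added example; not code from the thread or from CodeIgniter.
// Per-account throttling without a hard lock: after CAPTCHA_AFTER failures the form must
// carry a solved CAPTCHA, and after X failures the next attempt waits X*X*2 seconds.
// Attempts are counted under the submitted username whether or not it exists, and every
// refusal carries the same message, so the throttle does not reveal real usernames.
// Assumptions (mine): $users is a constructed table of password hashes, $captchaSolved is
// whatever your CAPTCHA library reports, and the clock is passed in for determinism.

declare(strict_types=1);

const CAPTCHA_AFTER = 3;                 // failures before a CAPTCHA is demanded
const MAX_DELAY     = 300;               // cap on the back-off, in seconds (my choice)
const GENERIC_ERROR = 'Login failed.';   // same text for wrong password and unknown user

function backoffSeconds(int $failures): int
{
    // X failures -> X*X*2 seconds, capped so nobody can push a real user into hours of waiting.
    return min($failures * $failures * 2, MAX_DELAY);
}

function dummyHash(): string
{
    // Verified against when the username is unknown, so unknown and known users take
    // the same code path and roughly the same time.
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('placeholder-password-never-accepted', PASSWORD_DEFAULT);
    }
    return $hash;
}

function refuse(array $state, int $retryAfter): array
{
    return [
        'ok'               => false,
        'error'            => GENERIC_ERROR,
        'retry_after'      => $retryAfter,
        'captcha_required' => $state['failures'] >= CAPTCHA_AFTER,
    ];
}

function attemptLogin(array $users, array &$throttle, string $username, string $password, bool $captchaSolved, int $now): array
{
    $key   = strtolower(trim($username));
    $state = $throttle[$key] ?? ['failures' => 0, 'last_fail' => 0];

    // Gate 1: past the threshold, no attempt is evaluated without a solved CAPTCHA.
    if ($state['failures'] >= CAPTCHA_AFTER && !$captchaSolved) {
        return refuse($state, 0);
    }

    // Gate 2: back-off. A solved CAPTCHA waives it (the human only has to solve it once).
    $waitUntil = $state['last_fail'] + backoffSeconds($state['failures']);
    if (!$captchaSolved && $state['failures'] > 0 && $now < $waitUntil) {
        return refuse($state, $waitUntil - $now);
    }

    // Credential check: password_verify always runs, even for unknown users.
    $known = isset($users[$key]);
    $match = password_verify($password, $known ? $users[$key] : dummyHash());
    if (!($known && $match)) {
        $state['failures']++;
        $state['last_fail'] = $now;
        $throttle[$key] = $state;
        return refuse($state, backoffSeconds($state['failures']));
    }

    unset($throttle[$key]);   // success clears the counter
    return ['ok' => true, 'error' => null, 'retry_after' => 0, 'captcha_required' => false];
}

// Walk-through with a constructed user and a fixed clock.
$users    = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
$throttle = [];
$t        = 1000000;

$r1 = attemptLogin($users, $throttle, 'alice', 'wrong', false, $t);          // first failure
$r2 = attemptLogin($users, $throttle, 'alice', 'wrong', false, $t + 1);      // inside the 2 s back-off
$r3 = attemptLogin($users, $throttle, 'alice', 'wrong', false, $t + 2);      // second failure
$r4 = attemptLogin($users, $throttle, 'alice', 'wrong', false, $t + 10);     // third failure
$r5 = attemptLogin($users, $throttle, 'alice', 'correct horse battery staple', false, $t + 100);
$r6 = attemptLogin($users, $throttle, 'alice', 'correct horse battery staple', true, $t + 100);
$r7 = attemptLogin($users, $throttle, 'mallory', 'x', false, $t + 100);      // unknown user
```

Walking through it: `$r1` fails and asks for a 2 second wait, `$r2` is refused one second early with `retry_after` of 1, `$r3` and `$r4` are the second and third failures (waits of 8 and 18 seconds), `$r5` has the right password but is refused because the CAPTCHA is now required, `$r6` succeeds once the CAPTCHA is solved, and `$r7` for a nonexistent user returns the same `Login failed.` and starts its own counter, so nothing in the response distinguishes `alice` from `mallory`. Counting under the submitted name is what closes the enumeration hole VladSun points out; the CAPTCHA waiver is what keeps the scheme from becoming the DOS he objects to.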
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Blocking IP after x unsuccessful login attempts?

Post by Mordred »

No need to apologise, the truth can be born only in dialogue.

On topic: when using measures for delaying a bruteforce attack, it is vitally important to make them such as not to increase the load on the server itself. That's another way of looking at CAPTCHA: a task that is hard (i.e. computationally intensive) for the attacker, and trivial to check for correctness on the server. We also have the nice property that the real (human) client will not have to bear the full weight of the problem, as he will only have to solve it once.

Another solution with similar properties is to give the client (meaning the application, not the person) some other computational challenge - for example integer factoring. The real client will have to solve it once, the bruteforcer will have to do it many times, costing CPU/memory or other resources, which, when multiplied by the larger number of attempts needed will hugely increase the cost of the attack. Note that with a regular challenge-response, the only resource needed is bandwidth, here we also require CPU. Pity though, for web applications this would involve javascript, so it's not for everyone.

And the most important thing, which was omitted from the discussion so far is logging, BF detection and adequate aftermeasures.
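The integer-factoring challenge mentioned above, as an added example that is not code from the thread: the server picks two primes, hands out their product, and verifying the answer is a single comparison, while the client has to do real work to find a factor. The prime range, the single-use challenge store (standing in for `$_SESSION`) and the expiry are my assumptions; in a web application the solver would run in JavaScript in the browser, and it is written here in PHP only so the whole exchange runs offline.

```php
<?php
// Added example (not from the thread): a factoring challenge with the cost profile described
// above. Issuing and verifying are cheap for the server; solving costs the client real CPU.
// Assumptions (mine): the prime range, the challenge store standing in for $_SESSION, the TTL.

declare(strict_types=1);

const PRIME_MIN = 1 << 20;   // primes between 2^20 and 2^21: products of about 42 bits
const PRIME_MAX = 1 << 21;

function isPrime(int $n): bool
{
    // Trial division is enough here: candidates are only ~21 bits, so sqrt(n) < 1500.
    if ($n < 2) return false;
    if ($n % 2 === 0) return $n === 2;
    for ($d = 3; $d * $d <= $n; $d += 2) {
        if ($n % $d === 0) return false;
    }
    return true;
}

function randomPrime(): int
{
    do {
        $candidate = random_int(PRIME_MIN, PRIME_MAX) | 1;   // force odd
    } while (!isPrime($candidate));
    return $candidate;
}

// Server side: issue a challenge and remember its factors so verification is a comparison.
function issueChallenge(array &$store, int $now): int
{
    $p = randomPrime();
    $q = randomPrime();
    $n = $p * $q;
    $store[$n] = ['p' => $p, 'q' => $q, 'issued' => $now];
    return $n;
}

// Server side: constant-cost check. Each challenge is consumed on first use and expires.
function verifyChallenge(array &$store, int $n, int $answer, int $now, int $ttl = 120): bool
{
    if (!isset($store[$n])) return false;   // unknown, or already consumed (replay)
    $c = $store[$n];
    unset($store[$n]);                      // single use, right or wrong
    if ($now - $c['issued'] > $ttl) return false;
    return $answer === $c['p'] || $answer === $c['q'];
}

// Client side (JavaScript in a browser; PHP here): trial division up to sqrt(n),
// roughly a million divisions for the range above.
function solveChallenge(int $n): int
{
    for ($d = 2; $d * $d <= $n; $d++) {
        if ($n % $d === 0) return $d;
    }
    return $n;   // no non-trivial factor; cannot happen for an issued challenge
}

// Walk-through with a fixed clock: the first answer is accepted, the replay is not.
$store    = [];
$n        = issueChallenge($store, 1000);
$f        = solveChallenge($n);
$accepted = verifyChallenge($store, $n, $f, 1005);
$replayed = verifyChallenge($store, $n, $f, 1006);
```

`$accepted` is true and `$replayed` is false. The asymmetry is the point Mordred makes: the server spends a few hundred trial divisions generating each prime and one modulo-free comparison verifying, while every login attempt costs the client about a million divisions, and a bot paying that per guess is throttled by its own CPU rather than by the server's. Bind the challenge to the session and the specific login form, keep it single-use as above, and expect to tune the range: 42-bit products are a rate limit, not a cryptographic barrier, and hash-based puzzles with an adjustable difficulty (the hashcash idea) are the usual way to get the same property with a dial on the cost.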