
How To Stop Brute Force Password Attacks Using Splunk


Brute force techniques have been in common use for a long time. They are also among the most popular techniques for hacking large numbers of online accounts, and there have been many security breaches involving brute force attacks.
Any website with user authentication is vulnerable to such an attack. Many online businesses and their users' information have been affected by recent security attacks.
A systematically run attack can easily go unnoticed by firewalls and other security tools.
The information obtained through such attacks is misused by the attacker to commit fraud. Often very sensitive information, such as a social security number, can be leaked through such attacks and used for serious identity theft.
Unfortunately, stopping these attacks is not easy, since attackers are smart people too. A good deal of analysis needs to be performed manually before an attack can be successfully differentiated from a genuine transaction. Most organizations employ dedicated security teams to stay protected from such threats.
In this article we demonstrate a technique that can be used to partially automate the detection of brute force attacks using Splunk log analysis.
This technique can help you protect your system in near real time. You may also prefer to use a graph database technique for stopping such an attack in real time.

What is a Brute Force Attack?

Unlike hacks that focus on vulnerabilities in software, a brute force attack is the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. An attacker or script tries many different password and credential combinations in rapid succession, so many connections are made to the targeted service. For password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because of the time a brute-force search takes.

What is Splunk? How Can It Help?

Splunk is a powerful tool that makes big data analytics easier. Splunk can help you capture and search through your log data in near real time. It uses map reduce technology to analyze big data in a really short period of time. In short, it can help you analyze your unstructured log data to understand your application usage. Splunk has a really powerful query language for detecting patterns in the data. The queries can easily be used to set up alerts that notify you about an ongoing (suspected) activity.

Pre-requisite

I am assuming that you have a Splunk setup that is indexing your application log files. Setting up a Splunk system is complex and may take some time. In case you do not have a running system, you may want to try the Splunk cloud sandbox for a quick start.

Prepare The Log File With Required Information

Splunk can help you detect an attack only if you have sufficient information to analyze the transaction. Below are some details you must log in the log files that Splunk indexes.
  • Client IP Address (make sure it is the real client IP address, not that of a load balancer or proxy)
  • Login Attempt Success or Failure information.
  • Time stamp

Setting Up The Log Fields & Send Data To Splunk

Splunk is really smart at figuring out fields if they are logged in a specific format. If you log data in the "fieldName=value" pattern, then you can easily search Splunk for specific values of a field. For this article we are going to use three fields.

The field name CLIENT_IP will be used to log the client IP address. So an entry for IP 1.2.3.4 in your application log file should look like this:

  CLIENT_IP=1.2.3.4   

The field name LOGIN_ATTEMPT will be used to log the success or failure of a login attempt. So an entry for a login success in your application log file should look like this:

  LOGIN_ATTEMPT=S    

and an entry for a login failure in your application log file should look like this:

  LOGIN_ATTEMPT=F   

The timestamp is always available in Splunk in the _time field, so we can use it.
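The sketch below is an added example, not code from the original article, showing one way an application could produce the two fields so that CLIENT_IP is the real client address. It assumes the proxies append to the X-Forwarded-For header and live in a hypothetical TRUSTED_PROXIES range; the function names are illustrative.

```python
import ipaddress

# Assumption: the networks your own load balancers / reverse proxies live in.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_addr, x_forwarded_for=None):
    """Resolve the address to log as CLIENT_IP (hypothetical helper).

    peer_addr is the TCP peer; x_forwarded_for is the raw header value.
    The header is honoured only when the peer is one of our proxies, and it
    is read right to left so entries a client prepended are never reached.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _trusted(peer) or not x_forwarded_for:
        return str(peer)  # direct connection: a client-sent header is ignored
    candidate = peer
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            candidate = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed or injected entry: keep the last valid hop
        if not _trusted(candidate):
            break  # first address that is not our own infrastructure
    return str(candidate)


def login_log_line(peer_addr, x_forwarded_for, success):
    """Build the fieldName=value text the Splunk queries search for."""
    # The value went through ipaddress, so it cannot carry spaces, newlines
    # or a forged "LOGIN_ATTEMPT=S" pair into the log.
    ip = real_client_ip(peer_addr, x_forwarded_for)
    return f"CLIENT_IP={ip} LOGIN_ATTEMPT={'S' if success else 'F'}"


if __name__ == "__main__":
    # Constructed sample requests (documentation address ranges).
    print(login_log_line("10.0.0.5", "203.0.113.7, 10.0.0.9", False))
    print(login_log_line("198.51.100.4", "1.2.3.4", False))
    print(login_log_line("10.0.0.5", "bad\nLOGIN_ATTEMPT=S", True))
```

If the proxy address were logged instead, every login would share one CLIENT_IP and the per-IP count used later would either never fire or flag all users at once.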

Setup Search Queries On Splunk

The simple query below should display all failed login attempts on the Splunk console.

index=MyApplicationIndex LOGIN_ATTEMPT=F 

Now we need to identify the suspicious transactions that are coming from the same IP address.

index=MyApplicationIndex LOGIN_ATTEMPT=F CLIENT_IP=* minutesago=1 | stats count by CLIENT_IP | search count>1000 

This query returns the client IP addresses that have more than 1000 failed login attempts within 1 minute.

The two important parameters in this query are:

Time range: We have specified it using minutesago=1, which means we are looking only at data from the last 1 minute. You can tweak this value based on your application usage.

Number of failed attempts: The count>1000 filter keeps only the IP addresses that have more than 1000 failed attempts. You can tweak this value based on your application usage. The values for the number of failed attempts and the time range need to be chosen based on the application transaction volume. You may need to look through all genuine transactions and come up with the right values for these parameters.
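To help choose those two values, the following added example (not part of the original article) replays log lines offline and reports the highest number of failed logins each CLIENT_IP reached in any window. It goes beyond the query above by sliding the window over the whole log, and it assumes each line starts with an ISO 8601 timestamp; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FIELD = re.compile(r"(\w+)=(\S+)")  # the fieldName=value pairs


def peak_failures(lines, window=timedelta(minutes=1)):
    """Most failed logins each CLIENT_IP produced inside any single window.

    Assumes each line starts with an ISO 8601 timestamp and lines are in
    time order (both are assumptions of this example).
    """
    recent = defaultdict(deque)  # CLIENT_IP -> timestamps still in the window
    peak = defaultdict(int)
    for line in lines:
        stamp, _, rest = line.partition(" ")
        fields = dict(FIELD.findall(rest))
        ip = fields.get("CLIENT_IP")
        if ip is None or fields.get("LOGIN_ATTEMPT") != "F":
            continue
        now = datetime.fromisoformat(stamp)
        seen = recent[ip]
        seen.append(now)
        while now - seen[0] >= window:  # drop failures older than the window
            seen.popleft()
        peak[ip] = max(peak[ip], len(seen))
    return dict(peak)


def suspects(lines, threshold, window=timedelta(minutes=1)):
    """IPs whose peak exceeds the threshold, as 'count>threshold' would catch."""
    return sorted(ip for ip, n in peak_failures(lines, window).items() if n > threshold)


def _line(start, offset_s, ip, result):
    ts = (start + timedelta(seconds=offset_s)).isoformat()
    return f"{ts} CLIENT_IP={ip} LOGIN_ATTEMPT={result}"


# Constructed sample log: one burst, one slow trickle, one successful login.
_T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = sorted(
    [_line(_T0, 5 * i, "203.0.113.9", "F") for i in range(8)]
    + [_line(_T0, 30 * i, "198.51.100.2", "F") for i in range(8)]
    + [_line(_T0, 12, "192.0.2.1", "S")]
)

if __name__ == "__main__":
    print(peak_failures(SAMPLE))  # per-IP peaks, for choosing a threshold
    print(suspects(SAMPLE, threshold=5))
```

Running it over a day of genuine traffic shows the peaks that legitimate clients reach, which is the baseline the threshold has to sit above.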

Setup Alerts

Splunk alerts are easy to set up. You can convert any query into an alert by following the simple steps described in this video for static search alerts.

Now you can create an alert based on the above query to notify you through an email or to take an action by running a script.

Take Actions

The actions for stopping a brute force attack can be as easy as running a script to block an IP address that seems malicious. Be cautious about doing it immediately. I would recommend that you use email alerts for the first few days and understand the pattern. Once you are sure about the malicious behavior, take strong actions in an automated manner.

Testing Our Setup

I do not believe in concepts until they are thoroughly tested and proven to work. To make sure your setup is working, you must perform some fake brute force attacks on your application and use the above-mentioned technique to diagnose the attack using Splunk. To perform a simulated brute force attack, you may refer to this documentation by OWASP: Testing For Brute Force Attacks

Summary

Keeping your online system secure is a heavy investment, and not everyone can afford it. In the recent past, many small businesses and startups have created great products with poor security, ending up with serious exploitation of user information. I hope this article gives you a basic idea of brute force attack detection using Splunk. There are many organizations already using this technique for detecting similar attacks. How are you using Splunk in your organization?


Published at DZone with permission of Sachin Joshi. See the original article here.
