What is a Brute Force Attack?
Unlike attacks that exploit vulnerabilities in software, a brute force attack is the simplest kind of method for gaining access to a site: it tries usernames and passwords, over and over again, until it gets in. An attacker or script tries many different password and credential combinations in rapid succession, so a large number of connections are made to the targeted service. For password guessing, this method is very fast at checking all short passwords, but for longer passwords other methods such as the dictionary attack are used because of the time an exhaustive brute-force search takes.
What is Splunk? How Can It Help?
Splunk is a powerful tool that makes big data analytics easier. Splunk can help you capture and search through your log data in near real time. It uses MapReduce-style technology to analyze big data in a very short period of time. In short, it can help you analyze your unstructured log data to understand your application usage. Splunk has a really powerful query language for detecting patterns in the data. Those queries can easily be used to set up alerts that notify you about ongoing (suspected) activity.
I am assuming that you have a Splunk setup that is indexing your application log files. Setting up a Splunk system is complex and may take some time. In case you do not have a running system, you may want to try the Splunk cloud sandbox for a quick start.
Prepare The Log File With Required Information
Splunk can help you detect an attack only if you have sufficient information to analyze the transaction. Below are some details you must log in the application log files that Splunk indexes.
- Client IP address (making sure it is the real client IP address, not that of a load balancer or proxy)
- Login attempt success or failure information
- Timestamp
Setting Up The Log Fields & Sending Data To Splunk
Splunk is really smart at figuring out fields if they are logged in a specific format. If you log data in a "fieldName=value" pattern, then you can easily search Splunk for specific values of a field. For this article we are going to use three fields.
Field name CLIENT_IP will be used to log the client IP address. So an entry for IP 220.127.116.11 in your application log file should look like this:
CLIENT_IP=220.127.116.11
Field name LOGIN_ATTEMPT will be used to log the success or failure of a login attempt. An entry for a login failure in your application log file should look like this (this is the value the queries below match on):
LOGIN_ATTEMPT=F
and an entry for a login success uses the same field with the distinct value your application logs for success.
The timestamp is always available in Splunk in the field named _time, so we can use it directly.
Setup Search Queries On Splunk
The simple query below should display all failed login attempts on the Splunk console:
index=MyApplicationIndex LOGIN_ATTEMPT=F
Now we need to identify the suspicious transactions that are coming from the same IP address.
index=MyApplicationIndex LOGIN_ATTEMPT=F CLIENT_IP=* minutesago=1 | stats count by CLIENT_IP | search count>1000
This query returns the client IP addresses that have failed login attempts more than 1000 times within the last minute.
The two important parameters in this query:
- Time range: we have specified it using minutesago=1, which means we are looking only at data from the last 1 minute. You can tweak this value based on your application usage.
- Number of failed attempts: count>1000 filters out every IP address whose failed login count within that window does not exceed 1000, keeping only those above the threshold. You can tweak this value based on your application usage. The values for the number of failed attempts and the time range need to be chosen based on the application's transaction volume. You may need to look through all genuine transactions and come up with the right values for these parameters.
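As an added illustration (not code from the original article), the same detection that the query above performs, written in Python and run over a few constructed log lines in the fieldName=value layout described earlier. The sample lines, the documentation-range IPs, the fixed "now" and the lowered threshold are all constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines in the "fieldName=value" layout the article
# recommends; the addresses are from documentation ranges, not real clients.
SAMPLE_LOG = """\
2024-01-01T12:00:01 CLIENT_IP=203.0.113.7 LOGIN_ATTEMPT=F
2024-01-01T12:00:02 CLIENT_IP=203.0.113.7 LOGIN_ATTEMPT=F
2024-01-01T12:00:03 CLIENT_IP=198.51.100.4 LOGIN_ATTEMPT=S
2024-01-01T12:00:04 CLIENT_IP=203.0.113.7 LOGIN_ATTEMPT=F
2024-01-01T12:00:05 CLIENT_IP=203.0.113.7 LOGIN_ATTEMPT=F
2024-01-01T12:00:30 CLIENT_IP=198.51.100.4 LOGIN_ATTEMPT=F
2024-01-01T12:03:00 CLIENT_IP=203.0.113.9 LOGIN_ATTEMPT=F
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one log line into a dict; _time mirrors Splunk's own timestamp field."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["_time"] = datetime.fromisoformat(ts)
    return fields

def failed_logins_by_ip(log_text, now, minutes=1, threshold=1000):
    """Python equivalent of the article's query:
    index=MyApplicationIndex LOGIN_ATTEMPT=F CLIENT_IP=* minutesago=<minutes>
      | stats count by CLIENT_IP | search count><threshold>
    Returns {CLIENT_IP: count} only for IPs whose count exceeds the threshold."""
    window_start = now - timedelta(minutes=minutes)
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("LOGIN_ATTEMPT") != "F" or "CLIENT_IP" not in ev:
            continue  # the query matches only failures that carry a client IP
        if not (window_start <= ev["_time"] <= now):
            continue  # outside the minutesago window
        counts[ev["CLIENT_IP"]] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}

def detect_in_sample(threshold=3):
    """Run the detector over the constructed sample as of 12:00:59.
    The threshold is lowered from 1000 so the tiny sample can trip it."""
    return failed_logins_by_ip(SAMPLE_LOG, datetime(2024, 1, 1, 12, 0, 59),
                               minutes=1, threshold=threshold)

if __name__ == "__main__":
    print(detect_in_sample())  # only 203.0.113.7 exceeds 3 failures in the window
```

The 12:03:00 line shows the window edge: that IP's failure is ignored because it is outside the last minute relative to "now", exactly as minutesago=1 would drop it.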
Splunk alerts are easy to set up. You can convert any query into an alert by following the simple steps described in this video for static search alerts.
Now you can create an alert based on the above query to notify you through an email or take an action by running a script.
The action for stopping a brute force attack can be as easy as running a script to block an IP address that seems malicious. Be cautious about doing this immediately. I would recommend you use email alerts for the initial few days and understand the pattern. Once you are sure about the malicious behavior, take stronger actions in an automated manner.
Testing Our Setup
I do not believe in concepts until they are thoroughly tested and proven to work. To make sure your setup is working, you must perform some simulated brute force attacks on your application and use the technique described above to diagnose the attack using Splunk. To perform a simulated brute force attack you may refer to this documentation by OWASP: Testing For Brute Force Attacks
Keeping your online system secure is a heavy investment and not everyone can afford it. In the recent past, many small businesses and startups have created great products with poor security, ending up with serious exploitation of user information. I hope this article gives you a basic idea of brute force attack detection using Splunk. There are many organizations already using this technique to detect similar attacks. How are you using Splunk in your organization?