DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
View Events Video Library
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Integrating PostgreSQL Databases with ANF: Join this workshop to learn how to create a PostgreSQL server using Instaclustr’s managed service

Mobile Database Essentials: Assess data needs, storage requirements, and more when leveraging databases for cloud and edge applications.

Monitoring and Observability for LLMs: Datadog and Google Cloud discuss how to achieve optimal AI model performance.

Automated Testing: The latest on architecture, TDD, and the benefits of AI and low-code tools.

Related

  • AI: The Future of HealthTech
  • Building an ETL Pipeline With Airflow and ECS
  • Big Data Development and Its Value to the World
  • GraphQL Revisited: Adoption in Blockchains

Trending

  • LTS JDK 21 Features
  • Next.js vs. Gatsby: A Comprehensive Comparison
  • Automated Testing: The Missing Piece of Your CI/CD Puzzle
  • AI for Web Devs: Project Introduction and Setup
  1. DZone
  2. Data Engineering
  3. Big Data
  4. How To Stop Brute force Password Attack Using Splunk

How To Stop Brute force Password Attack Using Splunk

Sachin Joshi user avatar by
Sachin Joshi
·
Oct. 19, 14 · Interview
Like (0)
Save
Tweet
Share
7.04K Views

Join the DZone community and get the full member experience.

Join For Free
Use of brute force techniques have been common for long time. This is also one of the most popular techniques to hack large number of online accounts. There have been many security breaches using brute force attacks. 
Any website with user authentication is vulnerable to such attack. Many online businesses and user information is affected with recent security attacks. 
A systematically run attack can easily be run without being noticed by firewalls and other security tools.  
The information obtained by such attacks is misused by the hacker to commit frauds. Many times very sensitive information such as social security number can be leaked through such attacks and serious identity theft crime can be performed. 
Unfortunately. stopping these attacks is not easy since attackers are smart people too. A good deal of analysis needs to be manually performed before successfully differentiating an attack from genuine transaction. Most organization employ dedicated security teams to stay protected from such threats.
In this article we are trying to demonstrate a technique that can be used to partially automate the detection of brute force attacks using Splunk log analysis. 
This technique can help you prevent your system in near real time. You may also prefer to use graph database technique  for stopping such an attack in real time. 

What is a Brute Force Attack?

Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. An attacker or script tries many different password and credential combinations in rapid succession, and so many connections are made to the targeted service. When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because of the time a brute-force search takes.

What is Splunk? How It can Help?

Splunk is a powerful tool that makes big data analytics easier. Splunk can help you capture and search through you log data in near realtime. It uses map reduce technology to analyze big data in really short period of time. In short, it can help you analyze your un-structured log data to understand your application usage.    Splunk has really powerful query language to detect patterns in the data. The queries can be easily used to setup alerts that can notify you about a ongoing (suspected) activity.  

Pre-requisite

I am assuming that you have a splunk setup that is indexing you application log files. Setting up a splunk system is complex and may take some time. In case you do not have a running system you may want to try the splunk in cloud sandbox for a quick start.

Prepare The log file with required information Splunk can help you detect a attack only if you have sufficient information to analyze the transaction. Below are some details you must log in splunk logs files. 
  • Client IP Address (Making sure its real client IP address not load balancer or proxy)
  • Login Attempt Success or Failure information.
  • Time stamp

Setting Up The Log Fields & Send Data To Splunk

Splunk is really smart at figuring out fields if they are logged in a specific format. If you log some data in "fieldName=value" pattern than you can easily search splunk for specific values of a a field. For this article we are going to use three fields Field Name CLIENT_IP will be used to log client IP address. So an entry for IP 1.2.3.4 in your application log file should look like this

  CLIENT_IP=1.2.3.4   

Field Name LOGIN_ATTEMPT will be used to log success or failure of login attempt. So an entry for login success in your application log file should look like this 

  LOGIN_ATTEMPT=S    

and an entry for login failure in your application log file should look like this 

  LOGIN_ATTEMPT=F   

The timestamp is always available in splunk at the field name _time, so we can use it.

Setup Search Queries On Splunk

A simple query below should display all failed login attempts on splunk console. 

index=MyApplicationIndex LOGIN_ATTEMPT=F 

Now we need to identify the suspicious transactions that are coming from same IP address.  

index=MyApplicationIndex LOGIN_ATTEMPT=F CLIENT_IP=* minutesago=1 | stats count by CLIENT_IP | search count>1000 

This query is going to return the results for the client IP addresses that have failed login attempts more than 1000 times within 1 minute. 

The two important parameters in this query  

Time range : We have specified it using minuteago=1 that means we are looking for only data in last 1 minute.  You can tweak this value based on your application usage.  

Number of failed attempts : The count>1000 is going to filter all the IP addresses that have failed transaction less than 1000 times. You can tweak this value based on your application usage.  The values for number of failed attempts and time range needs to be analyzed based on the application transaction volume.  You may need to see through all genuine transactions and come up with the right values for these parameters.

Setup Alerts

Splunk alerts are easy to setup. You can convert any query into a alert by following simple steps described in this video for static search alerts. 

  •   How To Set Up Splunk Alerts 

Now you can create a alert based on above query to notify through an email or take an action by running a script.

Take Actions

The actions for stopping brute force attack can be as easy as running a script to block an IP address that seems malicious. Be caucus is doing it immediately. I would recommend you to use email alerts for initial few days and understand the pattern. Once you are sure about malicious behavior take strong actions in a automated manner.

Testing Our Setup

I do not believe in concepts until they are thoroughly tested and proved working fine. To make sure your setup is working fine you must perform some fake brute force attacks on your application and use above mentioned technique to diagnose the attack using Splunk. To perform a simulated brute force attack you may refer this documentation by OWASP :     Testing For Brute Force Attacks

Summary

Keeping your online system secure is a heavy investment and not everyone can afford it.  In recent past, many small businesses and startups have created great products with poor security, ending up with serious exploitation of user information.  I hope this article provides you some basic idea of brute force attack detection using splunk. There are many organizations already using this technique for detecting similar attacks. How are you using Splunk in your organization?

Big data application Database

Published at DZone with permission of Sachin Joshi. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • AI: The Future of HealthTech
  • Building an ETL Pipeline With Airflow and ECS
  • Big Data Development and Its Value to the World
  • GraphQL Revisited: Adoption in Blockchains
Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends: