
How To Stop Brute force Password Attack Using Splunk


Brute force techniques have been in common use for a long time. This is also one of the most popular techniques for compromising large numbers of online accounts, and many security breaches have been carried out with brute force attacks.
Any website with user authentication is vulnerable to such an attack. Many online businesses, and their users' information, have been affected by recent security attacks.
A systematically run attack can easily proceed without being noticed by firewalls and other security tools.
The information obtained by such attacks is misused by the attacker to commit fraud. Very sensitive information such as social security numbers can be leaked through such attacks, and serious identity theft can follow.
Unfortunately, stopping these attacks is not easy, since attackers are smart people too. A good deal of analysis needs to be performed manually before an attack can be reliably distinguished from genuine transactions. Most organizations employ dedicated security teams to stay protected from such threats.
In this article we demonstrate a technique that can be used to partially automate the detection of brute force attacks using Splunk log analysis.
This technique can help you protect your system in near real time. You may also prefer to use a graph database technique for stopping such an attack in real time.

What is a Brute Force Attack?

Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims to be the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in. An attacker or script tries many different password and credential combinations in rapid succession, so a large number of connections are made to the targeted service. For password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because of the time a brute-force search takes.

What is Splunk? How It can Help?

Splunk is a powerful tool that makes big data analytics easier. Splunk can help you capture and search through your log data in near real time. It uses map-reduce technology to analyze big data in a really short period of time. In short, it can help you analyze your unstructured log data to understand your application usage. Splunk has a really powerful query language for detecting patterns in the data. The queries can easily be used to set up alerts that notify you about an ongoing (suspected) activity.


I am assuming that you have a Splunk setup that is indexing your application log files. Setting up a Splunk system is complex and may take some time. In case you do not have a running system, you may want to try the Splunk cloud sandbox for a quick start.

Prepare The Log File With Required Information

Splunk can help you detect an attack only if you have sufficient information to analyze the transaction. Below are some details you must record in the log files that Splunk indexes.
  • Client IP address (make sure it is the real client IP address, not that of a load balancer or proxy)
  • Login attempt success or failure information
  • Timestamp

Setting Up The Log Fields & Send Data To Splunk

Splunk is really smart at figuring out fields if they are logged in a specific format. If you log data in the "fieldName=value" pattern, you can easily search Splunk for specific values of a field. For this article we are going to use three fields. The field name CLIENT_IP will be used to log the client IP address, so an entry for the IP in your application log file should look like this (the address is an example value):

CLIENT_IP=203.0.113.10

The field name LOGIN_ATTEMPT will be used to log the success or failure of a login attempt, using the same fieldName=value pattern. The queries below use the value F for a failed attempt, so an entry for a login failure in your application log file should look like this:

LOGIN_ATTEMPT=F

An entry for a successful login records the corresponding success value of LOGIN_ATTEMPT in the same way.

The timestamp is always available in Splunk under the field name _time, so we can use it directly.

Setup Search Queries On Splunk

The simple query below should display all failed login attempts on the Splunk console.

index=MyApplicationIndex LOGIN_ATTEMPT=F 

Now we need to identify the suspicious transactions that are coming from the same IP address.

index=MyApplicationIndex LOGIN_ATTEMPT=F CLIENT_IP=* minutesago=1 | stats count by CLIENT_IP | search count>1000 

This query returns the client IP addresses that have failed login attempts more than 1000 times within 1 minute.

The two important parameters in this query:

Time range: We have specified it using minutesago=1, which means we are looking only at data from the last 1 minute. You can tweak this value based on your application usage.

Number of failed attempts: The count>1000 clause keeps only the IP addresses whose failed attempts exceed 1000 and filters out the rest. You can tweak this value based on your application usage. The values for the number of failed attempts and the time range need to be chosen based on the application's transaction volume. You may need to look through all genuine transactions and come up with the right values for these parameters.
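An offline equivalent of the second query, as an added example that is not part of the original article: it parses constructed fieldName=value log lines (the timestamp-first line layout and the user field are assumptions) and applies the same per-CLIENT_IP count of LOGIN_ATTEMPT=F events inside a time window, then keeps only the addresses above a threshold.

```python
"""Offline equivalent of:
   LOGIN_ATTEMPT=F CLIENT_IP=* minutesago=1 | stats count by CLIENT_IP | search count>N
Assumed log layout: "<ISO timestamp> CLIENT_IP=<ip> LOGIN_ATTEMPT=<F|S> ..." """
import re
from collections import Counter
from datetime import datetime, timedelta

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into its timestamp plus a dict of fieldName=value pairs."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["_time"] = datetime.fromisoformat(ts_str)  # mirrors Splunk's _time
    return fields


def failed_logins_by_ip(lines, now, window_minutes=1, threshold=1000):
    """Count LOGIN_ATTEMPT=F events per CLIENT_IP within the last `window_minutes`
    before `now`; return {ip: count} only for IPs whose count exceeds `threshold`."""
    start = now - timedelta(minutes=window_minutes)
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev.get("LOGIN_ATTEMPT") != "F" or "CLIENT_IP" not in ev:
            continue  # ignore successes and lines missing the client address
        if start <= ev["_time"] <= now:
            counts[ev["CLIENT_IP"]] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}


# Constructed sample log (not real traffic): one address fails 15 times in 30 s,
# one user fails twice then succeeds, one old failure falls outside the window.
SAMPLE_LOG = (
    ["2024-01-01T10:00:%02d CLIENT_IP=203.0.113.10 LOGIN_ATTEMPT=F user=alice" % s
     for s in range(0, 30, 2)]
    + ["2024-01-01T10:00:05 CLIENT_IP=198.51.100.7 LOGIN_ATTEMPT=F user=bob",
       "2024-01-01T10:00:09 CLIENT_IP=198.51.100.7 LOGIN_ATTEMPT=F user=bob",
       "2024-01-01T10:00:12 CLIENT_IP=198.51.100.7 LOGIN_ATTEMPT=S user=bob",
       "2024-01-01T09:55:00 CLIENT_IP=192.0.2.44 LOGIN_ATTEMPT=F user=carol"]
)
NOW = datetime(2024, 1, 1, 10, 0, 30)

if __name__ == "__main__":
    # Threshold lowered to 5 for the tiny sample; the article uses 1000 per minute.
    print(failed_logins_by_ip(SAMPLE_LOG, NOW, window_minutes=1, threshold=5))
```

Raising the threshold or shrinking the window is the same tuning exercise the article describes for the Splunk query: the two legitimate failures from bob should never cross the line, while the single address generating most failures does.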

Setup Alerts

Splunk alerts are easy to set up. You can convert any query into an alert by following the simple steps described in this video for static search alerts.

Now you can create an alert based on the above query to notify you through an email or to take an action by running a script.

Take Actions

The actions for stopping a brute force attack can be as easy as running a script to block an IP address that seems malicious. Be cautious about doing this immediately. I would recommend using email alerts for the first few days and understanding the pattern. Once you are sure about the malicious behavior, take strong actions in an automated manner.

Testing Our Setup

I do not believe in concepts until they are thoroughly tested and proven to work. To make sure your setup is working, you must perform some simulated brute force attacks on your own application and use the technique described above to diagnose the attack in Splunk. To perform a simulated brute force attack, you may refer to this documentation by OWASP: Testing For Brute Force Attacks


Keeping your online system secure is a heavy investment, and not everyone can afford it. In the recent past, many small businesses and startups have created great products with poor security, ending up with serious exploitation of user information. I hope this article gives you a basic idea of brute force attack detection using Splunk. Many organizations are already using this technique for detecting similar attacks. How are you using Splunk in your organization?



Published at DZone with permission of Sachin Joshi. See the original article here.
