IP Addresses Now Useless for Blocking Brute Force Attacks

by Daniel Convissor at 2016-03-02 17:30:00

There's a new trend in brute force attacks. Most IP addresses are being used a single time. This renders IP address blocking useless.

Traditionally, criminals used a few (compromised) computers to wage brute force attacks against a given site. So security professionals and web masters have monitored IP addresses and set up rules to deny requests from bad actors.

But the increasing proliferation of root kits and sophistication of command and control software has meant attackers can consider each bot (kind of) disposable. They'll use a given computer for one shot, then move on to another computer for the next shot.

Here's an example. One of my sites received a steady stream of 3,496 bogus login requests over a 56 hour period (about 60 per hour) in early January, 2016. The attack came from 2,019 different IP addresses. 1,260 (36%) of the IP's were used only once. Just 3 addresses were used more than 10 times. The most used address only made 15 requests!

Filtering by the first two or three octets of the IP space doesn't get you anything either.

ItemQuantityUsed 1xUsed > 10xMaximum Used
Unique IPs2,0191,260315
Unique First 3 Octets1,651871917
Unique First 2 Octets7441917180
User Names3n/an/an/a

The attacker's control server picks three likely user names ("administrator", "admin", and the blog's name) and one password then tells three bots to try one combination. Then the control server picks another password and has three other bots try those combinations. Rinse and repeat.

I noticed this trend because I'm the author, and user, of the Login Security Solution WordPress plugin. Fortunately, LSS is set up to catch these kinds of attacks by monitoring any combination of IP address (including IPv6), user name, or password. All of the other brute force plugins I've looked at only watch for IP addresses.

Hmm.... Insert your favorite closing quip here by sending it to me on Twitter. :)

Tags: wordpress, security

View all posts

Email me a comment:

(I'll append it here when I get a chance.)