Will Using A Form Key Stop Brute Force Attacks?


20 Replies - 2995 Views - Last Post: 12 August 2013 - 12:04 PM

#1 adn258 (D.I.C Addict)

Will Using A Form Key Stop Brute Force Attacks?

Posted 09 August 2013 - 01:31 AM

So most of the time, well-done brute force attacks involve a program written to keep guessing many passwords every second. On my login forms and whatnot I use a form key which changes every time the page loads. The key has to match on the script or they won't be logged in, etc. This ensures that someone indeed DID visit the page and a machine isn't just guessing over and over again.

I'm talking about using something like this
http://net.tutsplus....with-form-keys/

That said I'm assuming using just that wouldn't be foolproof since a hacker can keep the form keys in session, but I would assume this would slow things way down right?


Replies To: Will Using A Form Key Stop Brute Force Attacks?

#2 CTphpnwb (D.I.C Lover)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 09 August 2013 - 03:34 AM

It looks to me like that would stop a "man in the middle" attack, but not a brute force attack that reads the HTML form every time and posts all the "hidden" data. This is why captchas are used.

#3 AdaHacker (Resident Curmudgeon)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 09 August 2013 - 08:35 AM

adn258, on 09 August 2013 - 04:31 AM, said:

That said I'm assuming using just that wouldn't be foolproof since a hacker can keep the form keys in session, but I would assume this would slow things way down right?

It might slow things down a little and stop the really stupid bots, but you're correct - it is by no means fool-proof. In fact, if you're concerned about brute-force attacks on your login page, this is basically no protection at all. Just look at the top of the linked article - this is meant as a defense against XSS and CSRF attacks. It's most relevant after the user has already logged in.

CTphpnwb, on 09 August 2013 - 06:34 AM, said:

This is why captchas are used.

The problem with captchas is that, even at their best, they offer a bad user experience and so should be used sparingly. Putting one on a login page is like a big thumb in the eye to users. They would be more appropriate for things like sign-up forms that are harder to protect in other ways. A better solution for brute-force login attempts is to simply block logins to the affected account for X minutes after Y failed login attempts. Simply put, you can't effectively brute-force an account if you only get, say, 10 tries per hour.

#4 adn258 (D.I.C Addict)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 09 August 2013 - 08:37 AM

AdaHacker, but there's one problem with that idea... mass lockout of users if a malicious hacker wants to start guessing passwords. What could end up happening is thousands are locked out of their accounts for no reason. The only other thing you can do is lock out based on IP AND number of failed attempts, but malicious users can simply keep changing their IP, and if you only use an hourly block those IPs can then all be used again after an hour.

I created my own ask-a-simple-question CAPTCHA that works VERY WELL at stopping this problem. It's a great idea for some of my "professional sites" where people have personal information stored, etc., but on just-for-fun sites it's a bit of a pain, I agree... there doesn't appear to be any good set-in-stone solution for this problem if you think about it.

This post has been edited by adn258: 09 August 2013 - 08:51 AM


#5 Atli (Enhance Your Calm)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 09 August 2013 - 09:58 AM

Actually, there is one fairly good way to deter brute-force attacks. It's the same reason why algorithms like Bcrypt and PBKDF2 are preferred over old-fashioned hashes these days: they take a long time to calculate. Of course, doing computationally expensive tasks to delay login forms and such is not exactly a great idea. Rather, you could be using other means to make sure brute-force attacks can't be carried out hundreds of times per second. The key to thwarting brute-force attacks is to make them unbearably slow. The trick is not making it so slow your normal users will be affected.

Consider a system where login attempts are queued, and the system will only allow one to be processed per second. (Overall, not per session.) So any normal user login will happen almost instantly, because you won't be getting more than one normal user login attempt per second. (Unless you've got a LOT of users, in which case just lower the delay time to a more fitting value.) But if a brute force attack is carried out, instead of the system getting immediate results, it's having to wait a second for each result. Brute-forcing passwords on that system will take forever, even if the attacker is using multiple IP addresses; even if it's an entire botnet coordinated to brute-force you from multiple sources.

You could even modify this to make it more difficult, specifically for brute-force attackers. Limit the total queue size, refusing to add more than, say, thirty queued login attempts total. (You could use client-side coding to hide busy queues from normal users.) You could even do some limiting factors based on IP addresses, like de-prioritizing items in the queue from IP addresses that already have an earlier entry.

#6 adn258 (D.I.C Addict)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 09 August 2013 - 11:05 AM

Atli, on 09 August 2013 - 09:58 AM, said:

Actually, there is one fairly good way to deter brute-force attacks. It's the same reason why algorithms like Bcrypt and PBKDF2 are preferred over old-fashioned hashes these days: they take a long time to calculate. Of course, doing computationally expensive tasks to delay login forms and such is not exactly a great idea. Rather, you could be using other means to make sure brute-force attacks can't be carried out hundreds of times per second. The key to thwarting brute-force attacks is to make them unbearably slow. The trick is not making it so slow your normal users will be affected.

Consider a system where login attempts are queued, and the system will only allow one to be processed per second. (Overall, not per session.) So any normal user login will happen almost instantly, because you won't be getting more than one normal user login attempt per second. (Unless you've got a LOT of users, in which case just lower the delay time to a more fitting value.) But if a brute force attack is carried out, instead of the system getting immediate results, it's having to wait a second for each result. Brute-forcing passwords on that system will take forever, even if the attacker is using multiple IP addresses; even if it's an entire botnet coordinated to brute-force you from multiple sources.

You could even modify this to make it more difficult, specifically for brute-force attackers. Limit the total queue size, refusing to add more than, say, thirty queued login attempts total. (You could use client-side coding to hide busy queues from normal users.) You could even do some limiting factors based on IP addresses, like de-prioritizing items in the queue from IP addresses that already have an earlier entry.

I was thinking about doing this, man, and this is a good point. The thing is, a lot of cheesy forums and whatnot on the internet suggest using something like sleep(1), which I don't even think would help, because (correct me if I'm wrong) while it technically delays things 1 second every time the form is submitted, by constantly submitting guessed passwords, even with sleep being used, you're just adding to the list of things to do later, but they will still happen.

In other words, if I can submit the form 1 billion times, each one of those requests will take one second before it is executed, but all the events will still be done. So essentially I'm telling the server to eventually try a password 1 billion times with a small delay (this does nothing if you think about it, no matter how large the sleep delay is, if I UNDERSTAND THIS CORRECTLY).

So for example, if there is a form with a 1 hour sleep delay, if I keep submitting the script it might take an hour for the first submit, and an hour and 2 microseconds for the next, etc. etc., but essentially in about an hour thousands of tries will be tried against the server in a brute force attack. Essentially sleep is silly and not helpful for this solution, right?

So moving on to "test for bots", so to speak: you can simply store in a database the last time() of a submit for the login form. If it's less than, say, 2 seconds, you can simply deny the request altogether with die() and output a message or something. The thing is that no user would likely be able to normally submit something that fast unless they were using a program or a bot for brute force attacks.

Correct me if I'm wrong about this, and if my line of thinking about sleep etc. is wrong. Am I correct?
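To make the throughput argument in adn258's post concrete, here is an added example (my own code, not from the thread) that models the two designs in virtual time: a per-request sleep($delay) inside the login script, against Atli's single global queue that releases one credential check per $interval seconds. Nothing really sleeps; each function returns, for a burst of submissions arriving together from a client that keeps $connections requests in flight, the virtual second at which each credential check completes (null meaning refused without a check). The burst sizes, connection counts and deadlines are constructed for the demo.

```php
<?php
// Added example, not code from the thread or from anyone's tutorial.
// Virtual-time model of "sleep() per request" versus "one global queue".

/** sleep() in the script: every request waits, but all in-flight ones wait in parallel. */
function finishTimesWithSleep(int $requests, int $delay, int $connections): array
{
    $finish = [];
    for ($i = 0; $i < $requests; $i++) {
        // Request $i starts once one of the $connections slots has cycled;
        // sleep() shifts its completion by $delay but does not serialise the burst.
        $start    = intdiv($i, $connections) * $delay;
        $finish[] = $start + $delay;
    }
    return $finish;
}

/** Global queue: at most one check starts per $interval; beyond $maxQueue, refuse. */
function finishTimesWithQueue(int $requests, int $interval, int $maxQueue): array
{
    $finish = [];
    for ($i = 0; $i < $requests; $i++) {
        // Position $i in the queue is released at ($i + 1) * $interval seconds;
        // anything past the ceiling is answered immediately without a check.
        $finish[] = $i < $maxQueue ? ($i + 1) * $interval : null;
    }
    return $finish;
}

/** How many credential checks actually ran by $deadline virtual seconds. */
function checksCompletedBy(array $finish, int $deadline): int
{
    return count(array_filter(
        $finish,
        static fn(?int $t): bool => $t !== null && $t <= $deadline
    ));
}

// Constructed scenario: a burst of 1000 guesses, 50 parallel connections.
$bySleep = finishTimesWithSleep(1000, 1, 50);
$byQueue = finishTimesWithQueue(1000, 1, 1000);   // queue with no ceiling
$capped  = finishTimesWithQueue(1000, 1, 30);     // Atli's ceiling of thirty

printf("sleep(1), 50 connections:  %4d of 1000 guesses checked in the first minute\n",
    checksCompletedBy($bySleep, 60));              // 1000 (all done after 20 s)
printf("global 1/s queue:          %4d of 1000 guesses checked in the first minute\n",
    checksCompletedBy($byQueue, 60));              // 60
printf("global queue capped at 30: %4d of 1000 guesses checked in the first minute\n",
    checksCompletedBy($capped, 60));               // 30

// adn258's one-hour sleep: with enough connections, every guess still lands at t = 3600.
$hourSleep = finishTimesWithSleep(1000, 3600, 1000);
printf("sleep(3600), 1000 connections: %4d of 1000 guesses checked within the hour\n",
    checksCompletedBy($hourSleep, 3600));          // 1000
```

The model makes the distinction visible: a per-request sleep delays each worker independently, so the attacker's rate is bounded only by how many requests they can keep open, while a single global queue bounds the rate of credential checks for the whole server regardless of how many connections or source addresses are in play.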

#7 CTphpnwb (D.I.C Lover)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 09 August 2013 - 11:31 AM

The idea is that if you submit a form a billion times, the login will only be attempted a preset number of times. The rest will be denied without checking the credentials. I actually wrote a tutorial on this a while back that might be useful to you.

By the way, you could modify my tutorial (which uses IP addresses) to be per user id. The only downside I can see is that someone could write a script to deny another user access to their own account. ;)

This post has been edited by CTphpnwb: 09 August 2013 - 11:27 AM

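The "only a preset number of attempts, the rest denied without checking the credentials" idea in CTphpnwb's post, and AdaHacker's earlier "block for X minutes after Y failed attempts", are the same mechanism with a different key. The following is an added example of that mechanism written for this thread; it is not CTphpnwb's tutorial code. The class name, the in-memory storage and the injectable clock are my own choices so that the example runs offline; a real deployment would keep the failure timestamps in a database or cache shared by all PHP workers. The IP address and counts in the demo are constructed.

```php
<?php
// Added example, not from the thread or CTphpnwb's tutorial: a sliding-window
// "N failed attempts per key" throttle. The key can be the client IP (as in the
// tutorial) or the account name (the per-user-id variant discussed in the thread,
// which carries the lockout-by-a-third-party downside CTphpnwb notes).

final class LoginThrottle
{
    /** @var array<string, int[]> timestamps of failed attempts, per key */
    private array $failures = [];

    public function __construct(
        private int $maxAttempts,   // failures tolerated inside one window
        private int $windowSeconds, // length of the sliding window
        private $clock = null       // callable returning the current unix time
    ) {
        $this->clock ??= static fn(): int => time();
    }

    /** True if a credential check for $key may be performed right now. */
    public function isAllowed(string $key): bool
    {
        $this->prune($key);
        return count($this->failures[$key] ?? []) < $this->maxAttempts;
    }

    /** Record one failed credential check for $key. */
    public function recordFailure(string $key): void
    {
        $this->failures[$key][] = ($this->clock)();
    }

    /** Clear the counter once the user proves the credentials are good. */
    public function reset(string $key): void
    {
        unset($this->failures[$key]);
    }

    /** Drop failures that have aged out of the window. */
    private function prune(string $key): void
    {
        if (!isset($this->failures[$key])) {
            return;
        }
        $cutoff = ($this->clock)() - $this->windowSeconds;
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key],
            static fn(int $t): bool => $t > $cutoff
        ));
    }
}

/**
 * Login wrapper: once $key has used up its attempts the request is denied
 * before $verify (the real credential check) is ever called.
 */
function attemptLogin(LoginThrottle $throttle, string $key, callable $verify): string
{
    if (!$throttle->isAllowed($key)) {
        return 'denied';
    }
    if ($verify()) {
        $throttle->reset($key);
        return 'ok';
    }
    $throttle->recordFailure($key);
    return 'failed';
}

// Demo with a fake clock: 10 failures per hour for one client IP (constructed values).
$now      = 1_000_000;
$throttle = new LoginThrottle(10, 3600, function () use (&$now) { return $now; });
$ip       = '203.0.113.10';                  // documentation-range address
$wrong    = static fn(): bool => false;      // every guess is wrong

$results = [];
for ($i = 0; $i < 12; $i++) {
    $results[] = attemptLogin($throttle, $ip, $wrong);
}
echo implode(' ', $results), PHP_EOL;       // ten "failed", then "denied denied"

$now += 3601;                                // the window has passed
echo attemptLogin($throttle, $ip, static fn(): bool => true), PHP_EOL;   // ok
```

Keying on the IP limits one source; keying on the account limits guessing against that account from any source, at the cost that anyone can trip the limit for someone else's account. Running both keys, each with its own limit, is the usual compromise.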

#8 adn258 (D.I.C Addict)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 09 August 2013 - 12:18 PM

CTphpnwb, on 09 August 2013 - 11:31 AM, said:

The idea is that if you submit a form a billion times, the login will only be attempted a preset number of times. The rest will be denied without checking the credentials. I actually wrote a tutorial on this a while back that might be useful to you.

By the way, you could modify my tutorial (which uses IP addresses) to be per user id. The only downside I can see is that someone could write a script to deny another user access to their own account. ;)

Thanks CTPWeb, I will code a similar class to handle this, but my point was that using the sleep function in PHP is worthless for this, even though you see it being incorrectly applied as a solution time and time again all over the web to try and stop brute force attacks. I am correct that this idea is absolutely wrong, right?

#9 CTphpnwb (D.I.C Lover)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 09 August 2013 - 07:49 PM

You're correct. Sleeping a PHP script doesn't prevent a bot from running it multiple times on multiple requests, so while each might be delayed, they'll all be delayed over roughly the same time period.

#10 adn258 (D.I.C Addict)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 09 August 2013 - 08:36 PM

Thanks Ctph

#11 Atli (Enhance Your Calm)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 10 August 2013 - 08:14 PM

adn258, on 09 August 2013 - 07:05 PM, said:

I was thinking about doing this, man, and this is a good point. The thing is, a lot of cheesy forums and whatnot on the internet suggest using something like sleep(1), which I don't even think would help ...

Yep, like CT says, it's pretty useless by itself.

After my post the other day, I kind of got motivated to test out the queuing idea, since I've never really used it before, and it worked out pretty well. I put it up in a tutorial if you are interested.

#12 CTphpnwb (D.I.C Lover)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 11 August 2013 - 06:57 AM

Atli, on 10 August 2013 - 11:14 PM, said:

After my post the other day, I kind of got motivated to test out the queuing idea, since I've never really used it before, and it worked out pretty well. I put it up in a tutorial if you are interested.

Very nice tutorial. I think you could improve it though. If you added a user name field to the login_attempt_queue table you could set up queues for individual user names. Then if there's an attempt to access one user account it wouldn't slow everyone else any more than normal.

#13 Atli (Enhance Your Calm)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 11 August 2013 - 08:06 AM

Thanks. My original version of the code would have supported that, though I didn't think to try it. It used a CLI script to process the queue, rather than having each individual request process their own, so I had to store both the username and password in the queue table. That approach was more reliable; the timing was more accurate, and it also made it easy to do individual queues.

I can definitely see the benefit of having individual queues for each user, but my concern is that an intelligent brute-force hack may not be targeting just one user. If they figure out that each user is being delayed individually, it wouldn't be hard to start brute-forcing multiple users in parallel. It wouldn't really increase their chances of finding credentials for any particular user, but it would increase their chances of finding any user credentials.

What I've been considering, in order to improve the queue wait time during a brute-force attack, is a single queue entry per user limit. No normal user will be trying to do two login attempts at once, so this would just prevent a brute-force hacker from queuing up multiple requests for the same user. Any duplicate user entry would be dropped with a 503 code.

#14 CTphpnwb (D.I.C Lover)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 11 August 2013 - 11:46 AM

I was thinking that each user name would be delayed 1 second per login attempt, so brute forcing any particular user would still end up being unreasonably long but other users would only see a 1 second delay. I could be wrong, but I think the way you have it now would cause everyone to wait for a brute force attack to finish before they could login.

#15 Atli (Enhance Your Calm)

Re: Will Using A Form Key Stop Brute Force Attacks?

Posted 11 August 2013 - 12:31 PM

Yes, the way I did it there was designed to allow only one login attempt at a time overall. You are right that splitting the queue into individual user queues would improve the speed. My concern is just that it also allows an attacker to attack multiple users at a time, albeit unbearably slow per user. I'm probably being overly cautious here.

It's also worth considering that if your server is currently being bombarded by an attacker, it'll be unbearably slow for everybody regardless of how you split the queue. There are only so many active HTTP workers, and if some hacker out there is tying up all of them with queued login attempts, even if it's just for a single user, other users won't really have much chance of getting in.

It may be a good idea to add a ceiling on the number of items that are allowed to be in the queue, and return 503 codes for each attempt beyond that. At least like that you can leave a few HTTP workers free to deal with normal requests.
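The two refinements Atli settles on in posts #13 and #15, a single pending queue entry per username and a ceiling on the total number of pending entries, with a 503 for anything beyond either, can be expressed directly in the queue table. The following is an added example written for this thread, not Atli's tutorial code: it reuses the login_attempt_queue table name CTphpnwb mentions, but the columns, the class and the demo usernames are my own, and it assumes PHP 8 with the PDO SQLite driver so that it runs offline against an in-memory database. Draining the queue one entry per interval is left to a worker (a CLI script, as Atli describes) that calls takeNext() once per second.

```php
<?php
// Added example, not from the thread or Atli's tutorial. A global login queue
// with one pending entry per username and a ceiling on pending entries.
// Requests that cannot be queued get HTTP 503 without a credential check.

final class LoginQueue
{
    public function __construct(
        private PDO $db,
        private int $maxPending = 30   // Atli's "thirty queued login attempts total"
    ) {
        $this->db->exec('CREATE TABLE IF NOT EXISTS login_attempt_queue (
            id        INTEGER PRIMARY KEY AUTOINCREMENT,
            username  TEXT    NOT NULL,
            queued_at INTEGER NOT NULL,
            done      INTEGER NOT NULL DEFAULT 0
        )');
    }

    /**
     * Queue a login attempt. Returns the 1-based queue position, or null when
     * the request must be answered with 503 instead of being queued.
     */
    public function enqueue(string $username, int $now): ?int
    {
        $this->db->beginTransaction();

        $pending = (int) $this->db
            ->query('SELECT COUNT(*) FROM login_attempt_queue WHERE done = 0')
            ->fetchColumn();

        $dup = $this->db->prepare(
            'SELECT COUNT(*) FROM login_attempt_queue WHERE done = 0 AND username = ?'
        );
        $dup->execute([$username]);
        $alreadyQueued = (int) $dup->fetchColumn() > 0;

        // The ceiling keeps HTTP workers free for other pages; the one-entry-
        // per-user rule stops a single account from filling the queue.
        if ($pending >= $this->maxPending || $alreadyQueued) {
            $this->db->rollBack();
            return null;
        }

        $ins = $this->db->prepare(
            'INSERT INTO login_attempt_queue (username, queued_at) VALUES (?, ?)'
        );
        $ins->execute([$username, $now]);
        $this->db->commit();
        return $pending + 1;
    }

    /** Pop the oldest pending entry; the worker calls this once per interval. */
    public function takeNext(): ?array
    {
        $this->db->beginTransaction();
        $row = $this->db
            ->query('SELECT id, username FROM login_attempt_queue WHERE done = 0 ORDER BY id LIMIT 1')
            ->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            $this->db->rollBack();
            return null;
        }
        $this->db->prepare('UPDATE login_attempt_queue SET done = 1 WHERE id = ?')
            ->execute([$row['id']]);
        $this->db->commit();
        return $row;
    }
}

/** Map the queue decision onto the HTTP status the request is answered with. */
function httpStatusFor(?int $position): int
{
    return $position === null ? 503 : 200;
}

// Demo with constructed usernames, a fixed clock and a ceiling of three.
$queue = new LoginQueue(new PDO('sqlite::memory:'), maxPending: 3);
$t     = 1_000_000;

echo httpStatusFor($queue->enqueue('alice', $t)), PHP_EOL;      // 200, position 1
echo httpStatusFor($queue->enqueue('bob', $t)), PHP_EOL;        // 200, position 2
echo httpStatusFor($queue->enqueue('alice', $t)), PHP_EOL;      // 503: alice already pending
echo httpStatusFor($queue->enqueue('carol', $t)), PHP_EOL;      // 200, position 3 (queue now full)
echo httpStatusFor($queue->enqueue('dave', $t)), PHP_EOL;       // 503: ceiling reached

$next = $queue->takeNext();                                     // worker frees one slot
echo $next['username'], PHP_EOL;                                // alice
echo httpStatusFor($queue->enqueue('alice', $t + 1)), PHP_EOL;  // 200: alice may queue again
```

Because the insert and both counts run in one transaction, two concurrent requests for the same username cannot both slip past the duplicate check. Splitting the queue per username, as CTphpnwb suggests, would only change the ORDER BY and the COUNT in takeNext() to be scoped to one username; the ceiling and the duplicate rule stay as they are.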