As I said previously, one of the most recommended and widely implemented solutions is an account lockout policy: for example, after three or five failed login attempts, the account is locked until an administrator manually unlocks it.

This is an easy-to-implement and effective solution against brute force attacks, since the attacker cannot try all the combinations.

Many web applications, and plugins for the most used CMSs, implement this easy and effective solution.

However, while this solves the brute force problem, it introduces a potential application denial of service (DoS), because an attacker can intentionally try wrong passwords until the accounts are locked out.

An application DoS differs from the classic DoS attack in that it abuses the business logic of the application (at OSI layer 7) to disrupt the service. Therefore, firewalls, routers, load balancers and other network appliances continue to work without any problem, because no flood is arriving at the network level.

This type of application DoS could be worse than the brute force attack: a brute force attack may be practically exploitable only against accounts that have a weak password configured, whereas an application DoS could potentially prevent access for a large number of users, including those who have correctly chosen a strong password.

But this is not the only problem related to account lockouts:

- It is not possible to lock out an account that does not exist, so, depending on the error response, an attacker can enumerate valid usernames.
- A massive account lockout attack can overwhelm administrators or the help desk with a flood of requests.
- An attacker can continuously, and automatically, lock out the same accounts, even immediately after the administrator unlocks them, effectively disabling the accounts.
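To make the two problems concrete, here is an added example (my own code, not from the post or any CMS plugin) that puts the lockout policy described above beside a hardened variant. `USERS`, the plaintext sample store, the 30-second base lock and the doubling lock duration are assumptions for the demo; the uniform error message addresses the enumeration point, and the self-expiring lock removes the manual admin unlock.

```python
import hmac
import time

# Constructed sample user store for this demo only (real apps store hashes).
USERS = {"alice": "correct horse battery staple"}
MAX_FAILURES = 3


class NaiveLockout:
    """Policy as in the post: permanent lock until an admin clears it, and a
    distinct error per case, so responses reveal valid usernames and lock state."""
    def __init__(self):
        self.failures, self.locked = {}, set()

    def login(self, user, password):
        if user not in USERS:
            return "unknown user"          # leaks which usernames are valid
        if user in self.locked:
            return "account locked"        # permanent until an admin unlocks
        if hmac.compare_digest(USERS[user].encode(), password.encode()):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
        return "wrong password"


class HardenedLockout:
    """Assumed mitigation: one uniform failure message, failures counted for
    non-existent names too, and a lock that expires by itself (doubling each time)."""
    def __init__(self, now=time.time, base_lock=30):
        self.now, self.base_lock = now, base_lock
        self.failures, self.lockouts, self.locked_until = {}, {}, {}

    def login(self, user, password):
        if self.locked_until.get(user, 0) > self.now():
            return "invalid credentials"   # locked, but indistinguishable
        expected = USERS.get(user, "").encode()   # unknown user takes the same path
        if hmac.compare_digest(expected, password.encode()) and user in USERS:
            self.failures[user] = self.lockouts[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.failures[user] = 0
            n = self.lockouts.get(user, 0)
            self.lockouts[user] = n + 1
            self.locked_until[user] = self.now() + self.base_lock * 2 ** n
        return "invalid credentials"
```

The hardened class still needs a cap or eviction on the per-name counters in a real deployment, since it tracks failures for arbitrary usernames by design.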