Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Brute force attacks

This page is currently a work in progress. Any information presented here might be incomplete or incorrect, and frequent near-term updates are expected.

A brute force attack is an attempt to gain access by systematically trying passwords or keys against accounts. One password may be tried against many accounts, or many passwords against one account. Brute force attacks on your deployment may come from one IP address (a single source brute force attack) or from multiple IP addresses (a distributed brute force attack).

Single source brute force attack

In a single source brute force attack, multiple login attempts come from a single IP address. To detect this, use the statistics in the URL Length Analysis dashboard to find large numbers of small messages. Set the Standard Deviation filter to 3 to view only the outliers, then look for sources with unusually high counts of small messages in the search results. A high count of small messages from one source can indicate repeated attempts to log in.

Find the source IP address for these messages. Click one of the small messages to open the results in the Search dashboard. In the Interesting Fields panel, click src to see the source of the messages, and note whether there is one source or several. A single source IP address indicates a single source brute force attack; multiple addresses indicate a distributed brute force attack.

When you have confirmed a single source brute force attack:

  • Create an alert for this IP address.
  • Assign an Enterprise Security analyst to identify any systems compromised by the source.
  • Assign an administrator to block the IP address at the firewall.

Distributed brute force attack

In a distributed brute force attack, the attempts to gain access come from many different IP addresses.

This type of attack uses bots (compromised hosts that are part of a botnet) to try one or two logins from a single IP address before moving on; another IP address from the botnet then tries a new login. An IP address may reappear, but only after a while. This tactic defeats simple rate-based protections ("alert after x failures from one source") because no single source ever crosses the threshold.

These botnets target specific SSH servers, not every host they can reach. One mitigation for this type of attack is a blocklist of known botnet addresses.

  • Add a blocklist to Enterprise Security.
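As an added example (not part of this Splunk documentation), the following Python script applies both checks described above to constructed sshd-style log lines: it counts failed logins per source, flags any source more than three standard deviations above the mean (the single source case, mirroring the Standard Deviation = 3 filter), and then looks for an account hit from many sources that each made only one or two attempts (the distributed case), reporting which of those sources appear on a blocklist. The log format, the thresholds (z = 3, at least 10 sources, at most 2 attempts per source), the blocklist and all addresses are assumptions made for the example; in Splunk the per-source outlier test would be an SPL stats/eventstats search rather than this script.

```python
"""Brute force pattern classification over constructed sshd-style log lines.

Added example, not Splunk code. Log format, thresholds, addresses and the
blocklist are all assumptions for the demonstration.
"""
import re
import statistics
from collections import Counter, defaultdict

# Assumed format: the classic OpenSSH "Failed password" message from auth.log.
FAILED_LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(lines):
    """Return (user, src) pairs for every failed-login line; other lines are ignored."""
    events = []
    for line in lines:
        m = FAILED_LOGIN_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("src")))
    return events


def failures_by_source(events):
    """Failed-login count per source IP address."""
    return Counter(src for _, src in events)


def outlier_sources(counts, z=3.0):
    """Sources whose count lies more than z population standard deviations above
    the mean across all sources: the dashboard's 'Standard Deviation = 3' view."""
    if len(counts) < 2:
        return []
    values = list(counts.values())
    mean = statistics.fmean(values)
    sd = statistics.pstdev(values)
    if sd == 0:
        return []
    return sorted(src for src, n in counts.items() if n > mean + z * sd)


def distributed_targets(events, min_sources=10, max_per_source=2):
    """Accounts hit from many distinct sources that each made only a couple of
    attempts: the low-and-slow pattern a per-source threshold never sees."""
    per_target = defaultdict(Counter)
    for user, src in events:
        per_target[user][src] += 1
    return {user: sorted(srcs) for user, srcs in per_target.items()
            if len(srcs) >= min_sources and max(srcs.values()) <= max_per_source}


def classify(lines, blocklist=frozenset(), z=3.0, min_sources=10, max_per_source=2):
    """Classify a batch of log lines as single_source, distributed or none."""
    events = parse_failed_logins(lines)
    outliers = outlier_sources(failures_by_source(events), z)
    if len(outliers) == 1:
        return {"kind": "single_source", "sources": outliers}
    if len(outliers) > 1:  # several heavy hitters: multiple addresses, so distributed
        return {"kind": "distributed", "sources": outliers}
    spread = distributed_targets(events, min_sources, max_per_source)
    if spread:
        sources = sorted({s for srcs in spread.values() for s in srcs})
        return {"kind": "distributed", "targets": sorted(spread), "sources": sources,
                "blocklisted": sorted(set(sources) & set(blocklist))}
    return {"kind": "none", "sources": []}


def _line(minute, second, user, src, port):
    # Constructed sshd-style line; addresses come from documentation ranges.
    return (f"Apr 14 10:{minute:02d}:{second % 60:02d} bastion sshd[{2000 + port % 1000}]: "
            f"Failed password for {user} from {src} port {port} ssh2")


# Constructed sample 1: one host hammering root, plus 30 ordinary hosts with one
# or two mistyped passwords each (31 sources in total).
SINGLE_SOURCE_LOGS = (
    [_line(1, i, "root", "203.0.113.5", 50000 + i) for i in range(40)]
    + [_line(2, i, "alice", f"192.0.2.{i + 1}", 40000 + i + k)
       for i in range(30) for k in range(1 + i % 2)]
)

# Constructed sample 2: twenty bots each trying "admin" once or twice, then moving on.
DISTRIBUTED_LOGS = [
    _line(3, i, "admin", f"198.51.100.{(i % 20) + 1}", 30000 + i) for i in range(30)
]

# Constructed blocklist of "known botnet" addresses.
BLOCKLIST = frozenset({"198.51.100.3", "198.51.100.7", "198.51.100.250"})

if __name__ == "__main__":
    print(classify(SINGLE_SOURCE_LOGS))
    print(classify(DISTRIBUTED_LOGS, BLOCKLIST))
```

On the distributed sample the outlier test finds nothing (per-source counts are 1 or 2, mean 1.5, standard deviation 0.5, so no source exceeds 3), which is exactly the evasion the section describes and why the second check and the blocklist are needed. One caveat for the outlier test itself: a single extreme source inflates the standard deviation it is measured against, so with population standard deviation no source can exceed z = 3 unless there are at least 11 sources in the population; over a small population, look at the raw counts rather than the outlier filter.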

More info/ideas: http://ddos.arbornetworks.com/2008/12/distributed-ssh-brute-force-attacks/

Last modified on 14 April, 2014

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

