Brute force attacks
This page is currently a work in progress. Any information presented here might be incomplete or incorrect, and frequent near-term updates are expected.
A brute force attack is an attempt to gain access by systematically trying passwords or keys against accounts. One password may be tried against many accounts, or many passwords against one account. Brute force attacks on your deployment may come from one IP address (a single source brute force attack) or from multiple IP addresses (a distributed brute force attack).
Single source brute force attack
In a single source brute force attack, multiple login attempts come from a single IP address. To detect this, use the statistics in the URL Length Analysis dashboard to find large numbers of small messages. Set the Standard Deviation to "3" or higher to view only the outliers, and look for high counts of small messages in the search results. These can indicate repeated attempts to log in.
Find the source IP address for these messages. Click one of the small messages to open the results in the Search dashboard, then click src in the Interesting Fields panel to see the source of these messages. Note whether there is one source or more than one. A single source IP address indicates a single source brute force attack; multiple addresses indicate a distributed brute force attack.
- Create an alert for this IP address.
- Assign an Enterprise Security analyst to identify any systems compromised by the source.
- Assign an administrator to block the IP address at the firewall.
Distributed brute force attack
In a distributed brute force attack, the attempts to gain access come from a variety of different IP addresses.
This type of attack uses "bots", compromised hosts that are part of a botnet. Each bot tries one or two logins from its own IP address before moving on, and another IP address in the botnet then tries a new login. An IP address may reappear, but only after a while. This tactic defeats simple per-address rate-based triggers ("alert after x failures from one address"), because no single address ever crosses the threshold.
These botnets target specific SSH servers, not every one. The defense against this type of attack is a blocklist of known botnet addresses. Because a blocklist only covers addresses already known to be bad, also count failures per target account or host across all sources, which is what a distributed attack cannot hide.
- Add a blocklist to Enterprise Security.
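The two detections described above (a per-source count for the single source case, a per-account count across distinct sources for the distributed case) and the blocklist check, as an added example in Python run over a handful of sshd log lines. This is not code from this page or from Splunk; the log lines are constructed, the threshold values (5 failures, 3 distinct sources) and the known-bad address set are assumptions to tune for your environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd auth log lines (not from the page or from Splunk): one single-source
# attacker (203.0.113.10), a distributed botnet (198.51.100.x) aimed at the "deploy"
# account, and a user who mistyped her password twice.
SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[4101]: Failed password for root from 203.0.113.10 port 51000 ssh2
Mar 10 09:00:02 bastion sshd[4102]: Failed password for root from 203.0.113.10 port 51001 ssh2
Mar 10 09:00:03 bastion sshd[4103]: Failed password for invalid user admin from 203.0.113.10 port 51002 ssh2
Mar 10 09:00:04 bastion sshd[4104]: Failed password for invalid user oracle from 203.0.113.10 port 51003 ssh2
Mar 10 09:00:05 bastion sshd[4105]: Failed password for invalid user test from 203.0.113.10 port 51004 ssh2
Mar 10 09:00:06 bastion sshd[4106]: Failed password for root from 203.0.113.10 port 51005 ssh2
Mar 10 09:01:10 bastion sshd[4110]: Failed password for deploy from 198.51.100.21 port 40001 ssh2
Mar 10 09:03:12 bastion sshd[4111]: Failed password for deploy from 198.51.100.22 port 40002 ssh2
Mar 10 09:05:15 bastion sshd[4112]: Failed password for deploy from 198.51.100.23 port 40003 ssh2
Mar 10 09:07:18 bastion sshd[4113]: Failed password for deploy from 198.51.100.24 port 40004 ssh2
Mar 10 09:09:20 bastion sshd[4114]: Failed password for deploy from 198.51.100.25 port 40005 ssh2
Mar 10 09:11:22 bastion sshd[4115]: Failed password for deploy from 198.51.100.21 port 40006 ssh2
Mar 10 09:12:00 bastion sshd[4120]: Failed password for alice from 192.0.2.5 port 60000 ssh2
Mar 10 09:12:04 bastion sshd[4121]: Accepted password for alice from 192.0.2.5 port 60001 ssh2
Mar 10 09:12:30 bastion sshd[4122]: Failed password for alice from 192.0.2.5 port 60002 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Return one {'user', 'src'} dict per failed login; successful logins are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append({"user": m.group("user"), "src": m.group("src")})
    return events


def classify(events, per_src_threshold=5, per_user_threshold=5, min_distinct_srcs=3):
    """Split failed logins into single-source and distributed brute force candidates.

    single_source: {src: failures} for any source with >= per_src_threshold failures
                   (the simple per-address rate trigger).
    distributed:   {user: [srcs]} for any target account with >= per_user_threshold
                   failures spread over >= min_distinct_srcs addresses, none of which
                   trips the per-source trigger on its own.
    Thresholds are assumed values; tune them to your own traffic.
    """
    per_src = Counter(e["src"] for e in events)
    per_user = Counter(e["user"] for e in events)
    srcs_by_user = defaultdict(set)
    for e in events:
        srcs_by_user[e["user"]].add(e["src"])

    single_source = {src: n for src, n in per_src.items() if n >= per_src_threshold}

    distributed = {}
    for user, n in per_user.items():
        srcs = srcs_by_user[user]
        if (n >= per_user_threshold
                and len(srcs) >= min_distinct_srcs
                and not any(s in single_source for s in srcs)):
            distributed[user] = sorted(srcs)
    return {"single_source": single_source, "distributed": distributed}


def blocklist_hits(events, blocklist):
    """Failed logins whose source is already on a known-bad list (the blocklist defense)."""
    return [e for e in events if e["src"] in blocklist]


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    result = classify(evts)
    print("single source:", result["single_source"])   # only 203.0.113.10 crosses 5
    print("distributed:  ", result["distributed"])     # deploy, hit from 5 addresses
    # Assumed blocklist of two botnet members; the other three are only caught by the
    # per-account count above, which is why both checks are needed.
    known_bad = {"198.51.100.22", "198.51.100.24"}
    print("blocklist hits:", len(blocklist_hits(evts, known_bad)))
```

The per-address trigger alone flags 203.0.113.10 and nothing else: every botnet member stays at one or two failures, exactly the evasion described above. Grouping by target account and counting distinct sources (in SPL terms, roughly `stats count, dc(src) by user`) is what surfaces the deploy account, and the blocklist then catches the members you already know about.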
More info/ideas: http://ddos.arbornetworks.com/2008/12/distributed-ssh-brute-force-attacks/
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1