Password Guessing Attack
128
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,
VOL. 9,
NO. 1, JANUARY/FEBRUARY 2012
Revisiting Defenses against Large-Scale Online Password Guessing Attacks
Mansour Alsaleh, Mohammad Mannan, and P.C. van Oorschot, Member, IEEE
Abstract—Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy of existing and proposed login protocols designed to address largescale online dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). We propose a new Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, legitimate users in most cases (e.g., when attempts are made from known, frequently-used machines) can make several failed login attempts before being challenged with an ATT. We analyze the performance of PGRP with two real-world data sets and find it more promising than existing proposals. Index Terms—Online password guessing attacks, brute force attacks, password dictionary, ATTs.
Ç
1 INTRODUCTION
NLINE guessing
O
attacks on password-based systems are inevitable and commonly observed against web applications and SSH logins. In a recent report, SANS [20] identified password guessing attacks on websites as a top cyber security risk. As an example of SSH passwordguessing attacks, one experimental Linux honeypot setup has been reported [18] to suffer on average 2,805 SSH malicious login attempts per computer per day (see also [8]). Interestingly, SSH servers that
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,
VOL. 9,
NO. 1, JANUARY/FEBRUARY 2012
Revisiting Defenses against Large-Scale Online Password Guessing Attacks
Mansour Alsaleh, Mohammad Mannan, and P.C. van Oorschot, Member, IEEE
Abstract—Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy of existing and proposed login protocols designed to address largescale online dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). We propose a new Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, legitimate users in most cases (e.g., when attempts are made from known, frequently-used machines) can make several failed login attempts before being challenged with an ATT. We analyze the performance of PGRP with two real-world data sets and find it more promising than existing proposals. Index Terms—Online password guessing attacks, brute force attacks, password dictionary, ATTs.
Ç
1 INTRODUCTION
NLINE guessing
O
attacks on password-based systems are inevitable and commonly observed against web applications and SSH logins. In a recent report, SANS [20] identified password guessing attacks on websites as a top cyber security risk. As an example of SSH passwordguessing attacks, one experimental Linux honeypot setup has been reported [18] to suffer on average 2,805 SSH malicious login attempts per computer per day (see also [8]). Interestingly, SSH servers that