The bane of all popular Content Management Systems is that they are targeted by the community of hackers. Within this community there are ethical hackers as well as those who prefer the “dark side” of hacking. Thanks to the availability of brute force password cracking tools, anyone with no particular talent can join in. Here is a post on Reddit.com where a hacker is asking the hacking community for advice on acquiring password cracking software.
The ubiquitous nature of this type of software and the simplicity of the method make brute force hacking very popular. It is crude, but it will work when done continuously on a mass scale. The automated software will operate tirelessly 24/7 on its task.
Software is also used to harvest large lists of target websites, often seeking out sites that exhibit the “footprints” typical of popular content management systems. Once the login page of the victim’s site is found, the software proceeds to try out multiple password combinations, often drawn from huge lists of common passwords. While common usernames such as “admin” are used, many hackers have methods of ascertaining the site owner’s true username.
One common countermeasure employed against brute force attacks is to ban the IP address of any person or robot that makes more than a certain number of failed login attempts. After this limit is exceeded, further login attempts by anyone from the banned IP address will be rejected. There are plugins available that automatically perform this IP banning process. People using these will look at the logs of failed brute force attempts and breathe a sigh of relief that they now have an impregnable defense.
This feeling of security is only valid if the number of IPs banned on a daily basis is relatively small. If the plugin is banning hundreds or even thousands of IP addresses every day, then any feeling of security is an illusion.
Why is that? Because the plugin is only limiting the number of attempts from each IP rather than stopping attacks altogether. Suppose the plugin is set to ban an IP after 5 failed attempts. If brute force attacks then arrive from 30,000 unique IP addresses each day (people actually do experience this kind of attack frequency), that is 5 x 30,000 = 150,000 tries at guessing your password every single day.
That is the innate flaw of banning IP addresses. In order for this method to work, it must allow a number of break-in attempts to occur first. IP banning is “leaky.” If hackers throw attacks at your login page from enough unique IP addresses, they can score a sizable number of guesses at your password every single day.
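To make that arithmetic concrete, here is an added Python example (not code from the original post or from any plugin) that replays a constructed stream of failed logins through a per-IP ban set at 5 attempts, then counts the guesses that still got through by target account instead of by source IP. The IP range, the “admin” username and the attempt counts are constructed sample values.

```python
from collections import Counter, defaultdict
from ipaddress import IPv4Address

PER_IP_LIMIT = 5  # failed attempts before an IP is banned (the post's example setting)


def replay_ip_banning(events, per_ip_limit=PER_IP_LIMIT):
    """Replay failed-login events (ip, username) through a per-IP ban.

    Returns the events the ban did NOT stop, i.e. the guesses that still
    reached the password check, together with the number of banned IPs.
    """
    failures = defaultdict(int)
    leaked = []
    for ip, user in events:
        if failures[ip] >= per_ip_limit:  # IP already banned: attempt rejected
            continue
        failures[ip] += 1                  # still under the limit: guess is tried
        leaked.append((ip, user))
    banned = sum(1 for n in failures.values() if n >= per_ip_limit)
    return leaked, banned


def guesses_per_account(leaked):
    """Count the guesses that got through, keyed by the account they targeted.

    Per-IP counters see only 5 failures from each source and stay quiet;
    aggregating the same events by account shows the 150,000 tries that
    the distributed attack actually landed on one login.
    """
    return Counter(user for _ip, user in leaked)


def constructed_attack(unique_ips=30_000, tries_per_ip=7, user="admin"):
    """Constructed sample traffic (not real logs): every source IP keeps
    trying past the ban limit, as automated tools do, from 10.0.0.0 upward."""
    base = int(IPv4Address("10.0.0.0"))
    for i in range(unique_ips):
        ip = str(IPv4Address(base + i))
        for _ in range(tries_per_ip):
            yield ip, user


if __name__ == "__main__":
    leaked, banned = replay_ip_banning(constructed_attack())
    print(f"banned IPs: {banned}, guesses that still got through: {len(leaked)}")
    print("guesses per account:", guesses_per_account(leaked).most_common(1))
```

Running it prints 30,000 banned IPs and 150,000 leaked guesses, all against “admin”, which is exactly the budget the paragraph above describes.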
IP banning is no substitute for a very strong password. It won’t protect someone who is using their daughter’s birth date as a password. If you have security questions of your own, don’t hesitate to contact us.