0

I am working with Bro IDS and CIF (cyber threat intelligence) using the Intel framework I am testing.

How can I mitigate brute-force and dictionary-based attacks? I found that the mitigation with regard to brute-force takes more time compared to dictionary-based. I wonder if there is some difference between the mitigation process between brute-force and dictionary-based attacks for IPSs?

  • What do you consider to be the difference between a brute-force and a dictionary attack? In my world, they are basically the same. – schroeder Aug 31 '15 at 01:28
  • @schroeder: I would say brute force is by trying every single combination within the key-space, because you are literally brute forcing it. Dictionary attacks do not do this, they just try common words and variations thereof. Given an infinite amount of time brute force would be successful, whereas a dictionary attack would not. [Brute force](https://en.wikipedia.org/wiki/Brute-force_attack) can be defined as `systematically checking all possible keys`. – SilverlightFox Aug 31 '15 at 14:58
  • @SilverlightFox I'm very familiar with this. I'm asking if the Asker knows and how that understanding affects the answers he expects. A dictionary attack is by definition a subset of a brute-force attack. – schroeder Aug 31 '15 at 15:00
  • Yes, I also guess that brute-force and dictionary attacks should be the same, but I got different results for each one, e.g., the number of authentication events received by the victim before these packets are dropped by the IPS. Therefore I got confused. I am using the Hydra tool for testing. Maybe the rate of sending packets varies between brute-force and dictionary using Hydra, thus the mitigation time also varies. – Javier Richard Quinto Ancieta Sep 01 '15 at 07:20

3 Answers

1

The terminology is not fully universal so I will detail my definitions:

  • A brute-force attack occurs in a situation where there is some secret value X that the attacker wishes to obtain, and the attacker can "test" whether a given potential value for X is the right one or not. So the attacker tries potential values until he hits the right one.

    Such an attack can be online or offline. In an offline attack, the "test" for a potential value is a computation that occurs solely on the attacker's computer. For instance, X is the key for an encryption system, and the attacker has at his disposal a message encrypted with key X, and the attacker knows enough about what the decrypted message should look like to unambiguously detect whether his current guess for X is the right one or not.

    When the attacker cannot run an offline attack, he must resort to an online attack: each test involves talking with the defender's systems (e.g. trying to log on the server). The attacker really prefers offline attacks because they are a lot more discreet (everything happens on the attacker's machine, without leaving any trace) and also because he can speed them up by throwing more hardware at the problem.

  • A dictionary attack is a special-case of a brute-force attack where the secret X is something "human-compatible": this is a value that a human user accepts to memorize and possibly chooses himself; typically, a password. The brute-force attack is then about trying out potential values, i.e. values which are simple enough for the human user to handle in his brain. The set of such values is called the dictionary because what humans choose and keep in their minds is usually words.

    There again, dictionary attacks can be offline or online.

    An important point to consider here is that when X is chosen by a human in his brain, then not all possible values for X are equiprobable: some words are a lot more likely to have been chosen by the user than others (i.e. a human password is much more often "dragonfly" than "kelxdparf", even though both are sequences of 9 lowercase letters). The dictionary is thus a list of guesses for a brute-force attack, ordered from most to least probable.


There are basically three ways to defeat brute-force attacks:

  1. Make it so that the space of potential values for X is large enough that the attack is doomed from the start. E.g. specify that X is a sequence of 128 bits, and generated with a strong PRNG: since a strong PRNG is used, no sequence of 128 bits is more probable than any other, so there is no way for the attacker to optimize his search (there is no order of guesses that is better than others); and the space of possible 128-bit sequences is huge (it has 2^128 = 340282366920938463463374607431768211456 elements) so the attacker's probability of hitting the right one within the next century is abysmally low.

  2. Make it so that no offline attack can be performed. This is not necessarily possible; e.g. in the case of a password-encrypted file, the attack context assumes that the attacker got a copy of the encrypted file and tries to crack it, in which case an offline attack is always possible. But if you can arrange for all attacks to be online, then you can apply countermeasures, e.g. refusing to talk to a given requester after 10 wrong guesses. An extreme case is a smart card, that requires a PIN code and locks itself after a few wrong guesses.

  3. If offline attacks cannot be avoided, then make it so that each guess is unavoidably expensive. This is the whole idea of password hashing. The processing of a given input is done through a function with many iterations, such that all usages are slowed. The concept is that taking 10 milliseconds to verify a password instead of 10 microseconds is normally no hardship for a server (because it does not have to do it many times per second anyway), but making each try 1000x more expensive will also make the brute-force attack 1000x more expensive. This is a trade-off: making password processing more expensive tends to imply increased fragility against denial-of-service attacks.


The main difference between "brute-force" and "dictionary" attacks is that when the secret is human-compatible (the dictionary attack context), then this also means that the space of possible values for the secret is awfully small. Human minds are simply not good at all at remembering complex values; they are even worse at making random choices. Thus, when a dictionary attack applies, the first defence method I explained above (extending the space size) is not possible. So you have to resort to one of the two others.

Avoiding offline dictionary attacks means using communication protocols and architectures that never expose anything that could be used as offline test for a potential value for the secret X. This is outside of the scope of IPS. What an IPS can do is to enforce rejection rules for the second method (mitigation of online attacks): a good IPS should be able to detect when many requests come from the same source, and efficiently block them upon entry.

In that sense, there is no real difference, for the IPS, between a dictionary attack and a non-dictionary brute-force attack. At best, we can say that brute-force attacks that are not dictionary attacks should be defeated through using large spaces for secret values (i.e. in cryptographic terms, for symmetric encryption, use 128-bit keys, not 40-bit keys), making IPS irrelevant.

Tom Leek
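
The per-source rejection rule described in the answer above (refuse a requester after 10 wrong guesses), sketched as an added example that is not part of the original answer and not code from Bro or any IPS product. The limiter only counts failures per source, so it treats a dictionary run and an exhaustive run alike, and the time until the block depends on the guessing rate. The 60-second window, the class and function names, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class FailedLoginLimiter:
    """Drop a source after `threshold` failed logins inside `window` seconds."""

    def __init__(self, threshold=10, window=60.0):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)  # source -> recent failure timestamps
        self.blocked = {}                   # source -> time the block started

    def observe(self, ts, src, ok):
        """Return True if the attempt reaches the server, False if dropped."""
        if src in self.blocked:
            return False
        if not ok:
            recent = self.failures[src]
            recent.append(ts)
            while ts - recent[0] > self.window:  # forget failures outside the window
                recent.popleft()
            if len(recent) >= self.threshold:
                self.blocked[src] = ts
        return True


def guesses(src, rate_per_sec, count):
    """Constructed data: `count` failed logins from `src` at a fixed rate."""
    return [(i / rate_per_sec, src, False) for i in range(count)]


def replay(events, limiter):
    """Feed events in time order; count attempts per source that got through."""
    delivered = defaultdict(int)
    for ts, src, ok in sorted(events):
        if limiter.observe(ts, src, ok):
            delivered[src] += 1
    return dict(delivered)


def demo():
    # Constructed sources (RFC 5737 documentation addresses): two guessing
    # runs at different rates, plus a user who mistypes twice and then logs in.
    events = (guesses("192.0.2.10", 20, 500) + guesses("198.51.100.7", 2, 500)
              + [(1.0, "203.0.113.5", False), (6.0, "203.0.113.5", False),
                 (11.0, "203.0.113.5", True)])
    limiter = FailedLoginLimiter(threshold=10, window=60.0)
    return replay(events, limiter), limiter.blocked


if __name__ == "__main__":
    print(demo())
```

Both guessing sources get exactly 10 attempts through before being dropped; the 20-per-second source is blocked at 0.45 s and the 2-per-second source at 4.5 s, while the user who mistyped twice is never blocked.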
-1

> How can I mitigate brute-force and dictionary-based attacks?

Use strong, complex passwords or even pass-phrases with many bits of entropy so that they won't be as susceptible to brute force/dictionary-based attacks.

> I found that the mitigation with regard to brute-force takes more time compared to dictionary-based. I wonder if there is some difference between the mitigation process between brute-force and dictionary-based attacks for IPSs

I'm going to be straightforward and say No, I don't believe there will be a difference in mitigation between these two types of attacks as they're generally performed the same way or at least using extremely similar methods.

shift_tab
-1

I love this topic, it's the biggest PITA in security.

Password Attacks

To start, let's sum this up into a single category. The goal of an attacker is to break passwords since this is what we commonly use. The term brute forcing a password stems from trying every conceivable possibility and there are two ways to do it, Online and Offline.

Online

Online attacks are straightforward: in web applications you are typically attacking a login form. The most common prevention method is to set a threshold and lock the accounts being attacked, forcing manual administration to look at it.

Offline

This attack happens when a system has been compromised and the attacker has access to a database or password file. The common security measures here are password hashing and salting. (Think Ashley Madison)

Dictionary Attacks

Dictionary Attacks are a form of brute forcing. They are performed by using rainbow tables, which are dictionary based words and combinations which are common. This reduces the scope of an attack, because humans are flawed and lazy. This attack has been very successful.

Entropy

At this point you may be saying "I know this already, what's your point?" Entropy is my point. Password effectiveness is all about randomness and the time it takes an attacker to guess a hashed password. Adding entropy as mitigation is why we have password policies like:

  • Minimum 8 Characters
  • Must contain an uppercase
  • Must contain a lowercase
  • Must contain a number
  • Must contain a special character

All these rules are adding entropy to your passwords and by extension adding mitigation techniques.

Shane Andrie