
Authentication Attacks and Countermeasures

Authentication is the process of proving and validating identity. Once authenticated, users are granted access to resources based on that identity. The entries below describe common attacks directed at the authentication process, the characteristics of each, and the countermeasures against it.

Brute force
A brute force attack defeats a password by exhaustively working through all possible values until the password is found. Because online guesses against a live logon are slow and easy to detect (see account lockout below), the attacker usually:
  • Captures some form of stored or cached credential material, such as a password hash file or a recorded authentication exchange.
  • Attacks that material offline with a password-cracking tool, where the only limit is computing power.
Longer passwords and slow, salted hashing functions raise the cost of every guess.

Dictionary
A dictionary attack guesses a password by running through a list of likely words (a dictionary) rather than every possible string. Symbols, digits, and upper- and lower-case variants are commonly substituted into or appended to each dictionary word. It contrasts with a brute force attack, in which all possibilities are tried. The dictionary attack works because users often choose easy-to-guess passwords; a strong password policy is the best defense against it.
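The difference between the two offline attacks is easiest to see in code. The following is an added example, not code from the original page: it builds a small constructed "password cache" of salted SHA-256 hashes, cracks the two dictionary-based passwords with a tiny word list plus mangling rules (case changes, leet substitutions, common suffixes), and then falls back to exhaustive search for the random one. The word list, salts, passwords, hash construction and alphabet are all assumptions chosen so the example runs offline in seconds.

```python
import hashlib
import itertools
import string

# Constructed sample of captured credential material: (user, salt, sha256(salt + password)).
# The hashes are generated inline so the example runs offline; a real attacker
# would have pulled them from a stolen password file or cached credentials.
def hash_password(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

SAMPLE_CACHE = [
    ("alice", "s1", hash_password("s1", "Sunshine1")),  # dictionary word, capitalized, digit appended
    ("bob",   "s2", hash_password("s2", "p@ssw0rd")),   # dictionary word with two "leet" substitutions
    ("carol", "s3", hash_password("s3", "zq7")),        # short but random: only brute force finds it
]

WORDLIST = ["password", "sunshine", "letmein", "dragon"]   # constructed stand-in for a real word list
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}  # common substitutions users make
SUFFIXES = ("", "1", "123", "!", "2024")
BRUTE_ALPHABET = string.ascii_lowercase + string.digits

def mangle(word):
    """Yield variants of one dictionary word: case changes, every subset of the
    leet substitutions, and common suffixes (a tiny stand-in for the rule
    engines of real cracking tools)."""
    seen = set()
    substitutable = [c for c in LEET if c in word]
    for base in (word.lower(), word.capitalize(), word.upper()):
        for r in range(len(substitutable) + 1):
            for subset in itertools.combinations(substitutable, r):
                leet = "".join(LEET[c.lower()] if c.lower() in subset else c for c in base)
                for suffix in SUFFIXES:
                    candidate = leet + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate

def _try(candidate, remaining, cracked):
    """Hash one candidate against every still-uncracked entry (each has its own salt)."""
    for entry in list(remaining):
        user, salt, digest = entry
        if hash_password(salt, candidate) == digest:
            cracked[user] = candidate
            remaining.remove(entry)

def dictionary_attack(cache, wordlist):
    """Return ({user: password}, number of candidates tried)."""
    cracked, remaining, attempts = {}, list(cache), 0
    for word in wordlist:
        for candidate in mangle(word):
            if not remaining:
                return cracked, attempts
            attempts += 1
            _try(candidate, remaining, cracked)
    return cracked, attempts

def brute_force(cache, alphabet=BRUTE_ALPHABET, max_len=3):
    """Exhaustively try every string over `alphabet` up to `max_len` characters."""
    cracked, remaining, attempts = {}, list(cache), 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            if not remaining:
                return cracked, attempts
            attempts += 1
            _try("".join(chars), remaining, cracked)
    return cracked, attempts

if __name__ == "__main__":
    found, n = dictionary_attack(SAMPLE_CACHE, WORDLIST)
    print(f"dictionary: cracked {found} after {n} candidates")
    leftover = [e for e in SAMPLE_CACHE if e[0] not in found]
    found_bf, n_bf = brute_force(leftover)
    print(f"brute force: cracked {found_bf} after {n_bf} candidates")
```

A few hundred mangled dictionary candidates recover both human-chosen passwords, while the three-character random one costs tens of thousands of guesses; scale the alphabet and length up and the brute force cost grows exponentially, which is exactly why length matters more than symbol substitutions. The per-user salt forces every candidate to be hashed once per uncracked user, which is the defensive purpose of salting.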

Password sniffing
Password sniffing is an attempt to intercept passwords passing over a network. Typically a packet-capture program records traffic on the network, and the attacker then analyzes the captured packets to find the ones that carry credentials. Cleartext protocols such as Telnet, FTP, and HTTP basic authentication hand the password directly to a sniffer. Encryption is the best protection: technologies such as SSL/TLS, SSH, and IPsec protect the credential in transit and go beyond the partial protection that traditional network layout and design (for example, switched segments) provide.

Spoofing
Spoofing hides the true source of packets or redirects traffic to another location. The most common form of spoofing of an IP packet is modification of the source address, so that the real source device is hidden and replies are sent elsewhere. Spoofing attacks:
  • Use forged source and/or destination addresses in packets.
  • Can include site spoofing (a look-alike web site or e-mail) that tricks users into revealing information.

Countermeasures to prevent spoofing are:

  • Implement ingress and egress filters on firewalls and routers to keep spoofed packets from crossing into or out of your private network. Ingress filters examine packets coming into the network and drop any whose source address belongs to the inside (or to a reserved range that cannot be a legitimate outside source); egress filters examine packets going out and drop any whose source address does not belong to your own network. These filters are the most effective protection against IP packet spoofing, and egress filtering also keeps your own hosts from being used to spoof others.
  • Use certificates to prove identity.
  • Use reverse DNS lookup of the sending host to check mail sources. This is a weak check: it verifies the name of the connecting host, not the sender address inside the message.
  • Use encrypted and authenticated communication protocols, such as IPsec, so that a forged packet fails authentication even if it gets past the filters.
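The ingress and egress decisions above are simple enough to write out. The following is an added example, not code from the original page: it models an edge router in front of a constructed 10.1.0.0/16 network and applies the two rules to a handful of constructed packets. The prefixes, the bogon list and the packets are assumptions; in practice the same rules are expressed as firewall rules or router access lists rather than Python.

```python
import ipaddress

# Constructed topology: the protected network behind the edge router is 10.1.0.0/16.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.1.0.0/16")]

# Source ranges that can never legitimately arrive from the Internet
# (private and loopback space; a production bogon list is longer).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)

def filter_packet(direction, src, dst):
    """Decide the fate of one packet at the network edge.

    direction is "ingress" (arriving from outside) or "egress" (leaving).
    Returns ("accept" | "drop", reason).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "ingress":
        # Ingress rule: nothing from outside may claim an inside source address
        # (the classic spoof used to impersonate a trusted host), and nothing
        # from outside may carry a bogon source.
        if in_any(src, INTERNAL_PREFIXES):
            return "drop", "ingress: outside packet claims an inside source address"
        if in_any(src, BOGON_PREFIXES):
            return "drop", "ingress: source address is in a reserved (bogon) range"
        return "accept", "ingress: source is plausible for the outside interface"
    if direction == "egress":
        # Egress rule: everything leaving must carry one of our own addresses;
        # otherwise an inside host is spoofing someone else (or is compromised).
        if not in_any(src, INTERNAL_PREFIXES):
            return "drop", "egress: source address does not belong to this network"
        return "accept", "egress: source belongs to this network"
    raise ValueError("direction must be 'ingress' or 'egress'")

# Constructed packets: (direction, source, destination).
SAMPLE_PACKETS = [
    ("ingress", "203.0.113.7",  "10.1.0.10"),    # normal inbound packet
    ("ingress", "10.1.5.5",     "10.1.0.10"),    # outsider pretending to be an inside host
    ("ingress", "192.168.1.1",  "10.1.0.10"),    # bogon source
    ("egress",  "10.1.0.10",    "203.0.113.7"),  # normal outbound packet
    ("egress",  "198.51.100.9", "203.0.113.7"),  # inside host spoofing a foreign source
]

def audit(packets=SAMPLE_PACKETS):
    """Apply the filter to each packet and return the list of (packet, verdict)."""
    return [(pkt, filter_packet(*pkt)) for pkt in packets]

if __name__ == "__main__":
    for pkt, (verdict, reason) in audit():
        print(f"{verdict:6} {pkt}: {reason}")
```

On a Linux router the first ingress rule corresponds to something like `iptables -A FORWARD -i eth0 -s 10.1.0.0/16 -j DROP` (assuming eth0 is the outside interface), and the egress rule to dropping forwarded traffic whose source is not in 10.1.0.0/16. Note that filtering says nothing about packets whose spoofed source is a plausible outside address; that is why the encrypted and authenticated protocols in the list above are still needed.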

Man-in-the-middle
Man-in-the-middle attacks intercept information passing between two communicating parties. In a man-in-the-middle attack:
  • The attacker is logically placed between the client and server, and the client is fooled into authenticating to the attacker.
  • Both endpoints believe they are communicating directly with each other, while the attacker reads and/or modifies the data in transit. The attacker then authenticates to the server using the intercepted credentials.
  • The goal is commonly to steal credit card numbers, online banking credentials, and other confidential personal or business information.

Countermeasures for man-in-the-middle attacks are:

  • Use encrypted communication protocols, such as IPsec or TLS.
  • Use certificates, and make sure clients actually validate them; an untrusted or mismatched certificate must be rejected, not clicked through, or the attacker simply presents his own.
  • Perform mutual authentication, so the server proves its identity to the client as well as the reverse.
  • Use a PKI to issue and verify the certificates.

Replay
In a replay attack, an attacker intercepts and records messages, then sends the captured traffic again at a later time to re-create the authentication without knowing the credential. Countermeasures for replay attacks are:
  • Packet time stamps, so that a message outside a short freshness window is rejected.
  • Packet sequencing, so that a message whose sequence number has already been seen is rejected.
  • A one-time challenge (nonce) from the server that must be included in the response, so a recording of one exchange is useless for the next.
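The two listed countermeasures only work if the attacker cannot simply edit the timestamp and sequence number in the recording, so they are normally bound to the message with a MAC. The following is an added example, not code from the original page: a client stamps each message with a sequence number and timestamp and an HMAC over all three fields, and the server rejects a straight replay, a stale recording, and a tampered copy. The shared key, the message format, the 30-second window and the "login alice" payload are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumed pre-shared key between client and server (constructed for the example).
SHARED_KEY = b"constructed-demo-key-not-for-production"

def make_message(key, seq, timestamp, payload):
    """Client side: bind a sequence number and timestamp to the payload with an
    HMAC, so the server can tell a fresh message from a recorded or edited one."""
    body = json.dumps({"seq": seq, "ts": timestamp, "payload": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Receiver:
    """Server side: accept a message only if its MAC verifies, its timestamp is
    inside the freshness window, and its sequence number has not been used."""

    def __init__(self, key, max_skew=30):
        self.key = key
        self.max_skew = max_skew   # seconds of clock skew / delivery delay tolerated
        self.last_seq = -1         # highest sequence number accepted so far

    def accept(self, msg, now):
        expected = hmac.new(self.key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad MAC (tampered, or not from the key holder)"
        fields = json.loads(msg["body"])
        if abs(now - fields["ts"]) > self.max_skew:
            return False, "timestamp outside freshness window"
        if fields["seq"] <= self.last_seq:
            return False, "sequence number already used (replay)"
        self.last_seq = fields["seq"]
        return True, "accepted"

def demo():
    """Walk through the attack and the defenses; returns the list of verdicts."""
    server = Receiver(SHARED_KEY)
    results = []
    m1 = make_message(SHARED_KEY, 1, 1000, "login alice")
    results.append(server.accept(m1, now=1000))       # genuine message: accepted
    results.append(server.accept(m1, now=1005))       # attacker replays the recording: seq reuse
    stale = make_message(SHARED_KEY, 2, 1000, "login alice")
    results.append(server.accept(stale, now=2000))    # recorded earlier, replayed much later: stale
    m2 = make_message(SHARED_KEY, 2, 1010, "login alice")
    forged = {"body": m2["body"].replace("alice", "mallory"), "tag": m2["tag"]}
    results.append(server.accept(forged, now=1010))   # attacker edits the payload: MAC fails
    results.append(server.accept(m2, now=1010))       # genuine follow-up: accepted
    return results

if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The MAC check runs first so that an attacker who forges a future sequence number or a current timestamp gains nothing. Real protocols apply the same ideas: Kerberos binds a timestamp into the authenticator and keeps a replay cache on the server, and TLS mixes fresh random values from both sides into each handshake.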

Hijacking
Hijacking is an attack in which the attacker steals an open and active session from a legitimate user (an extension of a man-in-the-middle attack). Because the session has already been authenticated, the attacker gains the user's access without ever supplying a credential.
  • The attacker takes over the session and cuts off the original source device.
  • The TCP/IP session state (addresses, ports, and sequence numbers) is manipulated so that the attacker is able to insert alternate packets into the communication stream.

Countermeasures for hijacking are:

  • IPsec or other encryption protocols.
  • Certificate authentication.
  • Mutual authentication.
  • Randomized initial sequence numbers, so the attacker cannot predict the values needed to inject packets.
  • Packet time stamps.
  • Packet sequencing.

Countermeasures for attacks on authentication in general are:

  • Implement a strong password policy.
  • Retain password history to prevent re-use.
  • Use multifactor authentication, so a captured or guessed password alone is not enough to log on.
  • Use strong (unpredictable) sequence numbering.
  • Use timestamps on messages to defeat replay attacks.
  • Audit for excessive failed logon attempts.
  • Monitor the network and systems for sniffing and password-theft tools.
  • Implement account lockout (or progressively longer delays) after multiple incorrect passwords. A hard lockout lets an attacker deny service to a known account simply by failing on purpose, so a delay-based throttle is often the better choice.
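Auditing for failed logons and throttling repeated failures, as described in the list above, can be shown with a small detector. The following is an added example, not code from the original page: it parses constructed sshd-style syslog lines, raises an alert for any source that reaches five failures inside a one-minute sliding window, and computes the exponential back-off delay that a throttle would impose instead of a hard lockout. The log lines, host names, addresses, threshold, window and back-off parameters are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd/syslog-style lines (not from a real system): one source makes
# five failed attempts in eight seconds against several accounts; another makes
# two failures half an hour apart, which is normal user error.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[1001]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:03 bastion sshd[1002]: Failed password for alice from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:04 bastion sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:06 bastion sshd[1004]: Failed password for invalid user root from 203.0.113.5 port 40004 ssh2
Mar  3 10:00:09 bastion sshd[1005]: Failed password for alice from 203.0.113.5 port 40005 ssh2
Mar  3 10:00:20 bastion sshd[1006]: Accepted password for bob from 198.51.100.9 port 50001 ssh2
Mar  3 10:01:00 bastion sshd[1007]: Failed password for bob from 198.51.100.9 port 50002 ssh2
Mar  3 10:30:00 bastion sshd[1008]: Failed password for bob from 198.51.100.9 port 50003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(line, year=2024):
    """Turn one log line into an event dict, or None if it is not an auth line.
    Syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source that reaches `threshold` failed logons inside
    any sliding `window` (online brute force or password spraying)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        event = parse(line)
        if event and event["result"] == "Failed":
            failures[event["src"]].append(event)
    alerts = []
    for src, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1                      # slide the window forward
            if end - start + 1 >= threshold:
                alerts.append({
                    "src": src,
                    "count": end - start + 1,
                    "users": sorted({e["user"] for e in events[start:end + 1]}),
                    "first": events[start]["ts"],
                    "last": events[end]["ts"],
                })
                break                           # one alert per source is enough
    return alerts

def throttle_delay(failed_count, base=1.0, cap=60.0):
    """Seconds to wait before answering the next attempt for a (source, account)
    pair: 0, 1, 2, 4, 8, ... capped. Slows guessing about as well as a lockout
    but cannot be used to lock a victim out on purpose."""
    if failed_count <= 0:
        return 0.0
    return min(cap, base * 2 ** (failed_count - 1))

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {a['src']}: {a['count']} failures {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, accounts {a['users']}")
    print([throttle_delay(n) for n in range(8)])
```

Keying the alert on the source rather than the account is what catches password spraying, where each account sees only one or two failures. In production the same logic belongs in the SIEM or in a tool such as fail2ban rather than a script, but the detection rule is the same.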

Suggestions for strengthening passwords are:

  • Require that passwords:
    • Contain multiple character types: uppercase, lowercase, numbers, and symbols.
    • Are at least eight characters long; longer is better, since each extra character adds more to the brute force cost than symbol substitutions do.
    • Use no part of a username or e-mail address.
  • Avoid dictionary words, slang, or acronyms.
  • Change passwords every 30 days. Note that current guidance (NIST SP 800-63B) no longer recommends forced periodic changes, because they push users toward predictable variations; it instead calls for a change whenever compromise is known or suspected and for screening new passwords against lists of breached passwords.
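A policy like the one above is only enforced if the logon system actually checks it. The following is an added example, not code from the original page: a checker that applies the rules listed (length, character classes, no fragment of the username or e-mail address, no dictionary word even after common substitutions) and returns every violation it finds. The dictionary, the "three of four classes" threshold, the leet map and the sample inputs are assumptions; a real deployment would screen against a breached-password list.

```python
import re
import string

# Constructed stand-in for a breached/common-password list.
COMMON_WORDS = {"password", "sunshine", "letmein", "dragon", "welcome", "qwerty"}

# Undo the substitutions users typically make so "Sunsh1ne" still matches "sunshine".
UNLEET = str.maketrans("@310$", "aeios")

def identifier_fragments(username, email):
    """Pieces of the username and e-mail local part that must not appear in the password."""
    local = email.split("@", 1)[0]
    pieces = re.split(r"[^a-z0-9]+", f"{username} {local}".lower())
    return {p for p in pieces if len(p) >= 3}

def check_password(password, username, email, min_len=8, min_classes=3):
    """Return the list of policy violations; an empty list means the password passes.
    Assumption for this example: at least three of the four character classes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < min_classes:
        problems.append(f"uses only {classes} of 4 character classes")
    lowered = password.lower()
    for frag in identifier_fragments(username, email):
        if frag in lowered:
            problems.append(f"contains part of the username or e-mail address ({frag!r})")
    normalized = lowered.translate(UNLEET)
    for word in COMMON_WORDS:
        if word in normalized:
            problems.append(f"contains the dictionary word {word!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user, mail in [("Kw9#vbLq2m", "alice", "alice@example.com"),
                           ("Sunshine1!", "alice", "alice@example.com"),
                           ("Smith#2024xQ", "bsmith", "bob.smith@example.com"),
                           ("Ab1!", "alice", "alice@example.com")]:
        print(pw, "->", check_password(pw, user, mail) or "ok")
```

Checking the normalized form is what makes the dictionary rule bite: a plain substring test would pass "Sunsh1ne!" and "p@ssw0rd" even though both fall to the dictionary attack described earlier on this page.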