Prevent & Protect Against Brute Force Attacks (2024)

What is a brute force attack?

A brute force attack is when a bad actor attempts a large amount of combinations on a target. These attacks frequently involve multiple attempts on account passwords with the hopes that one of them will be valid.

Every website eventually gets targeted by automated bots. Once attackers gain unauthorized access, they can totally destroy your business. Unless you’re protected by our Web Application Firewall (WAF), here’s what can happen after a brute force attack.


Brute Force Attacks Features

Time delay

There’s often a time delay once access is gained, allowing traffic to die down and server logs to disappear, leaving no trace of the attacker. Some hosts only retain up to seven days of logs, and in some instances no more than 24 hours. If attackers wait long enough, they can log in whenever they like and website owners are none the wiser, making incident handling difficult.

Credential stuffing

Credential stuffing uses lists of usernames and passwords leaked from breaches of other sites and tries them against your login form. Because many people reuse the same password everywhere, a single valid pair from an old dump can open an account on your site without any guessing at all.

Rainbow tables

Hackers who steal password databases initially have a list of hashed passwords. Passwords should never be stored in plain text, but often the same two hashing algorithms are used (MD5 or SHA1). These algorithms are fast and usually applied without a per-user salt, so they are easily defeated: the attacker can build precomputed rainbow tables that match the stored hash output back to the plain text password.
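To make the point concrete, here is an added example (not code from the original page or from Sucuri) that audits a constructed "stolen" password store. It shows why an unsalted fast hash like MD5 falls to a precomputed table, while a per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256, assumed here as the replacement) makes one table useless across users. The wordlist and the stolen hashes are constructed sample data.

```python
import hashlib
import os

# Constructed sample wordlist: stands in for the leaked password dumps the text
# mentions. A real dump has millions of entries, but the mechanism is identical.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "welcome1"]


def unsalted_md5(password: str) -> str:
    """The weak scheme the text describes: one fast, unsalted hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precomputed table mapping hash -> plaintext. This is the core idea behind a
    rainbow table: computed once, reusable against every unsalted database."""
    return {unsalted_md5(word): word for word in wordlist}


def audit_unsalted_store(table, stored_hashes):
    """Defender's audit of a password store: which stored hashes are instantly
    recoverable from the precomputed table? Returns {hash: plaintext} for hits."""
    return {h: table[h] for h in stored_hashes if h in table}


def salted_slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """The defence: a random per-user salt plus an iterated KDF. Identical
    passwords now hash to different values, so one table cannot serve every
    user, and each guess costs `iterations` hash calls instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def salted_hashes_collide(password: str) -> bool:
    """Two users choosing the same password get distinct stored values."""
    first = salted_slow_hash(password, os.urandom(16))
    second = salted_slow_hash(password, os.urandom(16))
    return first == second


if __name__ == "__main__":
    # Constructed "stolen database": three users, two of whom chose weak passwords.
    stolen = [unsalted_md5("password"), unsalted_md5("qwerty"), unsalted_md5("Xk9#vL2!pQ")]
    hits = audit_unsalted_store(build_lookup_table(COMMON_PASSWORDS), stolen)
    print(f"{len(hits)} of {len(stolen)} unsalted hashes recovered from the table")
    print("salted duplicates collide:", salted_hashes_collide("password"))
```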

Dictionary & hybrid attacks

A basic brute force attack attempts to guess every possible combination of characters until access is granted. This method works quickly if the password is short, but becomes exhausting with longer passwords. A dictionary attack guesses using entire words, while a hybrid attack combines basic and dictionary attack techniques.

Password-cracking tools

A large selection of password-cracking tools can help attackers trying to break into your website. The tools have various modes to make the attack cover as much ground as possible. With computers able to guess passwords at hundreds of millions per second, so-called strong passwords are often crackable in under an hour of repeated attempts.

Reconnaissance

Most often, brute-force attacks are not targeted. But when they are, it’s even more dangerous. Attackers can use information about website administrators and users through phishing lures, online profiles, and previous password dumps associated with the user email address. From there, crackers can make custom rule-based attacks that leave you completely exposed.

How our WAF prevents brute force attacks

Our Web Application Firewall (WAF) detects fake browsers and bad bots, and then blocks them automatically. A strong correlation engine shuts down brute force attempts without affecting your good users. Here’s a look under the hood of our WAF.


How the Sucuri firewall protects your site from brute force attacks

Signature detection

We employ a solution that uses heuristic and signature-based techniques. Incoming traffic is sanitized before reaching your website. If there are patterns matching a brute-force attack, we block it before it ever reaches your website.

Bot & scan blocking

When our WAF detects a specific bot trying to attack your site using a brute force technique, it is blocked automatically. Similarly, the use of automated tools to scan your website is also blocked, helping to keep your website off attackers’ radar.

2FA, CAPTCHA, or passcodes

Add another layer of protection by enabling the Protected Page option. Specify the page you want to protect, and choose to enable two-factor authentication with Google Authenticator, use a CAPTCHA to stop bots, or add an extra static passcode.

Limit login attempts

Attackers know overusing a login form will draw suspicion through obvious patterns in server logs, built-in limitations, and alerts. A target can be pursued over months and even years with a limited number of requests at one time.
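The passage above describes low-and-slow guessing that stays under short-window limits and outlives log retention. The following added example (not Sucuri's code, not from the original page) shows a failed-login limiter whose sliding window is a week long rather than minutes, so thinly spread attempts against one account or from one source IP still accumulate. Attempt data and IP addresses are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginLimiter:
    """Tracks failed logins per key (account name or source IP) over a long
    sliding window, so attempts spread thinly over days still add up."""
    max_failures: int = 10
    window_seconds: int = 7 * 24 * 3600  # a week: longer than many hosts keep logs
    _failures: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, key: str, now: float) -> None:
        # Drop failures that have aged out of the window.
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def record_failure(self, key: str, now: float) -> None:
        self._prune(key, now)
        self._failures[key].append(now)

    def is_blocked(self, key: str, now: float) -> bool:
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_failures


def replay(limiter: LoginLimiter, attempts):
    """attempts: (timestamp, account, ip, succeeded) tuples in time order.
    Returns the attempts that would be rejected before any password check."""
    rejected = []
    for ts, account, ip, ok in attempts:
        if limiter.is_blocked(account, ts) or limiter.is_blocked(ip, ts):
            rejected.append((ts, account, ip))
            continue
        if not ok:
            limiter.record_failure(account, ts)
            limiter.record_failure(ip, ts)
    return rejected


def low_and_slow_sample():
    """Constructed attempts: one guess per hour against 'admin' from a single
    IP, plus a legitimate user who mistypes her password once and then logs in."""
    hour = 3600.0
    attempts = [(i * hour, "admin", "203.0.113.7", False) for i in range(12)]
    attempts.append((2.5 * hour, "alice", "198.51.100.4", False))
    attempts.append((2.6 * hour, "alice", "198.51.100.4", True))
    return sorted(attempts)
```

A limiter with a 15-minute window (`LoginLimiter(window_seconds=900)`) rejects nothing in this sample, which is exactly the gap the slow attacker relies on.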

Allowlisting

Allowlisting makes certain that only authorized users can log in to your website. When adding your site to our firewall, we will give you the option of blocking access to specific pages. Only people with allowlisted IPs will be able to log in.

Country/geo blocking

Most brute-force attack attempts come from a handful of countries. If you aren’t doing business there, you can completely block all visitors from those IP ranges. We even have an option allowing you to block the top three attack countries by default.

Stop all brute force attacks

Using a combination of detection and allowlisting, the Sucuri Web Application Firewall (WAF) stops brute force attempts in their tracks. Rely on our WAF to protect any website against a number of different password cracking tools and brute force methods.


Article information

Author: Clemencia Bogisich Ret