

Brute force attack questions

Posted on 2009-12-20
Medium Priority
Last Modified: 2012-06-21

This past weekend, my website went down. After putting my (outsourced) server admin company, they told me there had been a brute force attack, and that they blocked the IP that it originated from. My site is an ASP.NET one running on Windows Server.

I have a few questions, and please keep in mind I'm not a server maven when answering!

1. How does a brute force attack shut down a website? I understand DDoS, but isn't a brute force attack just one IP trying many, many user/password combos to try and get through to my server?

2. Are there any ways to protect a server from brute force attacks?

3. Where in my server can I see this attack? I.e. is there a log of all attempted logins?

Question by:Feivi99
LVL 10

Accepted Solution

lof earned 336 total points
ID: 26092330
A brute-force attack may cause the same effects as a DDoS, and for the observer there won't be any difference, as it lies mainly in the attacker's objectives. In a DDoS the attacker's goal is to spawn more requests than a server may handle, and in brute force the attacker tries to get past the security by using brute force, which may result in spawning more requests than the server may handle.

Brute force is hardly ever one IP and one host, as it would take forever and would be too easy to block. Most likely you will see a whole botnet working on the case.

In regards to traces left on your server, it all depends on the level of the attack. If you are running Windows, it might have been on any of the open protocols that support some kind of authentication: RDP, DC, SQL, IIS, for example. But it could have been through one of your websites, a CMS for example. Depending on what kind of attack it was, or rather what part of the system was attacked, you may find some traces in various logs. Depending on log configuration and sensitivity, you may not see anything.
LVL 21

Assisted Solution

farazhkhan earned 332 total points
ID: 26094168

To a hacker, anything that must be kept under lock and key is probably worth stealing. If your Web site (or a portion of it) requires a user to log in and be authenticated, then the odds are good that a hacker has tried to break into it. In terms of processing power, it is expensive for a Web site to require authentication, so it is usually only required when the site stores valuable private information. Corporate intranet sites can contain confidential data such as project plans and customer lists. E-commerce sites often store users' email addresses and credit card numbers. Bypassing or evading authentication in order to steal this data is clearly high on a hacker's priority list, and today's hackers have a large library of authentication evasion techniques at their disposal.

The best way to prevent a hacker from being successful in a brute force attack is to use a very strong password policy. Maybe this is not feasible in a web hosting environment, but if it is possible in your case, you can enable account lockout after 3 bad password attempts, which stops brute forcing in its tracks; set the account either to unlock automatically after 60 mins or so that only the admin can unlock it.
Also, you should restrict the number of login attempts that a user can perform, and when you see multiple failed login attempts you should ban the user's IP and always keep a close eye on your log files for suspicious login attempts.

You can see this attack in all the bad login attempts under the Windows event log; for ASP those will be under the application log, and you can also get the IP from there (I have attached a snap for you regarding an ASP site having brute force). For detailed information you can go through the IIS logs.

Also this article is worth reading: http://www.wwwcoder.com/parentid/148/tabid/68/type/art/site/6488/default.aspx

Faraz H. Khan
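
As an added example (not part of the original answers): a Python script for the log review suggested above, which reads IIS W3C-format log text and flags client IPs with repeated failed logins inside a short window. The login path, window, threshold and the rule that a login POST without a redirect counts as a failure are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/login.aspx"     # assumption: the site's forms-login page
WINDOW = timedelta(minutes=5)  # assumption: sliding window per client IP
THRESHOLD = 3                  # assumption: failures in WINDOW before flagging
# Constructed sample in IIS W3C extended format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2010-01-02 03:10:01 POST /login.aspx 203.0.113.7 200
2010-01-02 03:10:02 POST /login.aspx 203.0.113.7 200
2010-01-02 03:10:04 POST /login.aspx 203.0.113.7 200
2010-01-02 03:10:07 POST /login.aspx 203.0.113.7 200
2010-01-02 03:11:30 POST /login.aspx 198.51.100.20 200
2010-01-02 03:11:52 POST /login.aspx 198.51.100.20 302
2010-01-02 04:00:00 GET /admin/ 192.0.2.9 401
2010-01-02 05:00:00 GET /admin/ 192.0.2.9 401
2010-01-02 06:00:00 GET /admin/ 192.0.2.9 401
"""

def parse_w3c(text):
    """Yield one dict per request; column names come from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_failed_login(row):
    """401 = rejected HTTP auth; a login POST with no redirect (302) = failed form login."""
    return row["sc-status"] == "401" or (
        row["cs-method"] == "POST" and row["sc-status"] != "302"
        and row["cs-uri-stem"].lower() == LOGIN_PATH)

def suspicious_ips(text, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: peak failed-login count seen inside one window}."""
    recent, peak = defaultdict(deque), {}
    for row in filter(is_failed_login, parse_w3c(text)):
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        hits = recent[row["c-ip"]]
        hits.append(ts)
        while ts - hits[0] > window:         # drop attempts older than the window
            hits.popleft()
        if len(hits) >= threshold:
            peak[row["c-ip"]] = max(peak.get(row["c-ip"], 0), len(hits))
    return peak
```

Real IIS logs carry more columns; the parser takes whatever the `#Fields` line declares, so only the six columns used here need to be enabled in logging.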
LVL 17

Assisted Solution

Rovastar earned 332 total points
ID: 26095164
The explanations there are good, so no need to go into any more detail.

Just to add, if you are worried about DDoS via brute force or any other method: for IIS7/Windows 2008 there is a module to stop this that Microsoft provides.

It is the dynamic IP restriction module, in workable beta.

