Brute force attack questions

Posted on 2009-12-20
Last Modified: 2012-06-21

This past weekend, my website went down. After putting my (outsourced) server admin company, they told me there had been a brute force attack, and that they blocked the IP that it originated from. My site is an one running on Windows Server.

I have a few questions, and please keep in mind I'm not a server maven when answering!

1. How does a brute force attack shut down a website? I understand DDoS, but isn't a brute force attack just one IP trying many, many user/password combos to try and get through to my server?

2. Are there any ways to protect a server from brute force attacks?

3. Where in my server can I see this attack? I.e. is there a log of all attempted logins?

Question by:Feivi99
    LVL 10

    Accepted Solution

    A brute-force attack may cause the same effects as a DDoS, and for the observer there won't be any difference, as it lies mainly in the attacker's objectives. In a DDoS the attacker's goal is to spawn more requests than a server can handle, while in a brute-force attack the attacker tries to get past the security by using brute force, which may result in spawning more requests than the server can handle.

    Brute force is hardly ever one IP and one host, as it would take forever and would be too easy to block. Most likely you will see a whole botnet working on the case.

    In regard to traces left on your server, it all depends on the level of the attack. If you are running Windows, it might have been on any of the open protocols that support some kind of authentication: RDP, DC, SQL, IIS, for example. But it could have been through one of your websites, a CMS for example. Depending on what kind of attack it was, or rather what part of the system was attacked, you may find some traces in various logs. Depending on log configuration and sensitivity, you may not see anything.
    LVL 21

    Assisted Solution


    To a hacker, anything that must be kept under lock and key is probably worth stealing. If your Web site (or a portion of it) requires a user to log in and be authenticated, then the odds are good that a hacker has tried to break into it. In terms of processing power, it is expensive for a Web site to require authentication, so it is usually only required when the site stores valuable private information. Corporate intranet sites can contain confidential data such as project plans and customer lists. E-commerce sites often store users' email addresses and credit card numbers. Bypassing or evading authentication in order to steal this data is clearly high on a hacker's priority list, and today's hackers have a large library of authentication evasion techniques at their disposal.

    The best way to prevent a hacker from being successful in a brute force attack is to use a very strong password policy. This may not be feasible in a web hosting environment, but if it is possible in your case, you can enable account lockout after 3 bad password attempts, which stops brute forcing in its tracks. Set the account either to unlock automatically after 60 mins or so that only the admin can unlock it.
    Also, you should restrict the number of login attempts that a user can perform, and when you see multiple failed login attempts you should ban the user's IP and always keep a close eye on your log files for suspicious login attempts.

    You can see this attack in the bad login attempts recorded in the Windows event log; for ASP, those will be under the application log, and you can also get the IP from there (I have attached a snap for you of an ASP site under brute force). For detailed information, you can go through the IIS logs.

    Also this article is worth reading:

    Faraz H. Khan
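
The advice above to watch the IIS logs for repeated failed logins and ban the offending IP can be sketched as follows. This is an added example, not part of the original answers: it assumes the protected area uses HTTP (Basic or Windows) authentication so failures are logged as status 401, that the `date`, `time`, `c-ip` and `sc-status` fields are enabled, and the function names, threshold and window are hypothetical values to tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (documentation-range IPs).
# IIS writes these timestamps in UTC by default.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2009-12-19 03:10:01 GET /admin/ - 203.0.113.7 401
2009-12-19 03:10:02 GET /admin/ - 203.0.113.7 401
2009-12-19 03:10:03 GET /admin/ - 203.0.113.7 401
2009-12-19 03:10:04 GET /admin/ - 203.0.113.7 401
2009-12-19 09:00:00 GET /admin/ - 198.51.100.20 401
2009-12-19 09:00:20 GET /admin/ - 198.51.100.20 401
2009-12-19 09:00:40 GET /admin/ bob 198.51.100.20 200
2009-12-19 10:00:00 GET /admin/ - 192.0.2.5 401
2009-12-19 11:00:00 GET /admin/ - 192.0.2.5 401
2009-12-19 12:00:00 GET /admin/ - 192.0.2.5 401
"""

def parse_w3c(text):
    """Yield one dict per request; column names come from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the directive can change mid-file
        elif line.strip() and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["when"] = datetime.strptime(f"{row['date']} {row['time']}",
                                            "%Y-%m-%d %H:%M:%S")
            yield row

def flag_bruteforce(rows, threshold=3, window=timedelta(minutes=1), fail=("401",)):
    """Map each client IP to the time it first hit `threshold` failures in `window`."""
    recent, flagged = defaultdict(deque), {}
    for row in rows:                           # rows are assumed to be in time order
        if row.get("sc-status") not in fail:
            continue
        ip, when = row["c-ip"], row["when"]
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:         # drop failures older than the window
            hits.popleft()
        if len(hits) >= threshold:
            flagged.setdefault(ip, when)
    return flagged

if __name__ == "__main__":
    for ip, when in flag_bruteforce(parse_w3c(SAMPLE_LOG)).items():
        print(f"{ip} reached the failure threshold at {when} UTC")
```

A site with a form-based login page usually answers a bad password with a 200 or a redirect rather than a 401, so the `fail` filter would need to be adapted to how that application signals a failure.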
    LVL 17

    Assisted Solution

    The explanations there are good, so no need to go into any more detail.

    Just to add, if you are worried about DDoS via brute force or any other method: for IIS7/Windows 2008 there is a module to stop this that Microsoft provides.

    It is the dynamic IP restriction module, in workable beta.
