Brute force attack questions

Hello,

This past weekend, my website went down. After putting my (outsourced) server admin company, they told me there had been a brute force attack, and that they blocked the IP that it originated from. My site is an asp.net one running on Windows Server.

I have a few questions, and please keep in mind I'm not a server maven when answering!

1. How does a brute force attack shut down a website? I understand ddos, but isn't a brute force attack just one ip trying many many user/password combos to try and get through to my server?

2. Are there any ways to protect a server from brute force attacks?

3. Where in my server can I see this attack? I.e. is there a log of all attempted logins?

Thanks
Feivi99Asked:
Who is Participating?
 
lofConnect With a Mentor Commented:
Brute-force attack may cause same effects as DDOS and for the observer there won't be any difference as it lays mainly in attackers objectives. In DDOS attacker goal is to spawn more requests than a server may handle and in Brute-force the attacker tries to get pass the security by using brute force which may result in spawning more requests than the server may handle.

Burte-force is hardly ever a one IP and one host as it would take forever and would be to easy to block. Most likely you will see a whole botnet working on the case.

In regards to traces left on your server it all depends on the level of the attack. If you are running windows it might have been on any of the open protocols that support some kind of authentication, RDP, DC, SQL, IIS for example. But it could have been through one of your websites, CMS for example. Depending on what kind of attack it was, or rather what part of the system was attacked you may find some traces in various logs. Depending on log configuration and sensitivity you may not see anything.
0
 
farazhkhanConnect With a Mentor Commented:
Hi,

To a hacker, anything that must be kept under lock and key is probably worth stealing. If your Web site (or a portion of it) requires a user to login and be authenticated, then the odds are good that a hacker has tried to break into it. In terms of processing power, it is expensive for a Web site to require authentication, so it is usually only required when the site stores valuable private information. Corporate intranet sites can contain confidential data such as project plans and customer lists. E-commerce sites often store users email addresses and credit card numbers. Bypassing or evading authentication in order to steal this data is clearly high on a hackers priority list, and todays hackers have a large library of authentication evasion techniques at their disposal.

The best way to prevent an hacker from being successful in a brute force attack is to use a very strong password policy, also may be this is not feasible in webhosting environment but if possible in case then you can enabling account lock out after 3 bad password attempts stops brute forcing in its tracks , set the account to either unlock automaticly after 60 mins or have it set so that only the admin can unlock it.
Also you should restricting the amount of login attempts that a user can perform and when you see multiple failed login attempts you should ban users IP and always keep a close eye on your log files for suspicious login attempts.

You can see this attack by all bad login attempts under Windows event log, for ASP those will be under application log, you can also get the IP from there(I have Attached an snap for you regarding an ASP site having brute force), for detailed information you can go through IIS logs.

Also this article is worth reading: http://www.wwwcoder.com/parentid/148/tabid/68/type/art/site/6488/default.aspx

Regards,
Faraz H. Khan
BruteForceAttackOnASP.JPG
0
 
RovastarConnect With a Mentor Commented:
The explanation there are good so no need to go into nay more detail.

Just to add if you are worried about DDOS via brute force or any other method. For IIS7/WIndows 2008 there is a module to stop this that microsoft provide.

It is the dynamic ip restriction module in workable beta

http://learn.iis.net/page.aspx/548/using-dynamic-ip-restrictions/
http://www.iis.net/expand/DynamicIPRestrictions
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.