Friday, April 24, 2009

Complicate Brute Force Attacks in ASP.NET

Have you ever used a test program to simulate a Brute Force attack on your login screen? It's pretty vicious and cool at the same time.

On my login screens I've developed for public access I perform the following to help block any Brute Force attempt.

1. Require a CAPTCHA after the third failed login attempt.
2. Lock the account after the fifth failed login attempt (optional).
3. Add a random delay with System.Threading.Thread.Sleep on each failed login attempt.

Of course, none of this is 100% attack-proof, but it sure complicates things.

Below is some pseudocode I used to implement step 3 above:

...
// Sample call to validate the user
if (fncValidateUser(ref mCN, txtUserID.Text.Trim(), txtPassword.Text.Trim()))
{
   ...
   Response.Redirect(strReturnURL, true);
   ...
}
else
{
   // Failed login: delay the response before it goes back to the client
   subDelayRequest();
   ...
}

// Randomly delay the request; I use anywhere between 2 and 20 seconds.
private void subDelayRequest()
{
   int minSeconds = 2;
   int maxSeconds = 20;
   Random rand = new Random();
   // Random.Next(min, max) excludes max, so add 1 to allow the full 20 seconds
   System.Threading.Thread.Sleep(rand.Next(minSeconds, maxSeconds + 1) * 1000);
}
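The three steps above, combined into one server-side component that the login page's code-behind can call before and after the credential check. This is an added example and not the post's own code; the class, enum and member names (FailedLoginTracker, LoginPolicy, RecordFailure, Tracker, ShowMessage, CaptchaIsValid, ShowCaptcha) are assumptions, while fncValidateUser, mCN, txtUserID, txtPassword and strReturnURL are the names used in the snippet above. The failure counter is a per-process dictionary standing in for whatever the user store or shared cache would hold in a real deployment, and the delay is drawn from the framework's CSPRNG rather than from a time-seeded Random so that two concurrent requests do not share a seed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Outcome of the pre-check that runs before the password is even verified.
public enum LoginPolicy
{
    Allow,          // fewer than 3 failures: normal login
    RequireCaptcha, // 3 or 4 failures: step 1, demand a CAPTCHA
    Locked          // 5 or more failures: step 2, refuse the attempt
}

public class FailedLoginTracker
{
    private const int CaptchaThreshold = 3;
    private const int LockThreshold = 5;
    private const int MinDelaySeconds = 2;
    private const int MaxDelaySeconds = 20;

    // Hypothetical in-memory store: userId -> consecutive failures.
    // It is shared across requests, so every access is taken under the lock.
    private readonly Dictionary<string, int> failures =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);
    private readonly object sync = new object();

    public LoginPolicy PolicyFor(string userId)
    {
        int count;
        lock (sync)
        {
            failures.TryGetValue(userId, out count);
        }
        if (count >= LockThreshold) return LoginPolicy.Locked;
        if (count >= CaptchaThreshold) return LoginPolicy.RequireCaptcha;
        return LoginPolicy.Allow;
    }

    // Call after fncValidateUser returns false; returns the new failure count.
    public int RecordFailure(string userId)
    {
        lock (sync)
        {
            int count;
            failures.TryGetValue(userId, out count);
            count++;
            failures[userId] = count;
            return count;
        }
    }

    // Call after a successful login so the counter does not punish the real user later.
    public void RecordSuccess(string userId)
    {
        lock (sync)
        {
            failures.Remove(userId);
        }
    }

    // Step 3: a delay of 2..20 whole seconds (inclusive), returned in milliseconds.
    // Rejection sampling keeps the modulo from favouring any value.
    public static int RandomDelayMilliseconds()
    {
        uint range = (uint)(MaxDelaySeconds - MinDelaySeconds + 1);
        uint limit = uint.MaxValue - (uint.MaxValue % range);
        RandomNumberGenerator rng = RandomNumberGenerator.Create();
        byte[] buf = new byte[4];
        uint sample;
        do
        {
            rng.GetBytes(buf);
            sample = BitConverter.ToUInt32(buf, 0);
        } while (sample >= limit);
        return (int)(MinDelaySeconds + sample % range) * 1000;
    }
}

// How the login button handler would use it, with Tracker being one
// FailedLoginTracker instance shared by the application (assumed name):
//
//   string user = txtUserID.Text.Trim();
//   LoginPolicy policy = Tracker.PolicyFor(user);
//   if (policy == LoginPolicy.Locked) { ShowMessage("Account locked."); return; }
//   if (policy == LoginPolicy.RequireCaptcha && !CaptchaIsValid()) { ShowCaptcha(); return; }
//   if (fncValidateUser(ref mCN, user, txtPassword.Text.Trim()))
//   {
//       Tracker.RecordSuccess(user);
//       Response.Redirect(strReturnURL, true);
//   }
//   else
//   {
//       Tracker.RecordFailure(user);
//       System.Threading.Thread.Sleep(FailedLoginTracker.RandomDelayMilliseconds());
//   }
```

Two things to keep in mind when deploying this. Thread.Sleep holds an ASP.NET worker thread for the whole delay, so a flood of failed logins spread over many accounts can tie up the thread pool; the lockout in step 2 bounds how many delays a single account can trigger, and on ASP.NET versions with async page handlers an `await Task.Delay(ms)` returns the thread to the pool while waiting. The in-process dictionary also resets on an application pool recycle and is not shared between servers in a web farm, which is why the counter belongs in the user store or a shared cache in production.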
