IP address key in countering brute-force attacks

Verizon’s 2020 Data Breach Investigations Report shows that 80% of the breaches caused by hacking involve brute-force or the use of lost or stolen credentials. The content management systems (CMS) are the usual targets of brute-force attacks, as 39.3% of all the websites presumably run on WordPress, the most popular of these.

Cyber criminals choose to attack pages built on CMS because they usually have the same admin page URL across websites and the default login credentials are identical, making these pages a vulnerable target. However, developers and admins can mitigate the risk by reducing IP access to the admin site login page.

A brute-force attack (sometimes called brute-force cracking) is a method of trying various possible passwords until the right one is found. Despite being old, the method is still widely used by hackers, who attempt to gain access to a valid account. It allows bad actors to compromise the whole website and use it as a part of their network. With more people working remotely amid the pandemic, the brute-force attacks against remote desktop attacks via Windows’ Remote Desktop Protocol (RDP) soared. The number reached up to 100,000 attacks a day in the months of April and May 2020.

In the worst case scenario criminals can steal important data, such as passwords, passphrases, emails or personal identification numbers (PINs). They also use compromised websites for various fraud schemes, whereas pages themselves can get included in Google’s blacklist and become invisible in search results.

“Developers and admins can indicate the ongoing brute-force attack by looking at the failed authentications. If the same IP address unsuccessfully tries to login into various accounts or different IP addresses trying to access one account in a short period of time, is a clear sign of a data breach attempt. As IP address is one of the indicators of a cyber attack, it can also be a cure” says Juta Gurinaviciute, the Chief Technology Officer at NordVPN Teams. It is wise therefore to reduce the “surface area” and limit access to the login page, and it can conveniently be done by utilizing IP allowlist, blocklist and fixed IP techniques.

IP allowlist, previously known as whitelist, is a set of IP addresses that have access to a specific website. The developer can specify which IP addresses are allowed to reach an admin login page and perform actions there. It is also possible to indicate a range of IP addresses that can get authorized access. The latter solution is useful within bigger organizations or if numerous people require the access to the website.

However, the internet service providers (ISPs) may be changing IP addresses frequently and the allowlist may constantly become outdated. Therefore, this solution only works if there’s a pool of limited IP addresses in use or the changes take place within the specific range.

IP blocklist, also known as blacklist, is the exact opposite of the previously mentioned IP address directory, as it blocks access to the websites from the specified IP addresses. As it is hard to do manually, admins and developers may employ intrusion prevention frameworks, such as Fail2Ban. It automatically blocks IP addresses after a few unsuccessful authorization attempts.

On the other hand, website owners can block the particular IP addresses as well as the whole IP address range. If you notice that suspicious attacks from specific IP addresses persist, you should consider adding them to the blocklist. It can also be used for geoblocking as the IP address also carries the information about where the request was sent from.

The third solution to minimize the unauthorized access is the fixed IP method. As already mentioned, developers can limit availability of the login page to a set of trusted IP addresses. With fixed IP  they reduce the risk of IP sharing when a number of devices use the same IP address. This often leads to “bad neighbour effect”, as due to the deeds of other users, IP addresses end up in various block or spam lists. Fixed IP can be offered by both ISPs and VPN services, but the latter ensures browsing privacy as well.

Like this content? Sign up for the free PCR Daily Digest email service to get the latest tech news straight to your inbox. You can also follow PCR on Twitter and Facebook.