Abstract
To stymie password guessing attacks, many systems lock an account after a given number of failed authentication attempts, preventing access even if the proper credentials are later provided. Because single sign-on providers now front many services, an adversary can use relatively few resources to launch a large-scale, application-level denial-of-service attack against targeted user accounts simply by submitting incorrect credentials repeatedly.
In this paper, we measure the extent to which this vulnerability exists in production systems. We focus on Microsoft services, which are used in many organizations, to identify exposed authentication points. We measured 2,066 organizations and found that between 58% and 77% of them expose authentication portals that are vulnerable to account lockout attacks. Such attacks can be completely successful with only 13 KB/s of attack traffic. We then propose and evaluate a set of lockout bypass mechanisms for legitimate users. Our performance and security evaluation shows that these solutions are effective while introducing little overhead to the network and systems.
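The following toy model is an added illustration, not code from the paper and not its proposed bypass mechanisms. It shows why a failure counter keyed on the target account is attacker-controllable: the attacker burns the budget with junk passwords, and the legitimate user is then refused even with the correct password. For contrast it also keys the same counter on the requesting source (a generic throttle in the spirit of the NIST SP 800-63B guidance the paper cites, not the paper's approach). The policy values (10 failures, 15-minute reset window, 15-minute lockout), usernames, passwords and addresses are all constructed assumptions.

```python
"""Toy model of account lockout and the denial of service it enables.

Added illustration, not code from the paper. The policy numbers, usernames,
passwords and IP addresses below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int = 10              # failures that trigger a block (assumed)
    reset_window: float = 900.0      # seconds before the failure counter resets (assumed)
    lockout_duration: float = 900.0  # seconds the block lasts (assumed)


@dataclass
class Counter:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    blocked_until: float = 0.0


class AuthServer:
    """Password check with a block counter keyed either on the target account
    (classic lockout) or on the requesting source (throttle, assumed variant)."""

    def __init__(self, policy, credentials, per_source=False):
        self.policy = policy
        self.credentials = credentials  # username -> password, constructed
        self.per_source = per_source
        self.counters = {}

    def login(self, user, password, source, now):
        key = ("src", source) if self.per_source else ("acct", user)
        st = self.counters.setdefault(key, Counter())
        if now < st.blocked_until:
            return "blocked"            # refused before the password is even checked
        st.failures = [t for t in st.failures if now - t < self.policy.reset_window]
        if self.credentials.get(user) == password:
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            st.blocked_until = now + self.policy.lockout_duration
            st.failures.clear()
        return "denied"


def lockout_scenario(per_source=False):
    """Attacker burns the failure budget on 'alice' from one address, then the
    real user tries from her own address. Returns the three observed outcomes."""
    policy = LockoutPolicy()
    server = AuthServer(policy, {"alice": "correct horse"}, per_source)
    attacker, victim = "203.0.113.5", "198.51.100.7"   # constructed addresses
    last = None
    for i in range(policy.threshold):                   # 10 junk passwords in 1 s
        last = server.login("alice", f"wrong-{i}", attacker, i * 0.1)
    during = server.login("alice", "correct horse", victim, 5.0)
    after = server.login("alice", "correct horse", victim, 5.0 + policy.lockout_duration)
    return {"attack": last, "victim_during": during, "victim_after": after}


def sustain_rate(policy, accounts):
    """Failed attempts per second needed to keep `accounts` accounts locked
    indefinitely: the budget must be re-burned once per lockout period."""
    return accounts * policy.threshold / policy.lockout_duration


if __name__ == "__main__":
    print("per-account lockout:", lockout_scenario(False))
    print("per-source throttle:", lockout_scenario(True))
    print("attempts/s to keep 1000 accounts locked:", sustain_rate(LockoutPolicy(), 1000))
```

With the per-account policy the victim's correct password is refused for the whole lockout period, and `sustain_rate` shows the attacker only needs to re-spend the threshold once per lockout period per account, which is why the bandwidth cost stays small. The per-source throttle restores the victim's access in this model, but an attacker with many source addresses defeats it; the bypass mechanisms the paper evaluates for legitimate users are not modelled here.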
Acknowledgements
The authors would like to thank the anonymous organization for allowing us to test our account lockout approach on their infrastructure and for providing feedback on the effectiveness of the account lockout approach when targeting different authentication portals.
This material is based upon work supported by the National Science Foundation under Grant No. 1651540.
Copyright information
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Liu, Y., Squires, M.R., Taylor, C.R., Walls, R.J., Shue, C.A. (2019). Account Lockouts: Characterizing and Preventing Account Denial-of-Service Attacks. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 305. Springer, Cham. https://doi.org/10.1007/978-3-030-37231-6_2
DOI: https://doi.org/10.1007/978-3-030-37231-6_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-37230-9
Online ISBN: 978-3-030-37231-6