
Account Lockouts: Characterizing and Preventing Account Denial-of-Service Attacks

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2019)

Abstract

To stymie password guessing attacks, many systems lock an account after a given number of failed authentication attempts, preventing access even if proper credentials are later provided. Combined with the proliferation of single sign-on providers, this lets adversaries use relatively few resources to launch large-scale application-level denial-of-service attacks against targeted user accounts, simply by deliberately providing incorrect credentials across multiple authentication attempts.

In this paper, we measure the extent to which this vulnerability exists in production systems. We focus on Microsoft services, which are used in many organizations, to identify exposed authentication points. We measured 2,066 organizations and found that between 58% and 77% of them expose authentication portals that are vulnerable to account lockout attacks. Such attacks can be completely successful with only 13 KBytes/s of attack traffic. We then propose and evaluate a set of lockout bypass mechanisms for legitimate users. Our performance and security evaluation shows that these solutions are effective while introducing little overhead to the network and systems.
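As an added illustration (not code from the paper), the following model contrasts a fixed-threshold lockout policy with one variant of the bypass idea the abstract describes: failures arriving over unvetted paths still trigger the lock, but a client on a pre-vetted path (a registered device in this model) can still authenticate with correct credentials. The threshold, timeout, account and source identifiers are constructed assumptions, not values from the paper.

```python
"""Added model of fixed-threshold lockout and a vetted-path bypass (assumed design)."""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5    # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900.0  # assumed policy: 15-minute lockout window


@dataclass
class Account:
    password: str
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self, accounts, trusted_sources=(), bypass=False):
        self.accounts = accounts
        self.trusted = set(trusted_sources)  # e.g. registered device ids (assumed)
        self.bypass = bypass

    def login(self, user, password, source, now):
        acct = self.accounts[user]
        vetted = self.bypass and source in self.trusted
        # Without the bypass every caller is held to the same lock, so a
        # locked account is unusable for its owner until the window expires.
        if not vetted and now < acct.locked_until:
            return "locked"
        if password == acct.password:
            acct.failures = 0
            return "ok"
        if not vetted:
            # Unvetted failures drive the counter; reaching the threshold needs
            # no knowledge of the password, which is the denial of service.
            # Vetted paths would still be rate-limited separately in practice.
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.failures = 0
                acct.locked_until = now + LOCKOUT_SECONDS
        return "bad_password"


def simulate(bypass):
    """Exhaust the threshold from an unvetted source, then report what the
    owner (vetted path, correct password) and an unvetted caller see."""
    svc = AuthService({"alice": Account("correct horse")},
                      trusted_sources={"alice-laptop"}, bypass=bypass)
    for i in range(LOCKOUT_THRESHOLD):
        svc.login("alice", f"wrong{i}", source="unvetted", now=0.0)
    return {
        "owner": svc.login("alice", "correct horse", source="alice-laptop", now=1.0),
        "unvetted": svc.login("alice", "correct horse", source="unvetted", now=1.0),
    }
```

With `bypass=False` the owner is denied despite holding the correct password; with `bypass=True` the owner succeeds while the unvetted path stays locked.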



Acknowledgements

The authors would like to thank the anonymous organization for allowing us to test our account lockout approach on their infrastructure and for providing feedback on the effectiveness of the account lockout approach when targeting different authentication portals.

This material is based upon work supported by the National Science Foundation under Grant No. 1651540.

Corresponding author

Correspondence to Craig A. Shue.

Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Liu, Y., Squires, M.R., Taylor, C.R., Walls, R.J., Shue, C.A. (2019). Account Lockouts: Characterizing and Preventing Account Denial-of-Service Attacks. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 305. Springer, Cham. https://doi.org/10.1007/978-3-030-37231-6_2

  • DOI: https://doi.org/10.1007/978-3-030-37231-6_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37230-9

  • Online ISBN: 978-3-030-37231-6
