Abstract
To stymie password guessing attacks, many systems lock an account after a given number of failed authentication attempts, preventing access even if proper credentials are later provided. Combined with the proliferation of single sign-on providers, this behavior lets adversaries use relatively few resources to launch large-scale application-level denial-of-service attacks against targeted user accounts by deliberately providing incorrect credentials across multiple authentication attempts. In this paper, we measure the extent to which this vulnerability exists in production systems. We focus on Microsoft services, which are used in many organizations, to identify exposed authentication points. We measured 2,066 organizations and found that between 58% and 77% of organizations expose authentication portals that are vulnerable to account lockout attacks. Such attacks can be completely successful with only 13 KBytes/s of attack traffic. We then propose and evaluate a set of lockout bypass mechanisms for legitimate users. Our performance and security evaluation shows these solutions are effective while introducing little overhead to the network and systems.
Original language | English |
---|---|
Title of host publication | Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings |
Editors | Songqing Chen, Kim-Kwang Raymond Choo, Xinwen Fu, Wenjing Lou, Aziz Mohaisen |
Publisher | Springer |
Pages | 26-46 |
Number of pages | 21 |
ISBN (Print) | 9783030372309 |
DOIs | |
State | Published - 2019 |
Event | 15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019 - Orlando, United States. Duration: Oct 23 2019 → Oct 25 2019 |
Publication series
Name | Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST |
---|---|
Volume | 305 LNICST |
ISSN (Print) | 1867-8211 |
Conference
Conference | 15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019 |
---|---|
Country/Territory | United States |
City | Orlando |
Period | 10/23/19 → 10/25/19 |
Funding
The authors would like to thank the anonymous organization for allowing us to test our account lockout approach on their infrastructure and for providing feedback on the effectiveness of the account lockout approach when targeting different authentication portals. This material is based upon work supported by the National Science Foundation under Grant No. 1651540.
Keywords
- Account lockout
- Denial-of-Service (DoS) attack
- Measurement
- Middleboxes
- Single Sign-On