Account Lockouts: Characterizing and Preventing Account Denial-of-Service Attacks

Yu Liu, Matthew R. Squires, Curtis R. Taylor, Robert J. Walls, Craig A. Shue

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

4 Scopus citations

Abstract

To stymie password guessing attacks, many systems lock an account after a given number of failed authentication attempts, preventing access even if proper credentials are later provided. Combined with the proliferation of single sign-on providers, this lets adversaries use relatively few resources to launch large-scale application-level denial-of-service attacks against targeted user accounts by deliberately providing incorrect credentials across multiple authentication attempts. In this paper, we measure the extent to which this vulnerability exists in production systems. We focus on Microsoft services, which are used in many organizations, to identify exposed authentication points. We measured 2,066 organizations and found that between 58% and 77% of them expose authentication portals that are vulnerable to account lockout attacks. Such attacks can be completely successful with only 13 KBytes/s of attack traffic. We then propose and evaluate a set of lockout bypass mechanisms for legitimate users. Our performance and security evaluation shows that these solutions are effective while introducing little overhead to the network and systems.

Original language: English
Title of host publication: Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings
Editors: Songqing Chen, Kim-Kwang Raymond Choo, Xinwen Fu, Wenjing Lou, Aziz Mohaisen
Publisher: Springer
Pages: 26-46
Number of pages: 21
ISBN (Print): 9783030372309
DOIs
State: Published - 2019
Event: 15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019 - Orlando, United States
Duration: Oct 23 2019 - Oct 25 2019

Publication series

Name: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume: 305 LNICST
ISSN (Print): 1867-8211

Conference

Conference: 15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019
Country/Territory: United States
City: Orlando
Period: 10/23/19 - 10/25/19

Funding

The authors would like to thank the anonymous organization for allowing us to test our account lockout approach on their infrastructure and for providing feedback on the effectiveness of the account lockout approach when targeting different authentication portals. This material is based upon work supported by the National Science Foundation under Grant No. 1651540.

Keywords

  • Account lockout
  • Denial-of-Service (DoS) attack
  • Measurement
  • Middleboxes
  • Single Sign-On
