Brute Force Attacks
A common threat web developers face is a password-guessing attack known as a brute-force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the correct one is found. If your web site requires user authentication, you are a good target for a brute-force attack.
Given enough time, a brute-force attack will always discover a password; the downside for the attacker is that it could take years. Depending on the password's length and complexity, there could be trillions of possible combinations. To speed things up, a brute-force attack usually starts with dictionary words or slightly modified dictionary words, because most people choose those rather than a completely random password. These attacks are called dictionary attacks or hybrid brute-force attacks. Brute-force attacks put user accounts at risk and flood your site with unnecessary traffic.
Hackers launch brute-force attacks using widely available tools that utilize wordlists and smart rule sets to intelligently and automatically guess user passwords. Although such attacks are easy to detect, they are not so easy to prevent. For example, many HTTP brute-force tools can relay requests through a list of open proxy servers. Since each request appears to come from a different IP address, you cannot block these attacks simply by blocking the IP address. To further complicate things, some tools try a different username and password on each attempt, so you cannot lock out a single account for failed password attempts.
Countermeasures that do not rely on blocking a single IP address or locking out a single account include:
* For advanced users who want to protect their accounts from attack, give them the option to allow login only from certain IP addresses.
* Assign unique login URLs to blocks of users so that not all users can access the site from the same URL.
* Use a CAPTCHA to prevent automated attacks (see the sidebar "Using CAPTCHAs").
* Instead of completely locking out an account, place it in a lockdown mode with limited capabilities.
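The following is an added example, not code from the original article, showing two of the countermeasures above in one login handler: an optional per-account IP allowlist, and a "lockdown" mode in which an account that has seen repeated failures still authenticates but only receives a limited session, so the legitimate user is never locked out while a successful guess by the attacker yields little. The user store, password hashing, thresholds and the clock injection are assumptions made for the example.

```python
# Added example (not from the original article). Assumed: a small in-memory user
# store, PBKDF2 password hashes, and hypothetical thresholds for lockdown mode.
import hashlib
import hmac
import ipaddress
import time

LOCKDOWN_THRESHOLD = 5      # failed attempts before the account enters lockdown mode
LOCKDOWN_SECONDS = 15 * 60  # lockdown lasts this long after the most recent failure


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store (not real accounts). "allowed_networks" is the opt-in
# IP restriction for advanced users; None means no restriction.
USERS = {
    "alice": {
        "salt": b"salt-alice",
        "hash": _hash("correct horse battery staple", b"salt-alice"),
        "allowed_networks": [ipaddress.ip_network("203.0.113.0/24")],
    },
    "bob": {
        "salt": b"salt-bob",
        "hash": _hash("hunter2", b"salt-bob"),
        "allowed_networks": None,
    },
}


class LoginGuard:
    def __init__(self, now=time.time):
        self.now = now
        self.failures = {}  # username -> (failure count, time of last failure)

    def _record_failure(self, username: str) -> None:
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, self.now())

    def _in_lockdown(self, username: str) -> bool:
        count, last = self.failures.get(username, (0, 0.0))
        if count < LOCKDOWN_THRESHOLD:
            return False
        if self.now() - last > LOCKDOWN_SECONDS:
            self.failures.pop(username, None)  # lockdown has expired
            return False
        return True

    def attempt(self, username: str, password: str, client_ip: str) -> str:
        """Return 'denied', 'ok' (full session) or 'lockdown' (limited session)."""
        user = USERS.get(username)
        # Hash even for unknown usernames so a bad username costs the same as a bad password.
        salt = user["salt"] if user else b"dummy-salt"
        expected = user["hash"] if user else _hash("", salt)
        good_password = user is not None and hmac.compare_digest(_hash(password, salt), expected)

        if user is not None and user["allowed_networks"]:
            addr = ipaddress.ip_address(client_ip)
            if not any(addr in net for net in user["allowed_networks"]):
                self._record_failure(username)
                return "denied"  # correct password or not, this source is not allowed

        if not good_password:
            self._record_failure(username)
            return "denied"

        if self._in_lockdown(username):
            # Authenticated, but the caller must issue a session with limited capabilities
            # (e.g. read-only, no password or e-mail change). Failures are NOT cleared here,
            # so a lucky guess during the lockdown window gets no more than this.
            return "lockdown"

        self.failures.pop(username, None)
        return "ok"
```

In a real application the lockdown flag would travel with the session and be checked by every sensitive handler; the guard above only decides what kind of session to issue.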
Here are conditions that could indicate a brute-force attack or other account abuse:
* Many failed logins from the same IP address
* Logins with multiple usernames from the same IP address
* Logins for a single account coming from many different IP addresses
* Excessive usage and bandwidth consumption from a single user
* Failed login attempts from alphabetically sequential usernames or passwords
* Logins with a referring URL of someone's mail or IRC client
* If protecting an adult Web site, referring URLs of known password-sharing sites
* Logins with suspicious passwords hackers commonly use, such as ownsyou (ownzyou), washere (wazhere), zealots, hacksyou
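As an added example (not part of the original article), here is a small detector that evaluates the first four of the indicators above over authentication log lines. The log format, field names and thresholds are assumptions chosen for the example, and the sample log is constructed; passwords are deliberately absent from the log, so the "suspicious password" indicator would have to be checked at attempt time rather than from logs.

```python
# Added example (not from the original article). Assumed log format:
#   <timestamp> login result=OK|FAIL user=<name> ip=<addr>
# Thresholds are hypothetical and would be tuned per site.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

FAILS_PER_IP = 10     # many failed logins from the same IP address
USERS_PER_IP = 5      # logins with multiple usernames from the same IP address
IPS_PER_ACCOUNT = 5   # one account logging in from many different IP addresses
SEQUENTIAL_RUN = 4    # consecutive, alphabetically increasing usernames from one IP


def parse(lines):
    """Yield parsed login events; lines that are not login records are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def longest_increasing_run(names):
    """Length of the longest run of consecutive, strictly increasing (alphabetical) names."""
    best = run = 1 if names else 0
    for prev, cur in zip(names, names[1:]):
        run = run + 1 if cur > prev else 1
        best = max(best, run)
    return best


def detect(lines):
    """Return a list of (indicator, subject, count) alerts for the given log lines."""
    fails_by_ip = defaultdict(int)
    users_by_ip = defaultdict(set)
    ips_by_account = defaultdict(set)
    failed_users_by_ip = defaultdict(list)  # arrival order, for sequence detection

    for e in parse(lines):
        users_by_ip[e["ip"]].add(e["user"])
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]] += 1
            failed_users_by_ip[e["ip"]].append(e["user"])
        else:
            ips_by_account[e["user"]].add(e["ip"])

    alerts = []
    for ip, n in fails_by_ip.items():
        if n >= FAILS_PER_IP:
            alerts.append(("many_failures", ip, n))
    for ip, users in users_by_ip.items():
        if len(users) >= USERS_PER_IP:
            alerts.append(("many_usernames", ip, len(users)))
    for account, ips in ips_by_account.items():
        if len(ips) >= IPS_PER_ACCOUNT:
            alerts.append(("many_source_ips", account, len(ips)))
    for ip, users in failed_users_by_ip.items():
        run = longest_increasing_run(users)
        if run >= SEQUENTIAL_RUN:
            alerts.append(("sequential_usernames", ip, run))
    return alerts


# Constructed sample log (documentation-range addresses, fictional users).
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d}Z login result=FAIL user=alice ip=198.51.100.7" for i in range(12)]
    + [f"2024-05-01T10:01:{i:02d}Z login result=FAIL user={u} ip=203.0.113.9"
       for i, u in enumerate(["aaron", "abby", "adam", "alan", "alice", "amy"])]
    + [f"2024-05-01T10:02:{i:02d}Z login result=OK user=carol ip=192.0.2.{i}" for i in range(1, 6)]
    + ["2024-05-01T10:03:00Z login result=OK user=bob ip=198.51.100.20",
       "2024-05-01T10:03:01Z GET /index.html 200"]  # not a login record; ignored
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The sequential-username check is what catches a tool walking through a sorted wordlist of usernames even when each individual account sees only one failure.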
* Require a CAPTCHA before SQL DML (data manipulation language) or CRUD operations, that is, before any request that changes state.
* Verify the CAPTCHA on the server side and respond based on that result; never trust a client-supplied flag claiming the CAPTCHA was solved.
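The following added example (not from the original article) shows the server-side half of that check: the expected answer lives only on the server, keyed by an opaque single-use token with an expiry, and a state-changing handler refuses to run until the token and answer verify. Generating the challenge image is out of scope and represented by a fixed answer string; the handler, form field names and the in-memory "database" are assumptions.

```python
# Added example (not from the original article). Assumed: an in-memory challenge
# store, form fields "captcha_token" and "captcha_answer", and a list standing in
# for the database table the handler modifies.
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # seconds a challenge stays valid


class CaptchaService:
    def __init__(self, now=time.time):
        self.now = now
        self._pending = {}  # token -> (expected answer, expiry); never sent to the client

    def issue(self, answer: str) -> str:
        """Register a challenge whose image shows `answer`; return the opaque token for the form."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = (answer, self.now() + CHALLENGE_TTL)
        return token

    def verify(self, token: str, response: str) -> bool:
        """Single-use: the token is consumed whether or not the answer is right."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        expected, expires = entry
        if self.now() > expires:
            return False
        return hmac.compare_digest(expected.lower().encode(), response.strip().lower().encode())


def handle_delete_post(form: dict, captcha: CaptchaService, db: list):
    """Hypothetical handler for a state-changing (CRUD) request.

    Only the server-side verification decides whether the write proceeds; a field such
    as captcha_ok=1 sent by the client is never consulted.
    """
    if not captcha.verify(form.get("captcha_token", ""), form.get("captcha_answer", "")):
        return 403, "captcha failed"
    post_id = form.get("post_id")
    if post_id in db:
        db.remove(post_id)
        return 200, "deleted"
    return 404, "no such post"
```

Consuming the token on every attempt is what stops an automated client from replaying one solved challenge across many requests.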