Inducing Account Lockout
Attack Pattern ID: 2 (Standard Attack Pattern Completeness: Complete)
Typical Severity: Medium
Status: Draft
+ Description

Summary

An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.

Attack Execution Flow

Experiment
  1. Investigate account lockout behavior of system:

    Investigate the security features present in the system that may trigger an account lockout

    Attack Step Techniques

    ID | Attack Step Technique Description | Environments
    1 | Analyze system documentation to find list of events that could potentially cause account lockout. | env-Web env-ClientServer env-Local env-Embedded
    2 | Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly. | env-Web env-ClientServer env-Local env-Embedded
    3 | Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out. | env-Web env-ClientServer env-Local env-Embedded

    Indicators

    ID | Type | Indicator Description | Environments
    1 | Positive | System provides error message stating that account being attacked is locked out. | env-Web env-ClientServer env-Local env-Embedded
    2 | Positive | After a certain number of login attempts with a given user ID, the amount of time it takes for the system to respond to further login attempts changes noticeably. | env-Web env-ClientServer env-Local env-Embedded
    3 | Negative | System has no automatic signup mechanism, and system provides no indication as to whether the attacker is entering incorrect credentials or the account is locked out during the login process. | env-Web env-ClientServer env-Local env-Embedded

    Outcomes

    ID | Type | Outcome Description
    1 | Success | Attacker determines at least one way to lock out accounts.
    2 | Failure | System provides no indication that account lockouts are possible.

    Security Controls

    ID | Type | Security Control Description
    1 | Detective | Repeated failed login attempts in application/system logs.
    2 | Preventative | Do not provide any indication to users that their accounts are locked out. Provide a simple error message such as: "Login failed. Try again or contact your administrator" regardless of why a login attempt fails.
  2. Obtain list of user accounts to lock out:

    Generate a list of valid user accounts to lock out

    Attack Step Techniques

    ID | Attack Step Technique Description | Environments
    1 | Obtain list of authorized users using another attack pattern, such as SQL Injection. | env-Web env-ClientServer env-Local env-Embedded
    2 | Attempt to create accounts if possible; system should indicate if a user ID is already taken. | env-Web env-ClientServer env-Local env-Embedded
    3 | Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts. | env-Web env-ClientServer env-Local env-Embedded

    Indicators

    ID | Type | Indicator Description | Environments
    1 | Positive | System indicates which user IDs are valid and which are not to unauthenticated users. | env-Web env-ClientServer env-Local env-Embedded

    Outcomes

    ID | Type | Outcome Description
    1 | Success | Attacker gathers list of user IDs.
    2 | Inconclusive | Attacker is unable to gather list of valid user IDs; attacker may still be able to lock out accounts by blindly guessing user IDs and performing a lockout procedure with each one.

    Security Controls

    ID | Type | Security Control Description
    1 | Preventative | Avoid providing any indication regarding the validity of user IDs upon failed login attempts. Provide a simple error message such as: "Login failed. Try again or contact your administrator" regardless of why a login attempt fails.
Exploit
  1. Lock Out Accounts:

    Perform lockout procedure for all accounts that the attacker wants to lock out.

    Attack Step Techniques

    ID | Attack Step Technique Description | Environments
    1 | For each user ID to be locked out, perform the lockout procedure discovered in the first step. | env-Web env-ClientServer env-Local env-Embedded

    Indicators

    ID | Type | Indicator Description | Environments
    1 | Positive | Success outcome in first step. | env-Web env-ClientServer env-Local env-Embedded
    2 | Negative | Failure outcome in first step. | env-Web env-ClientServer env-Local env-Embedded

    Outcomes

    ID | Type | Outcome Description
    1 | Success | Amount of work required by an attacker to lock out a large number of accounts is at least an order of magnitude smaller than the amount of work required to unlock the accounts thereafter.
    2 | Failure | The large amount of work required by an attacker to lock out a large number of accounts makes this an unattractive attack.
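The detective control in the flow above (repeated failed login attempts in application logs) can be turned into a concrete check. The following Python is an added example, not part of the CAPEC entry; the log line format, account names and addresses are constructed for illustration. It flags a single source that drives several distinct accounts into lockout within a short window, which separates a lockout campaign from a user mistyping their own password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample application log for this example. The line format and the
# addresses are assumptions, not the format of any particular product.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z login FAIL user=alice src=203.0.113.9
2024-05-01T12:00:02Z login FAIL user=alice src=203.0.113.9
2024-05-01T12:00:03Z login FAIL user=alice src=203.0.113.9
2024-05-01T12:00:04Z login LOCKED user=alice src=203.0.113.9
2024-05-01T12:00:05Z login FAIL user=bob src=203.0.113.9
2024-05-01T12:00:06Z login FAIL user=bob src=203.0.113.9
2024-05-01T12:00:07Z login FAIL user=bob src=203.0.113.9
2024-05-01T12:00:08Z login LOCKED user=bob src=203.0.113.9
2024-05-01T12:00:09Z login FAIL user=carol src=198.51.100.7
2024-05-01T12:00:20Z login OK user=carol src=198.51.100.7
"""

LINE = re.compile(r"^(?P<ts>\S+) login (?P<result>FAIL|LOCKED|OK) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_auth_log(text):
    """Return (timestamp, result, user, src) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def lockout_campaigns(text, window=timedelta(minutes=5), min_accounts=2):
    """Map each source that pushed at least min_accounts distinct accounts into
    LOCKED within one window to the sorted list of those accounts. One account
    locked from one address is usually a typo; one address locking several
    accounts in quick succession is the pattern described in this entry."""
    locks = defaultdict(list)                       # src -> [(ts, user), ...]
    for ts, result, user, src in parse_auth_log(text):
        if result == "LOCKED":
            locks[src].append((ts, user))
    flagged = {}
    for src, hits in locks.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
                break
    return flagged
```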
+ Attack Prerequisites

The system has a lockout mechanism.

An attacker must be able to reproduce behavior that would result in an account being locked.

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • API Abuse
  • Flooding
  • Brute Force
+ Examples-Instances

Description

A famous example of this type of attack is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

+ Resources Required

Computer with access to the login portion of the target system

+ Solutions and Mitigations

Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.

When implementing security features, consider how they can be misused and made to turn on themselves.
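An added example (not from the CAPEC entry) of the mitigations above in Python: failures are counted per (source address, login name) pair rather than per login name alone, and every failure path returns the same generic message, so the reply reveals neither that an account exists nor that it is locked. The threshold, lock duration, addresses and credentials are assumed values.

```python
import hmac
import time
from collections import defaultdict

# Assumed policy values for this example (not taken from the CAPEC entry).
MAX_FAILURES = 3       # failed attempts before a (source, account) pair is throttled
LOCK_SECONDS = 900     # how long that pair stays throttled
GENERIC_ERROR = "Login failed. Try again or contact your administrator"

class LoginGate:
    """Throttle failed logins per (source_ip, username) pair, not per username.

    An attacker hammering 'alice' from one address is throttled there, while
    alice signing in from her own address is unaffected. Every failure path
    returns GENERIC_ERROR, so the reply reveals neither whether the account
    exists nor whether a lockout is in effect."""

    def __init__(self, credentials, now=time.monotonic):
        # Constructed sample store: username -> password. A real system stores
        # password hashes; plaintext is used here only to keep the example short.
        self._creds = credentials
        self._now = now
        self._failures = defaultdict(list)   # (ip, user) -> recent failure times

    def _throttled(self, key):
        cutoff = self._now() - LOCK_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return len(self._failures[key]) >= MAX_FAILURES

    def login(self, source_ip, username, password):
        key = (source_ip, username)
        if self._throttled(key):
            return False, GENERIC_ERROR      # throttled, but say nothing specific
        expected = self._creds.get(username, "")
        # Unknown user and wrong password both fall through to the same generic reply.
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self._failures.pop(key, None)    # clear the counter on success
            return True, "ok"
        self._failures[key].append(self._now())
        return False, GENERIC_ERROR

def targeted_lockout_scenario():
    """Constructed replay of the pattern: an attacker fails repeatedly against
    'alice' from one address, then alice signs in from her own address."""
    gate = LoginGate({"alice": "correct horse battery"})
    attacker = [gate.login("203.0.113.9", "alice", "guess%d" % i) for i in range(4)]
    victim = gate.login("198.51.100.7", "alice", "correct horse battery")
    return attacker, victim
```

Keying on the source address limits but does not eliminate the attack: a source behind a shared NAT can still affect its neighbours, and an attacker with many addresses gets correspondingly more attempts, so this control belongs alongside the logging control listed in the execution flow.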

+ Attack Motivation-Consequences
  • Denial of Service
+ Related Weaknesses
CWE-ID | Weakness Name | Weakness Relationship Type
400 | Uncontrolled Resource Consumption ('Resource Exhaustion') | Secondary
+ Related Attack Patterns
Nature | Type | ID | Name | Description | View(s) this relationship pertains to
ChildOf | Category | 212 | Functionality Misuse | | Mechanism of Attack (primary), view 1000
+ Content History
Submissions

Submitter | Organization | Date
Eugene Lebanidze | Cigital, Inc | 2007-02-26

Modifications

Modifier | Organization | Date | Comments
Sean Barnum | Cigital, Inc | 2007-03-01 | Review and revision of content
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name, Description and Solutions
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback
Amit Sethi | Cigital, Inc. | 2007-10-29 | Added extended Attack Execution Flow