IIS Module to Address Website Password Guessing
A common technique for Penetration Testers is to gain access to an account via brute force (many passwords against one account) or password spraying (one password against many accounts). Websites are a great target since they often lack logging and alerting for these techniques. Some sites add 2-factor authentication to address this, yet it still provides the feedback an attacker needs, because only a successful password will proceed to the 2-factor prompt.
To address this I’ve created a PowerShell module which leverages Logparser to parse a website’s logs and identify such situations.
While it’s a suitable solution, the downside is that it is a reactive detection mechanism, limited by Task Scheduler and by how often IIS writes its request logs to disk. An automated process can submit a significant number of authentication requests in just one second. A better solution would be a Microsoft-developed module dedicated to identifying these scenarios at the website level in real time.
While there is ModSecurity, to say it has a steep learning curve is an understatement. Take for example the IP Address and Domain Restrictions module: all of that functionality can be achieved with ModSecurity, however carving that logic out into its own module provides a much easier interface, resulting in increased adoption. This is what I’m suggesting for identifying these excessive failed logins.
Creation of a Microsoft-developed module for IIS to identify:
1) brute force (many passwords against one account)
2) password spraying (one password against many accounts)
3) distributed (performing the above techniques from multiple IP addresses to subvert per-IP thresholds)
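As an added illustration (not the author's Logparser module and not any Microsoft IIS module), here is the same three-way classification applied to IIS W3C log lines in PowerShell. It assumes the login endpoint is /login, that a failed attempt produces a 401, and that cs-username is populated on failures; the log lines and the thresholds are constructed for the example.

```powershell
# Added example: flag the three guessing patterns by counting 401 responses to the login path.
# Assumptions: failed logins return 401 and cs-username is filled in; sample log lines are constructed.
$LogText = @'
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-01-01 10:00:00 GET /index.htm - 203.0.113.10 200
2024-01-01 10:00:01 POST /login alice 203.0.113.10 401
2024-01-01 10:00:01 POST /login alice 203.0.113.10 401
2024-01-01 10:00:02 POST /login alice 203.0.113.10 401
2024-01-01 10:00:02 POST /login alice 203.0.113.10 401
2024-01-01 10:00:03 POST /login bob 198.51.100.7 401
2024-01-01 10:00:03 POST /login carol 198.51.100.7 401
2024-01-01 10:00:04 POST /login dave 198.51.100.7 401
2024-01-01 10:00:04 POST /login erin 198.51.100.7 401
2024-01-01 10:00:05 POST /login frank 192.0.2.1 401
2024-01-01 10:00:05 POST /login gina 192.0.2.2 401
2024-01-01 10:00:06 POST /login henry 192.0.2.3 401
2024-01-01 10:00:06 POST /login ivan 192.0.2.4 401
'@

function Get-PasswordGuessingAlerts {
    param([string[]]$Lines, [string]$LoginPath = '/login', [int]$PerAccount = 4, [int]$PerIpAccounts = 4, [int]$DistributedIps = 4)
    $fields = $null
    $failures = foreach ($line in $Lines) {
        # The #Fields directive defines the column order; other # lines are log comments
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^(#|\s*$)' -or -not $fields) { continue }
        $row = @{}; $values = $line -split '\s+'
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -eq $LoginPath -and $row['sc-status'] -eq '401') { [pscustomobject]$row }
    }
    $alerts = @()
    # 1) brute force: one account, many failures, regardless of which IPs sent them
    foreach ($g in @($failures | Group-Object 'cs-username')) {
        if ($g.Count -ge $PerAccount) { $alerts += "brute-force: account $($g.Name), $($g.Count) failures" }
    }
    # 2) spraying: one IP, failures spread across many distinct accounts
    $quietIps = @()
    foreach ($g in @($failures | Group-Object 'c-ip')) {
        $n = @($g.Group.'cs-username' | Select-Object -Unique).Count
        if ($n -ge $PerIpAccounts) { $alerts += "spraying: $($g.Name) tried $n accounts" } else { $quietIps += $g }
    }
    # 3) distributed: every IP stays under the per-IP limit, but together they cover many accounts
    $covered = @($quietIps | ForEach-Object { $_.Group.'cs-username' } | Select-Object -Unique).Count
    if ($quietIps.Count -ge $DistributedIps -and $covered -ge $PerIpAccounts) {
        $alerts += "distributed: $($quietIps.Count) low-rate IPs covered $covered accounts"
    }
    return $alerts
}

Get-PasswordGuessingAlerts -Lines ($LogText -split "`r?`n")
```

Run against the constructed lines, all three alerts fire: the per-account count catches alice, the per-IP account count catches 198.51.100.7, and the low-rate IPs in 192.0.2.0/24 only show up once their coverage is aggregated, which is the case per-IP thresholds miss.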
To address such events some ideas include:
1) reduce bandwidth
2) redirect request