Credential Stuffing Causes Outages

It’s not hard for attackers to find poorly defended web logins. Many sites have only a basic web application firewall (WAF), or nothing at all, and many WAFs do not detect or defend against credential stuffing attacks. In general, WAFs are designed to block application attacks, malformed requests, and web exploits. But each request in a credential stuffing attack looks like a legitimate web login. What can look suspicious is the pattern: there will be many logins at once, and many of them with incorrect passwords. Spotting that pattern assumes that the defender is watching their failed login attempts and noting surges. The reality is that many victims mistake a credential stuffing attack for a denial-of-service attack. The login pages become overwhelmed with failed logins, and either the site crashes or customers can’t get in through the load. There have been cases of backend infrastructure failing under the heavy load of authentication requests.

Preliminary Credential Stuffing Mitigation Attempts

Once the victim organization detects the attack, it looks to stem the tide. The trick is to stop the attackers from logging in but not obstruct or inconvenience users and customers. Some basic defensive measures include inspecting and blocking the web session, which some WAFs can do. If the attack tool or bot uses plain web login requests, then the user agent (used by a web browser to advertise and identify itself to a web server) may be identified as irregular and blocked.

Another basic defense is using IP address denylists to block the known bad IP addresses. The denylist is often based on simple geographic origins, IP addresses from earlier attacks, or canned third-party reputation lists of known attackers. Another tool is rate limiting of login attempts, which unfortunately applies to both attackers and customers. This makes it hard to find the right balance.

The next step beyond this is to add a CAPTCHA test to the login process, which presents users with a simple puzzle. The idea is that bots can’t solve this puzzle but humans can, thus blocking the bots. The downside is that CAPTCHAs can annoy customers. In some cases, CAPTCHAs become a significant barrier for people with disabilities.1

Attackers Always Retool

The cybercrime community already knows how to work around these simple defenses. In fact, attackers already have plenty of plugins, scripts, and utilities they can configure to evade antibot defenses. Cybercriminals upgrade and enhance their tools, often cribbing (or outright appropriating) penetration testing tools. Most of the time, the real work for attackers is configuring them for the specific victim’s website and modifying the scripts.

Attacker Evasion: Fake the Bot’s Originating Network

Anyone who has tried to use IP address denylists to stop credential stuffing knows that even if it works for a while, it won’t work for very long. Rarely do attackers use a stable, known set of bots. Once those bots are reputation filtered, they have plenty of other victimized computers and IoT devices for launching attacks. Bots often run on consumer Internet connections, which use dynamic IP addressing that continually changes addresses. Blocking based on geographic origin is also ineffective, as attackers use bots from around the world, not just their current location. Most credential stuffing attack tools have configuration options to load and use new lists of proxies, as shown in Figure 2.
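
The following Python example is added here and is not part of the original article. It applies two points from the text: watching for surges of failed logins, and not keying detection on source IP addresses that attackers rotate through proxies. The event tuple format, the thresholds, and the sample data are constructed assumptions.

```python
from collections import defaultdict

def make_sample():
    """Constructed login events: (epoch_seconds, source_ip, username, success)."""
    events = []
    # Minute 0: ordinary traffic, 20 logins from 5 addresses, 2 mistyped passwords.
    for i in range(20):
        events.append((i * 3, f"198.51.100.{i % 5 + 1}", f"user{i}", i % 10 != 0))
    # Minute 1: 200 attempts, each from a different proxy address and against
    # a different account; only 2 of the replayed passwords are valid.
    for i in range(200):
        events.append((60 + i * 3 // 10, f"203.0.113.{i + 1}", f"victim{i}", i % 100 == 0))
    return events

def detect_stuffing(events, window=60, min_attempts=50,
                    min_fail_ratio=0.5, min_user_spread=0.8):
    """Flag windows where most logins fail and the failures hit many accounts."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window].append((ip, user, ok))
    alerts = []
    for w, rows in sorted(buckets.items()):
        fails = [(ip, user) for ip, user, ok in rows if not ok]
        if len(rows) < min_attempts or not fails:
            continue  # too little traffic to judge, or nothing failed
        fails_per_ip = defaultdict(int)
        for ip, _ in fails:
            fails_per_ip[ip] += 1
        users = {user for _, user in fails}
        # Keyed on accounts, not addresses: rotating proxies keep every
        # per-IP counter low, but the spread of failing usernames stays high.
        if (len(fails) / len(rows) >= min_fail_ratio
                and len(users) / len(fails) >= min_user_spread):
            alerts.append({
                "window_start": w * window,
                "attempts": len(rows),
                "failures": len(fails),
                "distinct_users": len(users),
                "max_fails_per_ip": max(fails_per_ip.values()),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_stuffing(make_sample()):
        print(alert)
```

In the constructed attack minute no single address fails more than once, so a per-IP denylist or rate limit never triggers, while the failure ratio and username spread mark the surge as login abuse rather than generic load.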