User Authentication in ASP.NET to Prevent Brute Force Attacks

23. August 2008

This article describes a very simple way to prevent brute force attacks in ASP.NET, whatever authentication method you choose.  A brute force attack is when a program keeps feeding usernames and passwords into your login page, hoping to hit the right pair after thousands and thousands of tries.  I will show you a way to prevent this, or at least slow it down enough that the attacker gives up on your site and moves on to the next one.

First off, always remember to show a generic message when the username or password is incorrect.  For example, a generic error message would be “Incorrect username or password”.  Do not say “incorrect username” when the password is right and the username is wrong, and likewise do not single out the password when it is the one that is wrong.  This way the attacker cannot tell which half of the credentials was correct.

The method I follow is to sleep the thread serving the page whenever the username or password is incorrect.  I sleep the thread for anywhere from 2 to 20 seconds, so when the credentials are wrong the page will not respond for 2 to 20 seconds.  That may not seem like a lot, but a program feeding credentials into the login page has to wait that long before it can try the next pair, which drastically increases the time a brute force run has to go through.  Making the number of seconds random helps a bit too.

My example covers the following scenario:

1. A CAPTCHA on the web page

2. A simple username and password text box backed by a custom membership provider

Below is some sample code that checks the username and password and sleeps the thread if either one is incorrect.  This code does not include the CAPTCHA check.

aryCreds just stores the username and role; that's about it.

using System;
using System.Collections;      // ArrayList
using System.Web.UI;           // LiteralControl

protected void lnkBtnLogin_Click(object sender, EventArgs e)
{
    // aryCreds holds the username and role for this session
    ArrayList aryCreds = new ArrayList();

    if (users.checkUserAuth(txtUserName.Text, txtPassword.Text))
    {
        aryCreds = users.getUserCreds(txtUserName.Text);
        Session.Add("aryCreds", aryCreds);
        Response.Redirect("menu.aspx");
    }
    else
    {
        // Wrong username or password: stall the response, clear the fields
        // and show the same generic message for either case
        this.delayRequest();
        txtUserName.Text = null;
        txtPassword.Text = null;
        string error = common.ErrorMessage("Incorrect Username or Password");
        this.Page.Controls.Add(new LiteralControl(error));
    }
}

private void delayRequest()
{
    int minSeconds, maxSeconds;
    minSeconds = 2;
    maxSeconds = 20;

    // Random.Next(min, max) excludes max, so this sleeps 2 to 19 whole seconds
    Random rand = new Random();
    System.Threading.Thread.Sleep(rand.Next(minSeconds, maxSeconds) * 1000);
}

 

Notice the delayRequest method.  It is called whenever the checkUserAuth method does not return true.

Also notice these two lines:

    Random rand = new Random();
    System.Threading.Thread.Sleep(rand.Next(minSeconds, maxSeconds) * 1000);

They are what actually make the page delay the error message.
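As an added example (not code from the original post), here is a hypothetical LoginThrottle helper that keeps the post's 2 to 20 second range but scales the delay with the number of consecutive failures for a username and resets it on success; the class, its method names and the ConcurrentDictionary store (.NET 4 or later) are my assumptions. It still blocks with Thread.Sleep exactly as delayRequest does, so the same worker-thread cost applies.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading;

// Hypothetical helper, not from the original post. Requires .NET 4 or later
// for ConcurrentDictionary. State is per process, so it resets on an
// app-pool recycle and is not shared across a web farm.
public static class LoginThrottle
{
    private const int BaseDelayMs = 2000;  // first failure waits 2 s, as in the post
    private const int MaxDelayMs = 20000;  // never more than the post's 20 s

    // username -> consecutive failed attempts (case-insensitive key)
    private static readonly ConcurrentDictionary<string, int> Failures =
        new ConcurrentDictionary<string, int>(StringComparer.OrdinalIgnoreCase);

    // Delay for the n-th consecutive failure: 2 s, 4 s, 8 s, 16 s, then 20 s.
    // The cap keeps someone hammering another user's name from locking
    // that user out outright; the penalty stays bounded.
    public static int DelayForFailures(int failures)
    {
        if (failures <= 0) return 0;
        long delay = (long)BaseDelayMs << Math.Min(failures - 1, 30);
        return (int)Math.Min(delay, MaxDelayMs);
    }

    // Call where the post calls this.delayRequest(). Returns the delay used
    // so the caller can log it alongside the failed attempt.
    public static int RecordFailure(string username)
    {
        int count = Failures.AddOrUpdate(username ?? "", 1, (key, c) => c + 1);
        int delayMs = DelayForFailures(count);
        // Same blocking sleep as delayRequest(): each stalled request holds an
        // ASP.NET worker thread, so many parallel bad logins can exhaust the pool.
        Thread.Sleep(delayMs);
        return delayMs;
    }

    // Call in the success branch so a legitimate user who mistyped once is
    // not still penalised on the next login.
    public static void RecordSuccess(string username)
    {
        int ignored;
        Failures.TryRemove(username ?? "", out ignored);
    }
}
```

In the post's lnkBtnLogin_Click this replaces this.delayRequest() with LoginThrottle.RecordFailure(txtUserName.Text), and LoginThrottle.RecordSuccess(txtUserName.Text) goes in the success branch before the redirect.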

Well, I hope this has helped some people out there make their login page a bit more protected against attackers.
