HTTPDICT - Web Form Attack
- Last Updated: May 1, 2026
Method description
This detection method focuses on detecting dictionary (or brute-force) attacks against web login forms. The minimal number of login attempts from a single IP address is set by the MinimalPerClient parameter. Because regular webpage updates (for example, using AJAX technology) can cause false positives, it is necessary to set the MinimalPageSize parameter to the minimal size of the page returned in case of an unsuccessful login attempt.
This method consists of the following submethod:
- SameSize: Reports password-guessing attacks (dictionary or brute-force based) on web login forms. It is based on detecting a high number of same-sized responses from the same server.
Method configuration
It is recommended to apply this method only on the web servers in the monitored network, possibly for all traffic on the network (to detect attacks from clients in the monitored network). The right place for traffic monitoring is the Internet connection line or the central switch.
Method parameters
- MinimalPerClient: Threshold for a minimal count of unsuccessful attempts to log in from a single IP address.
- MinimalPageSize: Minimal size of the web server response sent after an unsuccessful login attempt (in bytes).
Assigned filter
Only flows whose source or destination IP address matches the assigned filter will be processed. The filter defines the addresses of potential victims (web servers).
Interpretation of results
The method highlights an increased count of same-sized files sent from the web server to a single client. That probably means there is a dictionary attack on the web login form.
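The SameSize logic described above, written out as an added example (it is not the product's own implementation): it applies the assigned filter, ignores responses smaller than MinimalPageSize, and reports client/server pairs with at least MinimalPerClient responses of one size. Assumptions: each flow record stands for one server response, MinimalPageSize acts as a lower bound, and the addresses, sizes and thresholds are constructed sample values.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample flows: (client_ip, server_ip, response_bytes).
# Each tuple stands for one HTTP response sent from the server to the client.
SAMPLE_FLOWS = (
    [("198.51.100.7", "192.0.2.10", 4312)] * 40    # same "login failed" page, repeated
    + [("198.51.100.7", "192.0.2.10", 18250)]      # one unrelated page
    + [("203.0.113.5", "192.0.2.10", 212)] * 60    # small AJAX polling responses
    + [("203.0.113.9", "192.0.2.10", 4312)] * 3    # a user mistyping a password
    + [("198.51.100.7", "10.9.9.9", 4312)] * 40    # server outside the assigned filter
)


def same_size(flows, server_filter, minimal_per_client, minimal_page_size):
    """Return (client, server, size, count) tuples that cross the threshold."""
    nets = [ip_network(n) for n in server_filter]
    counts = Counter()
    for client, server, size in flows:
        # Assigned filter: only flows involving the monitored web servers.
        if not any(ip_address(server) in net for net in nets):
            continue
        # MinimalPageSize: drop small responses (e.g. AJAX updates) that
        # would otherwise look like many same-sized pages.
        if size < minimal_page_size:
            continue
        counts[(client, server, size)] += 1
    # MinimalPerClient: report only pairs with enough same-sized responses.
    return sorted(
        (client, server, size, n)
        for (client, server, size), n in counts.items()
        if n >= minimal_per_client
    )


if __name__ == "__main__":
    # Threshold values here are constructed, not product defaults.
    for alert in same_size(SAMPLE_FLOWS, ["192.0.2.0/24"], 20, 1000):
        print("possible web form dictionary attack:", alert)
```

Running the same data with MinimalPageSize set to 0 also flags the AJAX polling client, which is the false positive the parameter exists to suppress.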