Credential Stuffing Prevention With F5 ASM Brute Force Protection

Raise your hand if your login credentials have been stolen at some point in your internet life. I’m looking at you, EVERYBODY! Some 2.3 billion credentials were stolen in 2017 alone, so if you’re on the internet, someone, somewhere has your credentials and has probably tried to use them. Industry estimates now put 80% to 90% of the login traffic at some large sites down to what are called Credential Stuffing attacks. HSBC and Dunkin’ Donuts are just a couple of the more recent high-profile victims of this kind of brute-force attack. So what in the world is Credential Stuffing, and how can we protect our applications from it?

Credential Stuffing is a special kind of brute-force attack. Instead of spamming a login page with random passwords over and over again, the attackers run a script with a list of real, stolen credentials and try every stolen username/password pair they have against your login page. Somewhere around 70% of internet users reuse the same username and password across their website logins. The idea is that if you can steal real credentials from an easy target (a web forum, etc.), you can probably use them to log into something more important, or should I say more profitable. US banking loses about $4.6 million a day to credential stuffing, while the retail industry loses a whopping $16.5 million a day.

Blocking Credential Stuffing

The causes of credential spillage vary widely, but as far as Credential Stuffing goes, the BIG-IP can keep these “stuffers” at bay with a few key features. You can configure the Application Security Manager (ASM) to check submitted logins against F5’s credential-stuffing database, a list of username/password pairs known to have been stolen. When a submitted pair matches, ASM can block the illegal login, send the client to a CAPTCHA, issue a JavaScript challenge to determine whether the client is a real browser or a script, or fool the attacker with a custom “honeypot” page. Two things to keep in mind: brute force protection only applies to URLs that ASM knows are login pages, so define the login URL and its username and password parameters as a Login Page in the policy first; and a match on a legitimate user’s own login means that password is burned, so blocking the attempt protects the account but the user still needs a reset.
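To make the decision logic concrete, here is an added example (my own code, not F5’s implementation and not part of the original post) that models what a credential-stuffing check does: hash each submitted username/password pair, look it up in a table of known-stolen pairs, and combine that with per-source signals to pick a response. The spill list, IP addresses, thresholds and the response names ALLOW/CAPTCHA/BLOCK/HONEYPOT are all constructed for illustration; ASM’s own thresholds and mitigation names differ.

```python
import hashlib
from collections import defaultdict

# Constructed "stolen credential" list standing in for the vendor database.
# Only hashes of the pairs are kept in memory, so the checker never holds
# plaintext credentials at lookup time.
SPILLED_PAIRS = [
    ("alice@example.com", "Winter2017!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "letmein"),
]


def cred_hash(username, password):
    """Hash the username/password pair; case-fold the username, not the password."""
    data = username.strip().lower().encode() + b"\x00" + password.encode()
    return hashlib.sha256(data).hexdigest()


SPILLED_HASHES = frozenset(cred_hash(u, p) for u, p in SPILLED_PAIRS)


class StuffingDetector:
    """Tracks, per source IP, the two signals that separate credential stuffing
    from both normal traffic and classic brute force: submitted pairs that appear
    in a spill list, and many distinct usernames tried from one source."""

    def __init__(self, fail_threshold=5, distinct_user_threshold=3):
        # Thresholds are illustrative assumptions, not ASM defaults.
        self.fail_threshold = fail_threshold
        self.distinct_user_threshold = distinct_user_threshold
        self.failures = defaultdict(int)
        self.users_seen = defaultdict(set)

    def decide(self, src_ip, username, password, password_correct):
        """Return ALLOW, CAPTCHA, BLOCK or HONEYPOT for one login attempt."""
        self.users_seen[src_ip].add(username.strip().lower())
        spilled = cred_hash(username, password) in SPILLED_HASHES
        source_suspicious = (
            self.failures[src_ip] >= self.fail_threshold
            or len(self.users_seen[src_ip]) >= self.distinct_user_threshold
        )
        if not password_correct:
            self.failures[src_ip] += 1
        # A known-stolen pair is blocked even when the password would still work:
        # the account owner needs a reset, and the attacker must not learn which
        # pairs are live. A stolen pair from an already-flagged source gets the
        # honeypot so the script keeps burning time on fake successes.
        if spilled and source_suspicious:
            return "HONEYPOT"
        if spilled:
            return "BLOCK"
        if source_suspicious:
            return "CAPTCHA"
        return "ALLOW"


def run_sample():
    """Run constructed attempts: one real user, then a stuffing script walking a
    bought list one try per account (the classic stuffing signature)."""
    d = StuffingDetector()
    attempts = [
        ("198.51.100.4", "dave@example.com", "correct horse", True),
        ("203.0.113.7", "alice@example.com", "Winter2017!", True),   # spilled, still valid
        ("203.0.113.7", "bob@example.com", "hunter2", False),        # spilled, user already reset
        ("203.0.113.7", "erin@example.com", "Password1", False),     # not in list, 3rd distinct user
        ("203.0.113.7", "carol@example.com", "letmein", True),       # spilled, from a flagged source
    ]
    return [d.decide(*a) for a in attempts]


if __name__ == "__main__":
    print(run_sample())
```

Note that a stuffing script usually fails a per-account lockout entirely because it tries each account only once; that is why the detector counts distinct usernames per source as well as failures. A production lookup table would be far too large to hold in memory like this and would be queried remotely, which is the role the F5 database plays in the ASM feature described above.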

Security > Application Security > Anomaly Detection > Brute Force Attack Prevention > Create

[Screenshot: Credential Stuffing configuration on the ASM Brute Force Attack Prevention page]

Don’t forget to apply the policy when you’re done.

Security > Event Logs > Application > Brute Force Attacks

[Screenshot: Credential Stuffing entries in the Brute Force Attacks event log]

In the Access Policy Manager (APM), you can also add multi-factor and federation-based authentication to your applications, so that a stolen password on its own is not enough to log in.

You can’t control your users’ password discipline, but you can prevent their lack of discipline from compromising your apps.
