By Dusan Vitek, Director, Product Marketing, SecureAuth
SecureAuth is introducing a new attack detection engine – Dynamic IP Blocking. The new technology is the latest security innovation from SecureAuth, further strengthening the first line of defense to protect authentication endpoints.
Introduced in mid-2020, SecureAuth Dynamic IP Blocking temporarily blocks IP addresses that bad actors use to launch password spraying attacks against the platform. Following principles similar to those of a modern IDS/IPS Unified Threat Management system, Dynamic IP Blocking incorporates a proprietary pattern recognition algorithm to detect and mitigate attacks without user or admin intervention.
A First Line of Defense Against Attacks
Password spraying is a low-speed and particularly dangerous password attack method often performed against single sign-on (SSO) and cloud-based authentication portals. You can think of password spraying as a reverse brute-force attack. Bad actors try a single password against a myriad of user account names, hoping to breach any one of those accounts.
In a brute-force password attack, the malicious hacker rapidly works through a single username paired with dozens of potential common passwords, hoping to compromise that account. In a password spraying attack, the hacker tries thousands of usernames with the same password before moving on to a second password.
The danger of the password spraying attack lies in the fact that the attack is slow against each individual username with long delays between each login attempt. Therefore, the hacker can avoid triggering the failed login attempt detection (also known as SecureAuth Password Throttling) and run the attack undetected.
SecureAuth Dynamic IP Blocking technology prevents the originating IP address from submitting requests after a specified number of failed login attempts using different usernames within a specified period of time. Instead of locking user accounts, it blocks login attempts coming from the IP address.
It’s worth noting that Dynamic IP Blocking works for both legacy clients (installable software using WS-Trust) and modern clients such as web apps using SAML.
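The rule described above, sketched as an added example that is not SecureAuth's proprietary algorithm or product code: a sliding-window count of failed logins with distinct usernames per source IP. The threshold of 5 and the 12-hour block are values the console offers; the one-hour window, the class and function names, and the sample events are assumptions constructed for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # distinct-username failures; a value the console offers
BLOCK_FOR = timedelta(hours=12)  # block length; a value the console offers
WINDOW = timedelta(hours=1)      # assumption: the page gives no figure for the period
ALLOWED_IPS = {"198.51.100.10"}  # constructed allow-list entry (IPv4)

class SprayBlocker:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> (time, username) of recent failures
        self.blocked_until = {}             # ip -> time the block expires

    def handle(self, ts, ip, username, success):
        """Return 'rejected' if the IP is blocked, 'blocked' if this event triggers a block, else 'allowed'."""
        if ip in ALLOWED_IPS:
            return "allowed"                # never blocked, whatever the failure count
        if self.blocked_until.get(ip, ts) > ts:
            return "rejected"
        if success:
            return "allowed"
        recent = self.failures[ip]
        recent.append((ts, username.lower()))
        while ts - recent[0][0] > WINDOW:   # drop failures older than the window
            recent.popleft()
        # Count distinct usernames, so one user mistyping a password does not block the IP.
        if len({user for _, user in recent}) >= THRESHOLD:
            self.blocked_until[ip] = ts + BLOCK_FOR
            recent.clear()
            return "blocked"
        return "allowed"

def replay(events):
    """Feed events, in time order, through a fresh blocker and collect the decisions."""
    blocker = SprayBlocker()
    return [blocker.handle(*event) for event in events]

# Constructed sample events: (time, source IP, username, login succeeded?)
T0 = datetime(2020, 7, 1, 9, 0)
SPRAY = [(T0 + timedelta(minutes=10 * i), "203.0.113.7", f"user{i:02d}", False) for i in range(6)]
TYPO = [(T0 + timedelta(minutes=i), "192.0.2.20", "alice", False) for i in range(6)]
TRUSTED = [(T0 + timedelta(minutes=i), "198.51.100.10", f"svc{i}", False) for i in range(6)]
AFTER_EXPIRY = SPRAY + [(T0 + timedelta(hours=13), "203.0.113.7", "user00", True)]

if __name__ == "__main__":
    for name, events in [("spray", SPRAY), ("typo", TYPO), ("trusted", TRUSTED)]:
        print(name, replay(events))
```

Per-account throttling would see only one failure per username in the `SPRAY` events; counting per source IP is what makes the pattern visible, and no user account is locked.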
How to Configure Dynamic IP Blocking
To use Dynamic IP Blocking, go to your SecureAuth Identity Platform Administration Console. First, set the length of time to block the IP address after a set number of failed attempts. Your setting will apply to login workflows in all policies. Then add the Dynamic IP Blocking rule in each policy.
You can add allowed IP addresses that apply to all policies and in a specific policy. IP addresses added to this list will never be blocked, no matter how many failed attempts occur.
- On the left side of the Identity Platform page, click IP Filtering. Note that the settings you define here apply to all policies.
- Set the length of time to block associated IP addresses after a specified number of failed login attempts. (The numbers in the line after the Block button are clickable links.)
  - Length of time – 12, 24, 36, 48, or 72 hours
  - Number of failed login attempts – 5, 10, 15, 20, and 25
- To allow certain IP addresses, click the Set IP addresses link and enter the IP addresses, separated by commas. Note: IP addresses can only be in IPv4 format.
- Next, open a policy and go to the Blocking Rules tab and add Dynamic IP Blocking as a new rule.
Dynamic IP Blocking is included in select SecureAuth SaaS subscription plans. Dynamic IP Blocking is shipping with the SecureAuth virtual appliances version 20.06 and later for hybrid cloud deployments.