How should a site respond to automated login attempts with phony usernames?
For the last couple weeks I've been seeing a consistent stream of 15-30 invalid login attempts per hour on my site. Many of them are nonsensical usernames that nobody would ever register for real, and often contain typical spam-related keywords. They all come from different IP addresses so I can't just IP block/throttle the requests.
I'm not worried about unauthorized access to real accounts since they aren't using real usernames. And if it were a member of my site trying to brute force logins, they could easily scrape the valid usernames from the site, so I'm not worried about that kind of malicious behavior either. But what's the point of this type of activity? What would whichever bot operator is doing this have to gain by attempting all these logins?
I see this type of behavior on my site as well. While it's tough to prove, I think it's just a bot crawling your site and filling in forms hoping that any submission they make could somehow be publicly viewable. The bots don't seem to be very smart in that they can't tell an account registration form from a blog comment form, so they just fill them all out.
If you see similar activity on other forms on your site, this very well could be what is happening to you. My suggestion would be to add a hidden captcha to your form. For example, add a textbox named "URL" (url fields are great spammer bait) that is hidden from human users through CSS (display:none). If this field is filled in on submit, you know that you can ignore it. There are many more methods of dealing with bots, but quite often, the simple things do the trick.
But what's the point of this type of activity?
Your guess is as good as anyone's - perhaps the operator is mistakenly trying to access a set of spam accounts created elsewhere? (or ones which were supposed to be created at your site but failed for whatever reason)
Edit: ... speaking to your initial question:
How should a site respond to automated login attempts with phony usernames?
It is not a good idea to inform potential attackers whether or not the account which they are attempting to log in to exists... otherwise, no special response is necessary (unless the volume of bad requests is impacting performance).
A typical "Invalid username or password" + "Please enter your e-mail address to begin the account retrieval process" form should be served up.
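As an added example (not code from the question or either answer), here is a Python login handler that combines the two suggestions above: it drops submissions that fill the hidden "url" honeypot field, and it returns one generic message whether or not the username exists, verifying a dummy hash for unknown users so response time does not leak account existence either. The user table, passwords and field names are constructed for the example.

```python
import hashlib
import hmac
import os

HONEYPOT_FIELD = "url"  # hidden from humans via CSS display:none; bots fill it
# Same message whether the username exists or not (no account enumeration).
GENERIC_ERROR = ("Invalid username or password. "
                 "Enter your e-mail address below to begin account retrieval.")

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user table for the example: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Verified when the username is unknown, so an unknown account costs the same
# time as a wrong password and timing does not leak account existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)

def handle_login(form: dict, users: dict = USERS) -> dict:
    """Process a login form. Returns the status, the message to show the
    client, and an internal log line. Only the log line says why it failed."""
    if form.get(HONEYPOT_FIELD):
        # Hidden field filled: almost certainly a form-filling bot. Serve the
        # normal error so it learns nothing, but mark it for your own metrics.
        return {"status": "bot", "message": GENERIC_ERROR,
                "log": "honeypot field filled; submission ignored"}
    username = form.get("username", "")
    password = form.get("password", "")
    known = username in users
    salt, expected = users[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    # Always compute and compare a hash, even when the user does not exist.
    matches = hmac.compare_digest(_hash(password, salt), expected)
    if known and matches:
        return {"status": "ok", "message": "Welcome back.",
                "log": f"login ok user={username}"}
    cause = "bad password" if known else "unknown username"
    return {"status": "failed", "message": GENERIC_ERROR,
            "log": f"login failed user={username!r} cause={cause}"}
```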
Brute force works. Period. It doesn't mean they're going to compromise your site but if they try this on enough sites eventually they're going to get in somewhere. It's an unfortunate fact that many websites are poorly designed and/or built and attacks like this work. Basically it's the same principle as spam. Spammers spam because it works. Even if only .01% of users respond when you send out millions of emails that suddenly becomes a lot of users and translates into a lot of money.
If there is any kind of pattern to the usernames or IPs obviously start to block those requests. Otherwise just have faith that your site is built well and isn't vulnerable to this kind of attack.