Reducing the Risk of Brute Force attacks used to reveal Firebird User Passwords
-------------------------------------------------------------------------------
Key: CORE-5789
URL: http://tracker.firebirdsql.org/browse/CORE-5789
Project: Firebird Core
Issue Type: Improvement
Components: Security
Affects Versions: 3.0.3
Environment: All
Reporter: Tony Whyman
User authentication mechanisms such as SRP are already resistant to brute force
attacks where an attacker cycles through many different passwords in an attempt
to login to a user account. However, a brute force attack will always succeed
given a long enough period in which to sustain the attack. It is thus important
that attackers are given limited windows of opportunity in which to conduct a
brute force attack.
At present, it appears that Firebird allows a user an unlimited number of
failed login attempts without reporting a possible brute force attack. The
only mitigation to brute force attacks appears to be an eight second delay
inserted after every fourth failed login (see src/remote/server/server.cpp in
the Firebird source tree). This still allows an attacker to cycle through 60/8
* 4 * 60 * 24 = 43200 failed logins per day. That is, after only four days or so
an attacker could cycle through all 171,476 words in the Oxford English
Dictionary.
Given that Firebird does not enforce any rules for password selection, the
tendency for users to select common passwords, the availability of dictionaries
of well used passwords and the lack of any alert sent to a DBA to warn about an
attack, it probably will not take many days to break a Firebird user's password
without anyone being aware that this has been done.
There is a need both to log failed login attempts, so that a System
Administrator is aware of a possible attack, and to rate limit login attempts
in order to frustrate the attacker.
http://tracker.firebirdsql.org/browse/CORE-5786 has reported the need to record
failed login attempts in a suitable log file.
Additionally, Firebird should implement some form of advanced rate limiting to
restrict the rate of failed login attempts for a given user. This might be by:
* Inserting a delay time between receiving a failed login request and reporting
the failure to the client.
* Increasing that delay exponentially with each successive failed login for a
given user, between receiving the failed login request and reporting the
failure to the client.
* Rate limiting the total number of failed login attempts for each user from a
given remote system during a given period to a configurable number.
--
This message is automatically generated by JIRA.
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel