1. Principle and harm of credential stuffing
“Credential stuffing” is an old concept in cyber security. The Chinese term, 撞库, literally means “collide with the database”. “Collide” implies chance: an attempt is not guaranteed to succeed. The “database” is the store of sensitive data, such as the user name and password we use to log in to a website, as well as mobile phone numbers, ID numbers and other personal information. The English term “credential stuffing” describes the main scenario: trying credential pairs until the right account/password combination is found, which in plain language is “account theft”.
In practice a credential-stuffing attack works as follows: the attacker uses automation tools (such as scripts) to submit a large number of user name/password combinations in bulk to an interface of the target site (typically the login interface), records which combinations log in successfully, and takes over those accounts in preparation for further abuse (such as draining the money in a bank account, selling the virtual goods in a game account, or posting under someone else's identity).
Two things are worth noting about the purpose of credential stuffing: 1. account theft is not its only purpose; 2. verifying whether an account is registered on a site is also a common purpose.
For example, on login failure many sites clearly distinguish between “user does not exist” and “password error”, which means I can tell whether your mobile phone number is registered with the site even without knowing your password. What is that good for? Take the P2P lending industry as an example: if a mobile phone number has been registered on dozens of lending platforms, its owner is probably in poor financial condition (heavily indebted across many lenders), and the risk of lending to him is very high.
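The difference between the two error messages is a code-level decision. The following added example (not from the original article) shows a login handler in the leaky form described above beside a hardened one that returns the same error either way and performs the same password-hash computation even for unknown accounts, so that neither the message nor the response time reveals whether an account exists. The in-memory user table, the phone number and the function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user table for the example: username -> (salt, PBKDF2 hash).
# A real deployment reads these from the account database.
ITERATIONS = 60_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_record(password: str) -> tuple:
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


USERS = {
    "13800000001": new_record("correct horse battery staple"),  # constructed test account
}

# Dummy record used whenever the username is unknown, so the hardened handler
# always performs exactly one PBKDF2 computation whether or not the account
# exists (no timing side channel for enumeration).
_DUMMY_SALT, _DUMMY_HASH = new_record(secrets.token_hex(32))

GENERIC_ERROR = "invalid username or password"


def login_leaky(username: str, password: str) -> str:
    """Vulnerable pattern: the error text tells the caller whether the account
    exists, and unknown accounts return immediately (a timing oracle as well)."""
    record = USERS.get(username)
    if record is None:
        return "user does not exist"
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "password error"
    return "ok"


def login_uniform(username: str, password: str) -> str:
    """Hardened pattern: same error string and same amount of work on every failure."""
    exists = username in USERS
    salt, stored = USERS[username] if exists else (_DUMMY_SALT, _DUMMY_HASH)
    password_ok = hmac.compare_digest(hash_password(password, salt), stored)
    # The dummy hash can never match a submitted password, but requiring `exists`
    # as well makes the intent explicit and survives future refactoring.
    if exists and password_ok:
        return "ok"
    return GENERIC_ERROR


if __name__ == "__main__":
    print(login_leaky("13800000002", "x"), "|", login_uniform("13800000002", "x"))
    print(login_leaky("13800000001", "x"), "|", login_uniform("13800000001", "x"))
```

The same rule applies to registration and password-recovery flows: a response such as “this mobile number is already registered” is an enumeration oracle just like “user does not exist”, so reply identically in both cases (for example, “if this number is registered, a code has been sent”) and rate-limit the endpoint.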
Classified by the attacker's goal, the following scenarios are common:
- Weak-password sniffing: simple passwords such as 111111 or 123456 are used by many people, so testing a large number of accounts against such weak passwords has a fair probability of finding accounts that really use them. This attack generally requires the attacker to hold a large list of accounts plus a library of common weak passwords. If no account list is available, accounts can also be generated, for example mobile phone numbers, which have a fixed format.
- Using dumped database data: this approach has a higher success rate. Its premise is that most people tend to use the same password on multiple sites (how many people use the same password for Taobao and Alipay?). When an attacker breaks into a weakly protected site A, takes all the user name/password combinations from its database and then tries them on site B, anyone registered on both sites with the same password is compromised.
- Brute-force cracking of high-privilege accounts: technically brute force is a different kind of attack from credential stuffing, but it is worth mentioning because the two are similar in both attack method and defence. It targets a small number of high-privilege accounts (such as the site administrator) and tries a large number of passwords against them; the target account is known in advance.
Common credential-stuffing cases observed on the cloud
Once the principle is understood, the harm of credential stuffing is clear. For individual users, it can lead to leaked passwords and stolen accounts, and thus to loss of property or reputation. For enterprises, it not only causes the disclosure of customer information and other business secrets, but also seriously damages the enterprise's reputation and image.
2. Current state of credential-stuffing attacks
Is credential stuffing far from us? What is the actual situation? Based on our analysis of Aliyun WAF traffic we share the following figures; it is not hard to see that credential stuffing is with us day and night, and has become extremely large-scale and professional.
- Number 1: 500,000
This is the number of clustered IP addresses we clearly observe carrying out credential-stuffing attacks every day. Considering that a good number of discrete IP resources used in attacks, such as “second-dial” (rapidly re-dialed dynamic) IP addresses, are not counted, the actual number of IP addresses involved in credential stuffing each day is estimated to be one to two orders of magnitude larger. It is also worth noting that many attack source IPs cluster within the same C segment (a /24 block of 256 consecutive IP addresses): every day we observe more than 200 C segments in each of which more than 200 addresses carry out credential-stuffing attacks.
- Number 2: 448 million
448 million credential-stuffing/brute-force requests are detected in cloud WAF traffic every day. That is a daily figure, which shows how popular credential stuffing has become among attackers.
- Number 3: 630 thousand
This is the total number of credential-stuffing attempts against a single site in one day.
In fact, we observe that in some “hot” industries, such as P2P lending, games, blockchain, credit cards and e-commerce, credential stuffing has been going on continuously on a very large scale, lasting for months or even years alongside the business. Large-scale stuffing has also been found in some unexpected industries (for example Medusa; our guess is that the attacker's intention is to verify whether you are registered on the Medusa site in order to target Medusa-related advertising more precisely).
- Number 4: 83 percent
Looking at the tools used to carry out credential stuffing, more than 83% of attack traffic comes from simple scripts. “Simple scripts” here means scripting tools that can be detected by the simplest human/bot identification methods (such as a JavaScript challenge). Among them, Java tools and Python Requests are the most common.
It is worth noting, however, that in recent years, with the rapid development of crawler technology and the industry around it, “professionals” account for a growing proportion of attacks. These groups hold large amounts of attack resources and the latest crawler technology; the whole industry chain has a fine division of labour upstream and downstream and coordinates smoothly, so the difficulty of defence for an ordinary enterprise is rising rapidly.
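The numbers above point to two signals a defender can compute from their own login logs: a single source failing against many different accounts, and many sources in one C segment (/24) each failing a little. The following added example (not from the original article, and not Aliyun's detection logic) runs both rules over a constructed set of login-attempt log lines. The log format, the documentation-range IP addresses and the thresholds are assumptions for illustration; real thresholds must be tuned on real traffic.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of login-attempt log lines (format assumed for the example):
#   <timestamp> <client_ip> <username> <OK|FAIL>
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 13800000001 FAIL
2024-05-01T10:00:01Z 203.0.113.10 13800000002 FAIL
2024-05-01T10:00:02Z 203.0.113.11 13800000003 FAIL
2024-05-01T10:00:02Z 203.0.113.12 13800000004 FAIL
2024-05-01T10:00:02Z 203.0.113.12 13800000005 FAIL
2024-05-01T10:00:03Z 203.0.113.13 13800000006 OK
2024-05-01T10:00:03Z 203.0.113.14 13800000007 FAIL
2024-05-01T10:00:04Z 198.51.100.7 13800000001 FAIL
2024-05-01T10:00:05Z 198.51.100.7 13800000001 FAIL
2024-05-01T10:00:06Z 198.51.100.7 13800000001 OK
2024-05-01T10:00:07Z 192.0.2.9 13800000008 OK
"""


def parse_log(text: str) -> list:
    """Return (timestamp, ip, username, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append((ts, ip, user, result == "OK"))
    return events


def failed_users_by_ip(events: list) -> dict:
    """Map each source IP to the set of distinct accounts it failed to log into."""
    fails = defaultdict(set)
    for _ts, ip, user, ok in events:
        if not ok:
            fails[ip].add(user)
    return fails


def find_stuffing_sources(events: list, min_users_per_ip: int = 2, min_ips_per_net: int = 3) -> tuple:
    """Return (flagged_ips, flagged_nets).

    A single IP is flagged when it fails against many *different* accounts; a
    legitimate user retrying their own password hits one account only.
    A /24 ("C segment"; /64 for IPv6) is flagged when many distinct addresses in
    it fail logins, which catches attackers that keep each address below the
    per-IP threshold. Thresholds are illustrative.
    """
    fails = failed_users_by_ip(events)
    flagged_ips = {ip for ip, users in fails.items() if len(users) >= min_users_per_ip}

    ips_by_net = defaultdict(set)
    for ip in fails:
        prefix = 64 if ":" in ip else 24
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        ips_by_net[str(net)].add(ip)
    flagged_nets = {net for net, ips in ips_by_net.items() if len(ips) >= min_ips_per_net}
    return flagged_ips, flagged_nets


if __name__ == "__main__":
    ips, nets = find_stuffing_sources(parse_log(SAMPLE_LOG))
    print("suspicious IPs:", sorted(ips))
    print("suspicious segments:", sorted(nets))
```

In the sample, 203.0.113.11 and 203.0.113.14 each fail against only one account and would pass a per-IP rule on their own, yet they are caught because four addresses in 203.0.113.0/24 are failing at the same time. The retrying user at 198.51.100.7 is flagged by neither rule.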
3. Compliance risks brought by credential stuffing
Since the EU privacy law GDPR came into effect, regulators around the world have attached great importance to data protection, and penalties and consequences for breaches have been rising since 2019. Article 4 of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Therefore, even when the leaked data comes from elsewhere and is merely used to carry out a credential-stuffing attack, if the enterprise's own security protection fails to prevent the unauthorised access, that is still a breach. The US Health Insurance Portability and Accountability Act (HIPAA) likewise defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information”. Even if the stored data is encrypted, a successful login with stolen credentials makes the system decrypt it for the attacker just as it would for the owner, so the system and data have still been subjected to unauthorised access, which the HIPAA Privacy Rule does not permit. The companies hit by credential stuffing are victims, but each victim with inadequate security controls becomes part of a snowball effect: the credentials leaked from one breach feed the next.
In the summer of 2019, the credit rating agency Moody's adjusted how it treats the business impact of cybersecurity, adding cyber risk to its credit ratings, and has downgraded listed companies' outlooks from stable to negative on the basis of the business impact of breaches. Moody's move could be only the first domino to fall: credit ratings weigh heavily in the risk assessments and investment decisions investors make when choosing targets. Public companies therefore need to rethink their cybersecurity and compliance approaches, especially as regulations become harder to comply with. On top of that, specific industries face their own additional penalties.
With the explosive growth of IoT devices in recent years, together with the proliferation of public clouds, containers and VMs, a general lack of visibility into data traffic has greatly enlarged the overall attack surface and enterprises' exposure. As data-breach incidents increase, credential stuffing has become a common intrusion method. Each breach can be the key to the next.
4. How to prevent credential-stuffing attacks?
1) Individuals
From the perspective of individual users' self-protection, we offer four suggestions:
- **Try to avoid using the same password on different websites.** Of course there is a natural conflict between human laziness and the security of password mechanisms, and most people find this hard to do. According to third-party statistics, more than 60% of people still use the same password on multiple sites.
- **Use more complex passwords.** Please stop using 123456, 111111…
- **Change commonly used passwords periodically.** Attackers often hold massive “social engineering libraries” of known user name/password combinations, including ones you used on a site years ago; changing passwords regularly shortens the useful life of such data.
- **Enable authentication mechanisms beyond the password.** Many enterprises with good security practice have adopted secondary or multi-factor authentication, such as Apple's two-factor authentication, Google Authenticator, Alipay's face recognition and WeChat's voiceprint. Individual users are advised to turn on such mechanisms wherever they are available.
Top 500 Most commonly used passwords (from Informationisbeautiful)
2) Enterprises
From the enterprise perspective, account security is important and fundamental work, because the account is to a large extent the cornerstone of the business security system. Once account security is lost it only brings more problems, and the cost of remedying them far exceeds the cost of protecting accounts in the first place. Account security is itself a complex piece of systems engineering; here we only give some best practices for the credential-stuffing scenario for reference:
- Enforce password strength for users.
Many sites do this well, but plenty of apps still allow users to choose weak passwords such as 111111. Take special care not to overlook the registration interfaces of mini-programs, apps and other non-web clients.
- Periodically force users to change their passwords.
This mainly applies to internal employees; for end users, remembering a password is already a pain, and forced rotation makes the user experience plummet.
- Strengthen human/bot controls on account-related interfaces.
The interfaces here mainly include login, registration, password recovery and SMS verification-code sending. “Human/bot control” means telling requests from a “machine” apart from those of a “real person” on these interfaces. As noted at the start of this article, in real cases attackers almost never operate manually, so being able to identify and block most of the “machine traffic” aimed at accounts would raise the security level significantly. Commonly used technical means include image CAPTCHAs, blocking IP addresses/sessions that make high-frequency requests, and deploying human/bot-recognition SDK components. However, image CAPTCHAs and similar methods hurt the user experience and can be cracked.
- Use secondary verification for important business processes.
For example, face recognition, fingerprint or voiceprint, SMS/email verification codes, or verifying the last digits of the ID card number can be used to confirm that the current operation comes from the account owner.
- Monitor business-level indicators of abnormal accounts, and deal with risky accounts promptly.
Unlike the human/bot technical measures, this monitors and penalises abnormal accounts mainly from the business perspective (such as high-frequency posting or abnormal transfers), as a supplement to technical controls.
- Use security tools to defend against credential stuffing.
If you are troubled by account security problems such as credential stuffing and lack the professional team or capacity to follow the suggestions above, choose an appropriate security tool. For example, Xinxin Technology's anti-credential-stuffing firewall products can respond effectively to credential-stuffing attacks with little effort on your side. Their built-in AI models for credential stuffing, SMS bombing and other scenarios provide real-time protection for account registration, login, password recovery and similar flows, with a risk dashboard that can be viewed in real time so that the attack-and-defence situation is always under control. From this point of view, choosing a powerful, full-featured security tool often gets twice the result for half the effort.
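Two of the controls above, enforcing password strength and blocking IP addresses or sessions that make high-frequency requests, are straightforward to implement in application code. The following added example (not from the original article or from any vendor product) shows a registration-time password policy check and a sliding-window throttle applied to account interfaces by source IP and by target account together. The blocklist, limits and window sizes are constructed for illustration; a real deployment would load a large leaked-password list and tune the limits on its own traffic.

```python
import time
from collections import defaultdict, deque

# Constructed, deliberately tiny blocklist; load a large leaked/common-password
# list in production.
COMMON_PASSWORDS = {
    "123456", "111111", "123456789", "12345678", "password", "qwerty", "abc123", "123123",
}
MIN_LENGTH = 12


def check_password_policy(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")  # catches 111111111111
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` within any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class AccountGate:
    """Throttle account interfaces (login, registration, password reset, SMS code)
    by source IP and by target account at the same time.

    Stuffing rotates accounts, so the per-IP limit is what catches it; the
    per-account limit covers brute force against one user. Throttling instead of
    locking keeps the control from becoming a denial-of-service lever against users.
    """

    def __init__(self, clock=time.monotonic):
        self.per_ip = SlidingWindowLimiter(limit=20, window_seconds=60, clock=clock)
        self.per_account = SlidingWindowLimiter(limit=5, window_seconds=300, clock=clock)

    def allow(self, ip: str, account: str) -> bool:
        # Short-circuit: an IP already over its limit does not also consume
        # the target account's budget.
        return self.per_ip.allow(ip) and self.per_account.allow(account)


class FakeClock:
    """Controllable clock so the throttle can be demonstrated without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    print(check_password_policy("111111"))
    clock = FakeClock()
    gate = AccountGate(clock=clock)
    # Stuffing pattern: one IP, a different account on every attempt (constructed).
    verdicts = [gate.allow("203.0.113.10", f"1380000{i:04d}") for i in range(25)]
    print("allowed before throttle:", verdicts.count(True))
```

Per-IP limits alone are not sufficient against the distributed sources described in section 2; pair them with segment-level (/24) aggregation and with the human/bot measures above, and keep the error response identical whether a request was throttled for the IP or for the account so the throttle itself does not become an enumeration oracle.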
5. Conclusion
Where there are people there is conflict, and where there are accounts there is credential stuffing. The password system was born of security needs, yet it also brings the risk of credential stuffing. We believe passwords will increasingly be replaced by better and more secure authentication methods, though these may bring privacy and compliance issues of their own. The best solution always seems to lie in a balance between security, convenience and privacy. At present the user name/password form still dominates account management on the vast majority of sites, so the account security issues represented by credential stuffing still deserve sufficient attention from both individual users and enterprises. We hope this article provides some reference and helps build a safer Internet together!