How to protect against credential stuffing on AWS

Credential Stuffing is an attack against a web application’s login mechanism. It belongs to the Brute Force family of attacks outlined in the OWASP Top Ten. It is a major threat for the retail and gaming industries, but is not confined to them. Credential Stuffing usually replays known username and password pairs, which are typically obtained from data breaches, pastebin dumps, dark web e-commerce sites and similar sources.

There are some very similar attack types that have the same impact as Credential Stuffing, and this post will outline the application and infrastructure security mechanisms you should use to help prevent Credential Stuffing attacks. The focus of this post is AWS cloud hosting, but the approach applies to other hosting platforms too. It is also key to keep the security approaches separated by layer, so that each control is designed and implemented by the right people in the right layer.

Attack Type          | Description
Brute Force          | Testing multiple passwords from a dictionary or other source against a single account.
Credential Stuffing  | Testing username/password pairs obtained from the breach of another site.
Password Spraying    | Testing a single weak password against a large number of different accounts.

A Credential Stuffing attack can come from a single person using one IP address, or from a group of attackers using many different IPs and bots. It is key that we are able to distinguish an honest user who attempts to log in several times from a malicious login attempt.

Single User IP, Multiple Different Account Logins. This is usually the script kiddie or hacker n00b. These attacks are easy to detect and easy to defend against, and once the defences are implemented they will usually deter the would-be attacker off to a less secure site. Most attackers use the same free, open source automated tools, such as Sentry MBA, Vortex and Account Hitman, to carry out the attacks. All you need is a computer, an internet link, the tool and a data breach dump.

  • Elastic Load Balancer (Infrastructure Security Control)
  • AWS WAF (Infrastructure Security Control)
  • AWS CloudFront (Infrastructure Security Control)
  • AWS Shield (Infrastructure Security Control)
  • Multi Factor (Business Driven Option) (Application Security Control)
  • CAPTCHA (Application Security Control)
  • Block/BlackList IP (Application Security Control)
  • Rate Limit Header (Application Security Control)
  • Block Headless Browsers (Application Security Control)

Multiple IPs, Multiple Different Account Logins. This is not a script kiddie or n00b; take this attack seriously, because the actors carrying it out are very serious. This multi-layered attack usually comes from a group of attackers and sometimes uses very sophisticated evasive techniques. To protect against this type of attack we must be prepared to go a lot deeper in our defences. The tools used to carry out these attacks include custom proxies, STORM, Black Bullet, Private Keeper, SNIPR, Sentry MBA, WOXY, Account Hitman and more.

  • Elastic Load Balancer (Infrastructure Security Control)
  • Commercial WAF (F5) (Infrastructure Security Control)
  • AWS WAF (Infrastructure Security Control)
  • Honey Pot Redirection (Infrastructure Security Control)
  • AWS CloudFront (Infrastructure Security Control)
  • AWS Shield (Infrastructure Security Control)
  • AWS Route 53 (Infrastructure Security Control)
  • CAPTCHA (Application Security Control)
  • Two Step Login Process (Application Security Control)
  • Multi Factor (Business Driven Option) (Application Security Control)
  • Block/BlackList IP (Application Security Control)
  • Finger Print Client (Application Security Control)
  • Rate Limit Header (Application Security Control)
  • Rate Limit on Non residential ASN (Application Security Control)
  • Require JavaScript (Application Security Control)
  • Block Headless Browsers (Application Security Control)

In the architecture above we can see an AWS WAF service implemented. Upon detection of a known bad request, the logs of that request are filtered through various log services in order to update the WAF so that it automatically blocks further attempts from the now-known bad IP or IP range. The WAF service offers the following protections against Credential Stuffing and related attacks:

  • Whitelist: a rule to allow known good IPs.
  • Blacklist: a rule to block known bad IPs.
  • SQL Injection: a rule to block common patterns in the URI, query string or body of a request that indicate SQL Injection.
  • XSS Injection: a rule to block common patterns in the URI, query string or body of a request that indicate XSS.
  • HTTP Flood: detects a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute force login attempt.
  • Scanners & Probes: this component parses application access logs searching for suspicious behaviour, such as an abnormal number of errors generated by an origin. It then blocks those suspicious source IP addresses for a customer-defined period of time.
  • IP Reputation Lists: this component is the IP Lists Parser AWS Lambda function, which checks third-party IP reputation lists hourly for new ranges to block.
  • Bad Bot: this component automatically sets up a honeypot, a security mechanism intended to lure and deflect an attempted attack.

Combining AWS Shield with AWS CloudFront and AWS WAF gives us a comprehensive DDoS and brute force protection architecture. Coupled with our application security controls, we now have a much more robust, dynamic and automated way to stop the various brute force attacks, Password Spraying, Credential Stuffing and DDoS attacks.
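The log analysis that feeds the WAF block list needs to tell the two patterns above apart: one IP failing against many accounts, one IP hammering a single account, and the distributed case where no single IP trips a per-IP threshold. The following is an added example and not code from the original post; the login log format, the thresholds and the RFC 5737 test addresses are assumptions, and the returned IP map is what you would push into the WAF blacklist rule.

```python
from collections import defaultdict

# Thresholds are assumptions for this example; tune them to your own login traffic.
MAX_ACCOUNTS_PER_IP = 5  # distinct usernames one IP may fail against
MAX_FAILS_PER_PAIR = 5   # failed attempts one IP may make against one account
MIN_FAIL_RATIO = 0.8     # breached credentials mostly miss, so stuffing runs fail a lot

def _lines(ip, users, result):
    # Constructed log format: "<timestamp> <client_ip> <username> <OK|FAIL>"
    return [f"2024-01-01T00:00:00Z {ip} {u} {result}" for u in users]

# Constructed sample traffic (RFC 5737 test addresses), not real logs.
SAMPLE_LOG = "\n".join(
    _lines("203.0.113.5", [f"user{i}" for i in range(8)], "FAIL")  # one IP, many accounts
    + _lines("203.0.113.9", ["alice"] * 7, "FAIL")                   # one IP, one account
    + _lines("198.51.100.2", ["bob"], "OK")                          # ordinary users
    + _lines("198.51.100.3", ["carol", "carol"], "FAIL")
    + _lines("198.51.100.3", ["carol"], "OK"))

def parse(log_text):
    """Yield (ip, username, succeeded) per well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3] == "OK"

def analyse(log_text, max_accounts=MAX_ACCOUNTS_PER_IP,
            max_fails=MAX_FAILS_PER_PAIR, min_fail_ratio=MIN_FAIL_RATIO):
    """Return ({ip: reason}, distributed): IPs for the WAF block list, plus a flag set
    when the remaining low-volume IPs together still fail broadly like a botnet."""
    fails, accounts, attempts = defaultdict(int), defaultdict(set), defaultdict(int)
    for ip, user, ok in parse(log_text):
        attempts[ip] += 1
        if not ok:
            fails[(ip, user)] += 1       # (ip, user) -> failed attempts
            accounts[ip].add(user)       # ip -> usernames it failed against
    block = {}
    for ip, users in accounts.items():
        if len(users) > max_accounts:    # one IP, many accounts
            block[ip] = "credential_stuffing"
    for (ip, user), n in fails.items():
        if n > max_fails and ip not in block:  # one IP, one account, many tries
            block[ip] = "brute_force"
    rest = [ip for ip in attempts if ip not in block]
    rest_attempts = sum(attempts[ip] for ip in rest)
    rest_fails = sum(n for (ip, _), n in fails.items() if ip in rest)
    rest_accounts = set().union(*(accounts[ip] for ip in rest))
    distributed = (rest_attempts > 0 and rest_fails / rest_attempts >= min_fail_ratio
                   and len(rest_accounts) > max_accounts)
    return block, distributed
```

A distributed flag with an empty block map is the signal that per-IP blocking is no longer enough and the deeper controls from the second list (client fingerprinting, required JavaScript, ASN-based rate limits) need to take over.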

Route 53: You can use Amazon Route 53 to configure DNS health checks to route traffic to healthy endpoints or to independently monitor the health of your application and its endpoints. Amazon Route 53 Traffic Flow makes it easy for you to manage traffic globally through a variety of routing types, including Latency Based Routing, Geo DNS, Geoproximity, and Weighted Round Robin—all of which can be combined with DNS Failover in order to enable a variety of low-latency, fault-tolerant architectures.

AWS Shield: Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency. There are two tiers of AWS Shield – Standard and Advanced.

AWS CloudFront: Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront is integrated with AWS – both physical locations that are directly connected to the AWS global infrastructure, as well as other AWS services. CloudFront works seamlessly with services including AWS Shield for DDoS mitigation, Amazon S3, Elastic Load Balancing or Amazon EC2 as origins for your applications, and Lambda@Edge to run custom code closer to customers’ users and to customize the user experience. Lastly, if you use AWS origins such as Amazon S3, Amazon EC2 or Elastic Load Balancing, you don’t pay for any data transferred between these services and CloudFront.

AWS WAF: AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customisable web security rules.