E-commerce sites will always be a hot target for cyberattacks, they are treasure troves of personal and financial data. And for businesses of all sizes, the cost of a breach both in loss of data or customer trust can be hugely damaging. 

E-commerce business owners are all too aware of these issues and are increasing their security measures. The VMWare Carbon Black 2020 Cybersecurity Outlook Report found that 77% of businesses surveyed had purchased new security products in the last year and 69% had increased security staff. 

Most of the Wallarm e-commerce customers are running WAF protection with Brute-Force attacks protection functionality. That helps to address common cyber attackers’ techniques & secure smooth operation in peak hours & days. 

What is Brute-Force and DirBuster attack?

Brute-Force is a method of hacking accounts by guessing passwords for them. It is one of the most popular methods to crack passwords for accounts of websites.

The Brute-Force software generates password variations or uses lists and checks each one. Theoretically, it is always possible to find a password this way, but the time taken may not justify the goal. However, as the password length and difficulty grows, Brute-Force becomes inconvenient and much more time-consuming.

There are the following classes of Brute‑Force attacks:

  • Passwords Brute‑Forcing
  • Session identifiers Brute‑Forcing
  • Forced browsing (DirBuster)
  • Credentials stuffing

A directory traversal attack is a type of Brute-Force attack by which a hacker tries to get both an understanding of your website structure and potential access to files that have not been protected from public access. And Dirstalk, a modern alternative to outdated DirBuster, is a tool created to discover the existing files and directories, even the hidden ones, in a web server using pure Brute-Force.

How Wallarm handles Brute-Force attacks?

When Brute-Force protection is enabled, each time Wallarm’s WAF filtering node detects an excessive number of requests from a public IP,  this IP automatically gets blacklisted. Using the Trigger feature, it is possible to get notified each time an attack is detected or/and blocked. This feature allows Wallarm customers to define rules for protecting specific endpoints (URLs) from the excessive number of valid requests. However, there are some restrictions – Wallarm WAF analyzes only HTTP traffic for Brute‑Force attacks.

How Wallarm detects DirBuster attacks?

If a client IP address will exceed the number of HTTP 404 responses within the defined time window, it will be added to the blacklist. It is possible to configure the feature by two parameters: time window size (by default – 30 seconds) and a number of “File Not Found” HTTP responses (HTTP status code 404) returned by the protected web server during the time window (by default – 30 HTTP 404 errors).

How to enable DirBuster and Brute-Force protection in Wallarm?

The Brute-Force and DirBuster protection features are not enabled by default in Wallarm WAF, but if you need them – our technical support team will enable and configure them on demand.

Initially, the features are enabled in “monitoring” mode (even when the WAF is working in blocking mode) with default threshold settings of 30 requests in 30 seconds window.

To enable Brute-Force protection, the customer will need to provide some additional data:

  • URL to protect (like “https://www.myapp.com/v1/login”)
  • Time window (for example, 5 minutes)
  • Maximal number of valid requests allowed to hit the URL within the defined time window from a single IP address (for example, 10 requests)

The activation is performed in four steps:

  1. Initial activation in “monitoring” mode
  2. Review of generated alerts and fine-tuning of WAF configuration
  3. Activation of the features in blocking mode (with the help of technical support) and enablement of NGINX blacklist synchronization 
  4. Regular reviews of generated alerts for possible false positives and fine-tuning of WAF configuration

After activation, new attack labels – “Brute-Force” or “Forced Browsing” (the public term for DirBuster attacks) – will be displayed in the Wallarm UI console. Further, the customer should work with our technical support to fine-tune the configuration: analyze reported URLs and decide whether to increase blocking thresholds for mentioned URLs.

You can configure Wallarm WAF Triggers to set notifications & rules to address Brute-Force attacks following Triggers documentation step by step guide. 

When Brute-Force and DirBuster attack detection level satisfies the customer, the features can be enabled in blocking mode. It is still important to keep monitoring the UI console for the attacks to avoid blocking legitimate requests from increased customer traffic. Demo video is available here.