Why Botnets Work: Distributed Brute-Force Attacks Need No Synchronization

In September 2017, the McAfee Labs quarterly report estimated that brute-force attacks represent 20% of total network attacks, making them the most prevalent type of attack, tied with browser-based vulnerabilities. These attacks sometimes have catastrophic consequences, and understanding their fundamental limits may play an important role in the risk assessment of password-secured systems and in the design of better security protocols. While some solutions exist to prevent online brute-force attacks that originate from a single IP address, attacks performed by botnets are more challenging. In this paper, we analyze these distributed attacks using a simplified model. Our aim is to understand the impact of distribution and asynchronization on the overall computational effort necessary to breach a system. Our result is based on guesswork, a measure of the number of queries (guesses) made before a correct sequence, such as a password, is found in an optimal attack. Guesswork is a direct surrogate for the time and computational effort of guessing a sequence from a set of sequences with associated likelihoods. We model the lack of synchronization by a worst-case optimization in which the queries made by multiple adversarial agents are received in the worst possible order for the adversary, resulting in a min–max formulation. We show that, even without synchronization, and for sequences of growing length, the asymptotically optimal performance is achievable by using randomized guesses drawn from an appropriate distribution. Therefore, randomization is key to distributed asynchronous attacks. In other words, asynchronous guessers can asymptotically perform brute-force attacks as efficiently as synchronized guessers.
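The quantities the abstract relies on can be computed directly for a small password distribution, which makes the argument concrete from a defender's point of view: how many queries an optimal ordered guesser needs, how many an uncoordinated set of randomized guessers needs regardless of the order in which their queries arrive, and why the gap between the two vanishes on a per-symbol scale as the sequence length grows. The block below is an added example written for this page, not code from the paper or its authors. The password distribution is constructed; the guessers are assumed to draw their queries independently from a distribution `q`, and the tilt `q` proportional to `sqrt(p)` used here is the minimiser of `sum(p/q)` by Cauchy–Schwarz (the abstract does not state which distribution the paper uses). The bounds attributed to Arikan are his 1996 guessing inequalities for the first moment.

```python
"""Guesswork of a password distribution: optimal ordered guessing versus
asynchronous randomized guessing.

Constructed example for illustration; not the paper's code. Assumptions:
every query from every agent is an independent draw from q (no coordination),
and q ~ sqrt(p) is used as the tilted guessing distribution (my choice, the
minimiser of sum(p/q), not necessarily the paper's exact distribution).
"""
import itertools
import math
import random


def optimal_guesswork(p):
    """E[G] for a single synchronized attacker guessing in decreasing order
    of probability: the r-th most likely sequence costs r queries."""
    ranked = sorted(p, reverse=True)
    return sum(r * pr for r, pr in enumerate(ranked, start=1))


def randomized_guesswork(p, q):
    """Expected total queries when each query (from any agent, in any
    arrival order) is an independent draw from q. Given target x the count
    is geometric with success probability q[x], so E[G] = sum_x p[x]/q[x].
    Arrival order is irrelevant, so this is also the worst-order (min-max) cost."""
    return sum(px / qx for px, qx in zip(p, q))


def sqrt_tilt(p):
    """q proportional to sqrt(p). By Cauchy-Schwarz, (sum sqrt p)^2 <= sum p/q
    with equality iff q ~ sqrt(p), so this q minimises randomized_guesswork
    and attains Arikan's upper bound (sum sqrt p)^2 on the optimal E[G]."""
    s = [math.sqrt(px) for px in p]
    z = sum(s)
    return [si / z for si in s]


def arikan_lower_bound(p):
    """Arikan (1996): E[G_opt] >= (sum sqrt p)^2 / (1 + ln M), M = alphabet size."""
    m = len(p)
    return sum(math.sqrt(px) for px in p) ** 2 / (1 + math.log(m))


def duplicated_list_worst_case(p, k):
    """k uncoordinated agents that all replay the same ordered list, with
    queries arriving in the worst order for them (every agent's r-th guess
    lands before anyone's (r+1)-th). Rank r is found at query k(r-1)+1, so
    E[G] = k(E[G_opt] - 1) + 1: duplication wastes roughly a factor k."""
    ranked = sorted(p, reverse=True)
    return sum((k * (r - 1) + 1) * pr for r, pr in enumerate(ranked, start=1))


def product_distribution(p, n):
    """Distribution of length-n sequences with i.i.d. symbols drawn from p."""
    return [math.prod(seq) for seq in itertools.product(p, repeat=n)]


def exponents(p, n):
    """Per-symbol growth rates (1/n) log2 E[G] for the optimal ordered guesser
    and for sqrt-tilted randomized guessing over length-n sequences.
    The randomized rate is exactly log2((sum sqrt p)^2); Arikan's lower bound
    puts the optimal rate within log2(1 + n ln M)/n of it, which tends to 0."""
    pn = product_distribution(p, n)
    opt = math.log2(optimal_guesswork(pn)) / n
    rnd = math.log2(randomized_guesswork(pn, sqrt_tilt(pn))) / n
    return opt, rnd


def simulate_async(p, q, agents, trials, seed=0):
    """Monte Carlo check of randomized_guesswork: `agents` uncoordinated
    guessers each fire one independent draw from q per round; count total
    queries until one of them names the target drawn from p."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        target = rng.choices(range(len(p)), weights=p)[0]
        queries = 0
        found = False
        while not found:
            for _ in range(agents):
                queries += 1
                if rng.choices(range(len(q)), weights=q)[0] == target:
                    found = True
                    break
        total += queries
    return total / trials


if __name__ == "__main__":
    # Constructed 4-symbol password distribution.
    p = [0.5, 0.25, 0.125, 0.125]
    print("optimal ordered:", optimal_guesswork(p))
    print("random, q=p:", randomized_guesswork(p, p))
    print("random, q~sqrt(p):", randomized_guesswork(p, sqrt_tilt(p)))
    print("2 agents replaying the same list, worst order:",
          duplicated_list_worst_case(p, 2))
    print("exponents at n=4 (optimal, randomized):", exponents(p, 4))
    print("simulated 3 async agents:", simulate_async(p, sqrt_tilt(p), 3, 2000))
```

Two things the numbers make visible. Replaying one ordered list from several uncoordinated bots is strictly worse than a single bot, because the worst-case interleaving makes them spend queries on each other's guesses; independent randomized draws have no such penalty, and their cost does not depend on arrival order at all. At the same time the randomized cost exceeds the optimal ordered cost by at most a factor `1 + n ln M`, polynomial in the sequence length, so on the exponential scale the two coincide, which is the abstract's claim. For a defender, the practical reading is that rate-limiting per source address does not change the total guesswork a botnet needs; only the distribution of the secrets, or a cap on total queries, does.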
