Barracuda Web Application Firewall

Credential Attack Protection

The Advanced Bot Protection (ABP) feature provides protection against credential stuffing and credential spraying. The feature requires the purchase of an ABP license.

Credential Stuffing Protection

Credential stuffing is used to perform account takeover attacks through the automated injection of breached username/password pairs. This method uses stolen email and password logins from other sources to gain unauthorized access to accounts. Attackers leverage large numbers of leaked credentials in an automated fashion against numerous websites, attempting to take over user accounts by exploiting credential reuse. The attacker acquires these spilled usernames and passwords from a website breach and uses an account checker (such as SentryMBA) to test the stolen credentials against many websites. Successful logins allow the attacker to take over the account matching the stolen credentials.

The Barracuda ABP system uses a cloud-based database of breached credentials to validate incoming login requests. When a match for the incoming credentials is found, the Barracuda Web Application Firewall can be configured to alert the administrator and/or block such login requests.

The Barracuda Web Application Firewall does not transmit the complete username or password to the Barracuda ABP cloud for validation. The username/password is hashed, and only the first 16 characters of the hash are transmitted to the cloud for validation.

The BOT MITIGATION > Bot Mitigation page allows you to enable Credential Stuffing Protection.

  1. On the BOT MITIGATION > Bot Mitigation page, select Edit from the Options drop-down list for the desired Bot Mitigation policy.
  2. From the Authentication Type drop-down list, select the method that the web server should use to authenticate the login credentials for a web user.
    1. HTML Form - The web application uses a form to collect and authenticate user credentials. You also need to configure the username and password parameters as they are named in the code of the HTML form.
    2. HTTP Basic Authentication - The username and password are transmitted Base64-encoded and stored on the server in plain text.
    3. JSON/AJAX Request - The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. You also need to configure the names of the JSON elements containing the username and password parameters.
  3. From the options available for Protection Type, choose Credential Stuffing Protection.

  4. Configure the following values:

    1. Username Parameter – Specifies the username field in the web page from which the actual username can be extracted by the Barracuda Web Application Firewall.
    2. Password Parameter – Specifies the password field in the web page from which the actual password can be extracted by the Barracuda Web Application Firewall.
  5. Click Save.

Credential Spraying Protection

In this type of protection, the Barracuda Web Application Firewall checks the incoming usernames and passwords independently against the databases. Since this protection is bound to the Brute Force Prevention feature, the Brute Force counter starts and identifies credential spraying attempts when either the username or the password matches the databases. However, if both the username and the password match the databases, the attack is detected immediately and the follow-up action is enforced.

  1. On the BOT MITIGATION > Bot Mitigation page, select Edit from the Options drop-down list for the desired Bot Mitigation policy.
  2. From the Authentication Type drop-down list, select the method that the web server should use to authenticate the login credentials for a web user.
  3. From the options available for Protection Type, choose Credential Spraying Protection.

  4. Click OK.
  5. Configure the following values:

    • Username Parameter – Specifies the name of the username parameter.
    • Password Parameter – Specifies the name of the password parameter.
    • Block Threshold - The maximum number of requests with credential spraying detections to be allowed for the time specified in "Count Window" (under the Brute Force Prevention Configuration), after which the requests will be blocked.
  6. Click Save.

  • It is recommended to mask the password field using the mask sensitive data feature.
  • It is recommended to enable Brute Force Prevention on the URL where credential stuffing protection is enabled.
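The following is an added Python model of the detection rules described above (immediate detection when both fields match, a windowed counter when only one does) together with the hash-prefix lookup from the Credential Stuffing section. It is not Barracuda code: it assumes SHA-256 as the hash, a locally constructed stand-in for the cloud database, and a counter kept per client IP, none of which the page specifies.

```python
import hashlib
from collections import defaultdict, deque

# Constructed stand-in for the breached-credential database (not the Barracuda
# ABP cloud). Assumption: SHA-256 hex digests, indexed by the first 16
# characters of the hash, as the page describes for the data sent to the cloud.
BREACHED_USERNAMES = {"alice@example.com", "bob@example.com"}
BREACHED_PASSWORDS = {"Password123", "Summer2023!"}


def hash_prefix(value: str, length: int = 16) -> str:
    """Return only the first `length` hex characters of the SHA-256 hash,
    so the full username or password never leaves the appliance."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:length]


BREACHED_USER_PREFIXES = {hash_prefix(u) for u in BREACHED_USERNAMES}
BREACHED_PASS_PREFIXES = {hash_prefix(p) for p in BREACHED_PASSWORDS}


class SprayingDetector:
    """Both fields match -> block at once; one field matches -> count it and
    block once Block Threshold is exceeded within Count Window.
    Assumption: the counter is kept per client IP (the page does not say)."""

    def __init__(self, block_threshold: int = 3, count_window: int = 60):
        self.block_threshold = block_threshold
        self.count_window = count_window  # seconds
        self.hits = defaultdict(deque)    # client_ip -> timestamps of partial matches

    def evaluate(self, client_ip: str, username: str, password: str, now: float) -> str:
        user_hit = hash_prefix(username) in BREACHED_USER_PREFIXES
        pass_hit = hash_prefix(password) in BREACHED_PASS_PREFIXES
        if user_hit and pass_hit:
            return "BLOCK"            # spraying detected immediately
        if not (user_hit or pass_hit):
            return "ALLOW"            # nothing breached, counter unchanged
        window = self.hits[client_ip]
        window.append(now)
        while window and now - window[0] > self.count_window:
            window.popleft()          # drop hits outside Count Window
        if len(window) > self.block_threshold:
            return "BLOCK"            # Block Threshold exceeded
        return "COUNT"                # allowed, but counted


if __name__ == "__main__":
    det = SprayingDetector(block_threshold=3, count_window=60)
    print(det.evaluate("10.0.0.1", "alice@example.com", "Password123", 0))  # BLOCK
    for t in (10, 11, 12, 13):  # three partial matches counted, the fourth blocked
        print(det.evaluate("10.0.0.2", "carol@example.com", "Summer2023!", t))
```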