[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

Owen DeLong owen at delong.com
Fri Feb 26 14:50:08 EST 2021


Has ARIN considered exponential time locking access from IPs generating excessive authentication failures?

(e.g. if an IP address sources 10 authentication errors in an hour, block that IP address from further attempts
for 5 minutes on the first occurrence, 10 minutes if it happens again, 20 minutes for a third incident, etc.).
Any successful authentication should reduce the repeat count by one.

It’s very unlikely anyone legitimate is going to source 10 failed authentications in an hour, and even if they do,
a 5 minute lockout isn’t going to be all that painful.

Owen
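
The lockout schedule proposed above, as an added example that is not part of the original message or of ARIN's systems: 10 failures from one IP within an hour start a 5-minute block that doubles on each repeat, and a success lowers the repeat count by one. The names (`IPLockout`, `simulate`), ignoring attempts made during a block, and clearing the failure window when a block starts are assumptions of this sketch.

```python
from collections import deque

THRESHOLD = 10    # failed logins per window that trigger a block (from the message)
WINDOW = 3600     # one hour, in seconds
BASE_LOCK = 300   # first block is 5 minutes; each repeat doubles it

class IPLockout:
    """Per-IP exponential lockout; the caller supplies times in seconds."""
    def __init__(self):
        self.failures = {}       # ip -> deque of recent failure timestamps
        self.repeats = {}        # ip -> blocks issued, minus later successes
        self.locked_until = {}   # ip -> time at which the current block ends

    def is_blocked(self, ip, now):
        return now < self.locked_until.get(ip, 0)

    def record_failure(self, ip, now):
        """Count one failed login; return the block length started (0 if none)."""
        if self.is_blocked(ip, now):
            return 0                             # assumption: not counted while blocked
        q = self.failures.setdefault(ip, deque())
        q.append(now)
        while q[0] <= now - WINDOW:              # forget failures older than an hour
            q.popleft()
        if len(q) < THRESHOLD:
            return 0
        n = self.repeats.get(ip, 0)
        lock = BASE_LOCK * 2 ** n                # 5, 10, 20, ... minutes
        self.repeats[ip], self.locked_until[ip] = n + 1, now + lock
        q.clear()                                # assumption: next block needs 10 new failures
        return lock

    def record_success(self, ip, now):
        """A successful login lowers the repeat count by one, never below zero."""
        if not self.is_blocked(ip, now):
            self.repeats[ip] = max(0, self.repeats.get(ip, 0) - 1)

def simulate(events):
    """Replay (seconds, ip, ok) tuples; return the (time, ip, length) blocks started."""
    guard, locks = IPLockout(), []
    for now, ip, ok in events:
        if ok:
            guard.record_success(ip, now)
        elif (lock := guard.record_failure(ip, now)):
            locks.append((now, ip, lock))
    return locks

# Constructed sample: one documentation-range address failing three bursts of 10.
SAMPLE = [(b + t, "203.0.113.7", False) for b in (0, 400, 1100) for t in range(10)]
```

The caller is expected to check `is_blocked` before evaluating credentials, so a blocked address cannot authenticate its way out of a block.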


> On Feb 19, 2021, at 11:13 , John Sweeting <jsweeting at arin.net> wrote:
> 
> Mike, while we are not entirely sure of the motives, you have definitely outlined a few that we are looking at. See Inline:
> 
> On 2/19/21, 11:00 AM, "ARIN-consult on behalf of Mike Burns" <arin-consult-bounces at arin.net on behalf of mike at iptrading.com> wrote:
> 
>    Does anybody know why ARIN and RIPE are being attacked in this way?
>    Is the purpose merely credential discovery or would access be used in a
>    nefarious way?
> 
> (JS) ARIN believes that the purpose of credential stuffing is for the purpose of using the resources associated with the account in nefarious ways. 
> 
>    In ARIN these credentials would not allow for the sale of an address block.
> 
> (JS) That is correct, the rigorous process and procedure for completing a transfer would not allow for someone that merely has access to an account's resources to transfer them.
> 
>    But they could allow for rDNS entries that would enable mailing on a
>    hijacked block.
> 
> (JS) that is correct as well and yes, we have seen instances of this in the past. We have learned that several "market places" for leasing of resources require proof of control of the IP resources in order to list them. This is one of the "prove you control these blocks" methods.
> 
>    And I suppose they could facilitate the leasing out of the block through ROA
>    generation.
> 
> (JS) Again correct, we have also confirmed that this is another "proof of control" that is used.
> 
>    Any thoughts on the reason behind these recent attacks on two RIRs?
> 
> (JS) ARIN continues to capture forensics and will absolutely cooperate with law enforcement agencies when deemed the correct course of action. ARIN is meticulously gathering and logging all forensics associated with these attacks. The numbers are somewhat staggering as noted here in a recent attack:
> 
> Login Harvesting Attack Metrics
> Invalid Password: 9,711
> Invalid Captcha: 249,205
> Invalid Username: 10,999,044
> 
> As you can see the attacks are extremely onerous and the amount of data associated with each attack makes it a challenge to identify the true aspirations of the people behind the attacks. We have developed much of the captured data and are currently in the process of analyzing it in order to develop and deploy deterrents to stop this. While we cannot go into specifics there is a significant amount of information captured in order to aid law enforcement agencies to become involved. 
> 
>    Are the attacked usernames targeted in any way, like associated with blocks
>    that aren't currently in use?
> 
> (JS) Still unable to get to that level of detail but it does appear to be true.
> 
>    Maybe if the purpose of the attackers was clear, the security solution would
>    be easier to consider.
> 
> (JS) ARIN has taken several measures to make these attempts less effective and we are currently coding additional safeguards such as the topic of this consultation. Rest assured that this is of the highest priority to ARIN. 
> 
>    Regards,
>    Mike Burns
>    IPTrading.com
> 
> 
>    -----Original Message-----
>    From: ARIN-consult <arin-consult-bounces at arin.net> On Behalf Of William
>    Herrin
>    Sent: Thursday, February 18, 2021 12:20 PM
>    To: Michael Richardson <mcr at sandelman.ca>
>    Cc: <arin-consult at arin.net> <arin-consult at arin.net>
>    Subject: Re: [ARIN-consult] Consultation on Password Security for ARIN
>    Online Accounts
> 
>    On Thu, Feb 18, 2021 at 9:06 AM Michael Richardson <mcr at sandelman.ca> wrote:
>> William Herrin <bill at herrin.us> wrote:
>>> I don't know the current state of ARIN's account recovery process but
>>> unless ARIN first gets religion for it, there's not much point in
>>> forcing 2FA in the primary authentication path. "Click this email link
>>> to reset your password" is single-factor and not even strong
>>> single-factor.
>> 
>> ARIN requires a phone call.
> 
>    Hi Michael,
> 
>    That's single-factor: control of a phone number.
> 
>    AT&T defended itself from a lawsuit a year or two ago where someone lost
>    millions of dollars of bitcoin because a hacker was able to get AT&T to
>    activate a new phone with their phone number and then use that to reset the
>    brokerage password. AT&T's position, which the court accepted, was that cell
>    phone service was not advertised as or secured to a standard appropriate for
>    authentication thus anyone who relied on it for such did so at their own
>    risk.
> 
>    Regards,
>    Bill Herrin
> 
> 
>    --
>    William Herrin
>    bill at herrin.us
>    https://bill.herrin.us/
>    _______________________________________________
>    ARIN-Consult
>    You are receiving this message because you are subscribed to the ARIN
>    Consult Mailing List (ARIN-consult at arin.net).
>    Unsubscribe or manage your mailing list subscription at:
>    https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN
>    Member Services Help Desk at info at arin.net if you experience any issues.
