
Mitigating Credential Stuffing Attacks with IP Rotation: Strategies and Considerations 

This article covers effective strategies to fight credential-stuffing attacks using IP rotation. By Ibai Castells

Credential Stuffing Attacks with IP Rotation

Credential stuffing attacks are still a major threat to organizations worldwide. Attackers use automated tools to replay large lists of leaked username and password pairs against login endpoints, exploiting the fact that many people reuse the same credentials across multiple services. These attacks become significantly harder to detect when paired with IP rotation: each attempt arrives from a different source address, which defeats per-IP rate limiting and IP-based blocking and hides the true geographic origin of the attack. 

This article will cover effective strategies to fight credential-stuffing attacks using IP rotation. We will discuss user-agent-based detections, AWS API Gateway IP ranges, geofencing, multi-factor authentication (MFA), CAPTCHA, and advanced fingerprinting techniques. We will also cover the pros and cons of building in-house solutions versus using third-party tools for browser fingerprinting, as this solution has its intricacies due to data protection laws and modern browser technologies. 

User-Agent-Based Detections 

A simple way to spot malicious traffic is by checking the User-Agent (UA) strings in HTTP requests. Attackers often use automated tools with static or limited UA strings, which can be flagged as suspicious. 

  • Static or Suspicious UA Strings: Tools like cURL, Python HTTP libraries, or outdated browser versions tend to have UA strings that are easy to identify. 
  • Limited Diversity: Some automated tools don’t randomize UA strings effectively, so the same unusual string shows up across many requests and source IPs. 

Action: Monitor and block requests with known-bad or empty UA strings. Additionally, keeping track of unusual User-Agent strings across requests from different source IPs is one way to group requests from the same threat actor. Bear in mind that the UA header is entirely client-supplied and trivially spoofed, so treat it as a cheap grouping key and supporting signal rather than a control on its own. This touches on the idea of browser fingerprinting, which will be discussed in more detail later in this post. 
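The following is an added example (not code from the original post) of the two checks described above run over a handful of constructed access-log lines: bucketing each User-Agent as empty, known tool, browser, or unusual, and then finding non-browser UAs that appear from several distinct source IPs, which is the IP-rotation pattern worth reviewing. The log format, the tool-signature list and the browser heuristic are assumptions for illustration; a mainstream browser UA shared by many IPs is normal and is deliberately excluded.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real traffic): <client-ip> <timestamp> "<User-Agent>"
SAMPLE_LOG = [
    '203.0.113.10 2024-05-01T10:00:01Z "python-requests/2.31.0"',
    '203.0.113.11 2024-05-01T10:00:01Z "python-requests/2.31.0"',
    '203.0.113.12 2024-05-01T10:00:02Z "python-requests/2.31.0"',
    '203.0.113.13 2024-05-01T10:00:02Z "python-requests/2.31.0"',
    '203.0.113.14 2024-05-01T10:00:03Z "python-requests/2.31.0"',
    '198.51.100.7 2024-05-01T10:00:03Z "curl/8.4.0"',
    '198.51.100.7 2024-05-01T10:00:04Z ""',
    '192.0.2.5 2024-05-01T10:00:05Z "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"',
    '192.0.2.6 2024-05-01T10:00:06Z "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"',
    '192.0.2.7 2024-05-01T10:00:07Z "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"',
]

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<ua>.*)"$')

# Assumed list of default UA prefixes of common HTTP clients and libraries; extend from your own logs.
KNOWN_TOOL_UA = re.compile(
    r"^(curl|Wget|python-requests|python-urllib|Go-http-client|okhttp|libwww-perl|Java)/", re.I
)

# Rough heuristic for a mainstream browser UA; real browser UAs vary far more than this.
BROWSER_UA = re.compile(r"^Mozilla/5\.0 \(.*\).*(Chrome|Firefox|Safari|Edg)/\d", re.I)


def classify_ua(ua: str) -> str:
    """Bucket a User-Agent string as 'empty', 'known-tool', 'browser' or 'unusual'."""
    if not ua.strip():
        return "empty"
    if KNOWN_TOOL_UA.match(ua):
        return "known-tool"
    if BROWSER_UA.match(ua):
        return "browser"
    return "unusual"


def parse_line(line: str):
    """Split one log line into (ip, timestamp, user_agent); None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts"), m.group("ua")


def rotating_uas(lines, min_ips: int = 3):
    """Return {ua: sorted ips} for non-browser UAs seen from at least min_ips distinct source IPs.

    Per-IP counters never fire when every request comes from a fresh address; keying on the
    exact UA string instead makes the rotating IPs themselves the evidence.
    """
    ips_by_ua = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _ts, ua = parsed
        if classify_ua(ua) == "browser":
            continue  # shared browser UAs are expected; not a rotation signal by themselves
        ips_by_ua[ua].add(ip)
    return {ua: sorted(ips) for ua, ips in ips_by_ua.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    for ua, ips in rotating_uas(SAMPLE_LOG).items():
        print(f"[{classify_ua(ua)}] {ua!r} seen from {len(ips)} IPs: {', '.join(ips)}")
```

In the sample, only the python-requests UA is reported (five distinct IPs); the lone cURL request and the empty UA are classified but fall below the threshold, and the Chrome and Safari UAs are skipped as expected browser traffic.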

Leveraging AWS API Gateway IP Ranges 

Attackers often use AWS API Gateway for IP rotation because tools like Fireprox and Burp Suite’s IP Rotate extension make it quick to stand up a pass-through API Gateway endpoint in front of the target, so that each request egresses from a different AWS-owned IP address. 

AWS API Gateway IP Ranges

  • Publicly Available IP Ranges: AWS publishes its current IP ranges as a machine-readable JSON file (ip-ranges.json, linked from the AWS IP Address Ranges documentation), with each prefix tagged by region and service, including a dedicated API_GATEWAY service tag. 
  • Easy Identification: If your infrastructure doesn’t use AWS API Gateway, login traffic arriving from these prefixes can be flagged for further review or blocked. 

Action: Cross-check incoming IP addresses against the API_GATEWAY prefixes. If you do not use AWS API Gateway, consider blocking or applying stricter rules to these IPs. The published list changes frequently, so refresh it on a schedule rather than hard-coding it. 
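As an added example (not from the original post), the check above in Python: parse a file in the shape of AWS’s ip-ranges.json, keep only the prefixes tagged with the API_GATEWAY service, and triage a client IP against them. The JSON below is a constructed excerpt using documentation address space, not real AWS prefixes, and the `we_use_api_gateway` flag and the allow/review/block outcomes are assumptions standing in for your own policy.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The real file is large and changes often; these prefixes are RFC 5737/3849 documentation
# ranges used purely for illustration. As in the real file, one prefix can carry several
# service tags (here AMAZON and API_GATEWAY).
SAMPLE_IP_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2024-05-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "API_GATEWAY", "network_border_group": "us-east-1"},
    ],
})


def load_service_networks(raw_json: str, service: str = "API_GATEWAY"):
    """Return the IPv4 and IPv6 networks tagged with the given service in an ip-ranges.json document."""
    data = json.loads(raw_json)
    networks = []
    for entry in data.get("prefixes", []):
        if entry.get("service") == service:
            networks.append(ipaddress.ip_network(entry["ip_prefix"]))
    for entry in data.get("ipv6_prefixes", []):
        if entry.get("service") == service:
            networks.append(ipaddress.ip_network(entry["ipv6_prefix"]))
    return networks


def matching_network(ip: str, networks):
    """Return the first network containing ip, or None. Linear scan is fine for a demo;
    the real list has thousands of prefixes, so use a radix tree or a WAF IP set in production."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def triage_login(ip: str, networks, we_use_api_gateway: bool = False) -> str:
    """Assumed policy: 'allow' if the IP is outside API Gateway space; otherwise 'block' when we
    have no legitimate API Gateway traffic of our own, or 'review' when we do and a block could
    hit our own integrations."""
    if matching_network(ip, networks) is None:
        return "allow"
    return "review" if we_use_api_gateway else "block"


if __name__ == "__main__":
    nets = load_service_networks(SAMPLE_IP_RANGES_JSON)
    for client_ip in ("203.0.113.45", "198.51.100.9", "2001:db8:1::1"):
        print(client_ip, "->", triage_login(client_ip, nets))
```

In a real deployment the JSON would be fetched from the AWS URL on a schedule and the resulting prefixes pushed to the edge (WAF, reverse proxy or rate limiter) so the decision is made before the request reaches the login handler.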

Geofencing: Restricting Logins to Expected Countries 

Geofencing restricts access to your services based on geographic location. 

  • Allowlisting Trusted Countries: Only allow access from countries where your legitimate users are located and where you offer services. Ensure that employees are still able to perform their tasks if they are based in remote locations. 
  • Blocking High-Risk Regions: Deny or closely monitor traffic from regions where you have no users or customers and which your own threat intelligence and logs associate with attack traffic. 

Considerations: 

  • Bypass Potential: Attackers can use VPNs or cloud services to make it look like they’re in trusted locations. 
  • Impact on Users: Make sure legitimate users who travel or live in blocked regions have other ways to access your services. 

Action: Use geofencing as one layer of your security approach, but don’t rely on it alone. 

MFA and CAPTCHA: Adding Layers of Verification 

Multi-Factor Authentication (MFA) 

MFA adds an extra layer of security by requiring users to provide multiple forms of verification before they can access their accounts. 

  • Mitigates Credential Reuse: Even if attackers get hold of valid credentials, they can’t log in without the second factor. Avoid SMS-based MFA where you can: SS7 interception and SIM swapping are still viable, and a highly motivated threat actor with a healthy wallet will still have the pay-to-win option if they need to bypass MFA. Prefer phishing-resistant factors such as FIDO2/WebAuthn for sensitive accounts. 
  • Time for Response: A second-factor prompt that appears only after a correct password still tells the attacker that the password was valid, so MFA limits what a successful stuffing run is worth rather than stopping the run itself. It does give you a window to detect and stop unauthorized attempts, and a spike in MFA prompts that are never completed is itself a strong signal of a stuffing campaign. 

Action: Enforce MFA, especially for sensitive accounts or admin access. 

CAPTCHA Challenges 

CAPTCHAs are used to stop automated logins by requiring human verification. 

  • Smart Triggering: Trigger CAPTCHAs when you see unusual activity, like multiple failed login attempts or logins from new devices. 
  • Complementary Tool: Works well alongside other methods like browser fingerprinting. 

Action: Use adaptive (risk-triggered) CAPTCHAs to reduce user friction while stopping automated attacks. Keep in mind that CAPTCHA-solving services and capable bots defeat most challenges for a small per-solve fee, so a CAPTCHA raises the attacker’s cost per attempt rather than eliminating automation. 

Browser and Device Fingerprinting 

When attackers use IP rotation, traditional IP-based tracking becomes less effective. Fingerprinting instead tracks clients based on the combined characteristics of their device or browser. This gives more flexibility and visibility into the clients accessing your application, but it comes with complexity: data-protection regulations apply, and modern browsers ship privacy features (which we all love) that deliberately reduce fingerprint entropy, a double-edged sword when defending your assets. 

How Fingerprinting Works 

  • Attribute Collection: Gathers info like user-agent strings, installed plugins, screen resolution, time zone, language settings, and hardware data. 
  • Unique Identifier Generation: Combines these attributes to create a unique fingerprint ID for each device or browser session. 
  • Persistent Identification: Follows a client across IP changes for as long as its attributes stay stable. Identical setups, or privacy-hardened browsers that normalize their attributes, can collide, so a fingerprint is a probabilistic identifier rather than an identity. 

Mitigating IP Rotation with Fingerprinting 

  • Correlate Events: Spot multiple login attempts from the same fingerprint ID, even if the IP addresses differ. 
  • Behavioral Analysis: Detect patterns that suggest credential stuffing, like rapid logins across several accounts. 

Action: Integrate fingerprinting into your security systems for better detection and response. 
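The following is an added example (not code from the original post) that ties the two previous sections together: a stable fingerprint ID derived from collected attributes, and a sliding-window detector that flags any fingerprint trying many distinct accounts from many distinct IPs. The attribute sets, login events and thresholds are constructed for illustration; in a real deployment the attributes would be collected client-side and the ID computed server-side from them, never accepted from the client.

```python
import hashlib
import json
from collections import defaultdict, deque
from datetime import datetime


def fingerprint_id(attrs: dict) -> str:
    """Derive a stable ID from collected browser/device attributes.

    Canonical JSON (sorted keys, no whitespace) so attribute order never changes the hash.
    Compute this on the server from the raw attributes; a client-chosen ID is attacker-controlled.
    """
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


# Constructed attribute sets (not real clients). The attacker's tool reports identical
# attributes on every request while rotating IPs, which is what makes the rotation visible.
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
ATTACKER = {"ua": CHROME_UA, "screen": "1920x1080", "tz": "UTC", "lang": "en-US", "plugins": [], "cores": 4}
ALICE = {"ua": CHROME_UA, "screen": "1440x900", "tz": "Europe/Madrid", "lang": "es-ES", "plugins": ["PDF Viewer"], "cores": 8}

ATTACKER_FP = fingerprint_id(ATTACKER)
ALICE_FP = fingerprint_id(ALICE)

# Constructed login events: (timestamp, source_ip, fingerprint_id, username, succeeded)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00Z", "203.0.113.10", ATTACKER_FP, "alice", False),
    ("2024-05-01T10:00:02Z", "203.0.113.11", ATTACKER_FP, "bob", False),
    ("2024-05-01T10:00:04Z", "203.0.113.12", ATTACKER_FP, "carol", False),
    ("2024-05-01T10:00:06Z", "203.0.113.13", ATTACKER_FP, "dave", True),
    ("2024-05-01T10:00:08Z", "203.0.113.14", ATTACKER_FP, "erin", False),
    ("2024-05-01T10:00:10Z", "203.0.113.15", ATTACKER_FP, "frank", False),
    ("2024-05-01T10:01:00Z", "192.0.2.5", ALICE_FP, "alice", False),   # typo, then success
    ("2024-05-01T10:01:20Z", "192.0.2.5", ALICE_FP, "alice", True),
]


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_stuffing(events, window_seconds: int = 300, min_accounts: int = 5, min_ips: int = 3):
    """Flag fingerprints that attempted >= min_accounts distinct usernames from >= min_ips
    distinct IPs inside any sliding window of window_seconds.

    Per-IP counters never trip under IP rotation; keying the window on the fingerprint
    instead turns the rotating IPs into evidence. Returns {fingerprint: summary}.
    """
    recent = defaultdict(deque)  # fingerprint -> deque of (ts, ip, user) inside the window
    flagged = {}
    for ts_str, ip, fp, user, _ok in sorted(events, key=lambda e: e[0]):
        ts = _parse_ts(ts_str)
        window = recent[fp]
        window.append((ts, ip, user))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()  # drop attempts that fell out of the window
        users = {u for _, _, u in window}
        ips = {i for _, i, _ in window}
        if len(users) >= min_accounts and len(ips) >= min_ips:
            flagged[fp] = {"accounts": len(users), "ips": len(ips), "last_seen": ts_str}
    return flagged


if __name__ == "__main__":
    for fp, info in detect_stuffing(SAMPLE_EVENTS).items():
        print(f"fingerprint {fp}: {info['accounts']} accounts from {info['ips']} IPs (last {info['last_seen']})")
```

Only the attacker’s fingerprint is flagged here; Alice’s two attempts against her own account from one IP stay well under both thresholds. The fingerprint attributes are just as attacker-controlled as the User-Agent, so a tool that randomizes them per request will split into many one-off fingerprints; watching for an unusually high rate of never-seen-before fingerprints hitting the login endpoint is the complementary signal, and the thresholds above need tuning against your own baseline before they drive blocking rather than review.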

Building In-House vs. Third-Party Solutions 

Building In-House 

Risks and Considerations: 

    • Technical Challenges: Browsers are adding more privacy features that interfere with fingerprinting, such as reduced User-Agent detail, randomized canvas and audio output, and rounded screen dimensions. 
    • Evolving Landscape: Frequent updates are needed to keep up with browser changes. 
    • Regulatory Compliance: You must deal with data privacy laws like GDPR and CCPA, which might require user consent. 
    • Resource Intensive: Building and maintaining these systems requires significant effort. 

When It Makes Sense: 

    • Unique Requirements: You have specific needs that off-the-shelf solutions don’t cover. 
    • Control Over Data: You need to manage all data internally for policy or regulatory reasons. 
    • Long-Term Strategy: You want to build internal expertise and reduce reliance on external vendors. 

Third-Party Solutions 

Benefits: 

    • Efficiency and Speed: Faster to deploy compared to building something from scratch. 
    • Expertise: You get access to specialized knowledge and ongoing development. 
    • Cost-Effective: Reduces the need for extensive in-house resources. 
    • Compliance Support: Vendors often help with legal and regulatory compliance. 

Options: 

    • FingerprintJS Pro: A commercial service offering advanced fingerprinting with regular updates. 
    • CreepJS: An open-source tool useful for education, though not recommended for production use. 

Considerations: 

      • Subscription Costs: You’ll pay ongoing fees for commercial services. 
      • Data Trust: You’re relying on third parties to handle sensitive data. 

Hybrid Approach 

    • Immediate Security: Use a third-party tool like FingerprintJS Pro for quick protection. 
    • Parallel Development: Start building your in-house solution to eventually replace the third-party tool. 
    • Evaluation Period: Assess both solutions over time to see which fits best. 

Conclusion 

Credential stuffing attacks combined with IP rotation are complex threats, but they can be tackled with a multi-layered approach. Organizations can significantly improve their security by using user-agent analysis, IP range filtering, geofencing, MFA, CAPTCHA, and advanced fingerprinting. 

Whether you choose to build your solution or use third-party tools depends on your needs and resources. A hybrid approach can offer flexibility and help you adapt as your needs change.  

Success in combating these types of attacks requires careful planning, expertise, and constant monitoring. Staying proactive will help you protect your organization and users from these evolving attacks. Most importantly, as all of us involved in this industry know – cybersecurity is constantly evolving, and we must evolve with it. Creativity is one of the most powerful tools we have as humans, and applying it in these situations to create new solutions is a great way to defend our cyber estate.