10 Tips To Stop Credential Stuffing Attacks

10 steps you should take before buying an anti-automation service (+ 1 bonus tip).

1. Use a CAPTCHA

2. Rate limit non-residential ASNs

You shouldn’t be seeing major portions of traffic from AWS, Digital Ocean, or obscure Russian cloud hosting providers. You designed your site for humans, not machines, so block traffic originating from service providers that don’t cater overwhelmingly to humans.

3. Rate limit header fingerprints of attack tools

4. Block or track headless browsers

5. Require JavaScript on your site

This is a basic, low hurdle, but requiring attackers to run JavaScript or use a real browser demands more CPU power and more full-featured services, which increases their cost.

6. Fingerprint your clients

One way to require JavaScript is to block requests to protected URLs that don’t include collected client-side data. You can use a fingerprinting library like Fingerprint2 to get started collecting client-side telemetry. With this data you can see patterns in traffic that you might otherwise overlook because the traffic is globally distributed. Looking at IP addresses alone is not enough; you need to map client similarities across large slices of traffic to find attackers who are distributing the traffic of a small set of clients across hundreds of thousands of IP addresses.

7. Offer Multi-Factor Authentication

8. Track your login success ratio

Now that you have more data points to look into because you are tracking client and header data, you need to configure alerts on the login success ratio for the fingerprints you are tracking. You will never have legitimate traffic with a login success ratio of 0.1–10%, but credential stuffers will. Attackers running credential stuffing campaigns will be using massive credential lists (combo lists) and their hit rate is going to be close to 0%. Login success ratios that low are a massive warning sign that something is amiss.
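The sketch below is an added example, not code from the original article. It computes the login success ratio from tips 6 and 8 twice over the same constructed events, once grouped by IP and once by client fingerprint; the event field names, the `MIN_ATTEMPTS` volume floor and the sample data are assumptions.

```python
from collections import defaultdict

MIN_ATTEMPTS = 50         # assumption: ignore groups too small to judge
MAX_SUCCESS_RATIO = 0.10  # upper end of the 0.1-10% range given in the article

def success_ratios(events, key):
    """Group login events by `key`; return {value: (attempts, success_ratio)}."""
    stats = defaultdict(lambda: [0, 0])  # value -> [attempts, successes]
    for ev in events:
        entry = stats[ev[key]]
        entry[0] += 1
        entry[1] += ev["success"]  # True counts as 1, False as 0
    return {k: (a, ok / a) for k, (a, ok) in stats.items()}

def suspicious(events, key):
    """Sorted key values with enough volume and a success ratio at or below the threshold."""
    ratios = success_ratios(events, key)
    return sorted(k for k, (attempts, ratio) in ratios.items()
                  if attempts >= MIN_ATTEMPTS and ratio <= MAX_SUCCESS_RATIO)

def sample_events():
    """Constructed data: one tool fingerprint spread over 400 IPs, plus ordinary users."""
    events = []
    # Credential stuffing: 400 attempts, one per IP, 4 hits (1% success).
    for i in range(400):
        events.append({"ip": f"10.0.{i // 200}.{i % 200}",
                       "fingerprint": "fp-bot-tool",
                       "success": i % 100 == 0})
    # Ordinary users: 100 IPs, three common browser fingerprints, ~85% success.
    browsers = ["fp-chrome", "fp-safari", "fp-firefox"]
    for i in range(300):
        events.append({"ip": f"192.168.1.{i % 100}",
                       "fingerprint": browsers[i % 3],
                       "success": i % 7 != 0})
    return events

if __name__ == "__main__":
    events = sample_events()
    print("flagged by IP:         ", suspicious(events, "ip"))
    print("flagged by fingerprint:", suspicious(events, "fingerprint"))
```

Grouped by IP, no address reaches the volume floor, so nothing is flagged; grouped by fingerprint, the distributed client stands out at a 1% success ratio.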

9. Check your users’ passwords against Pwned Passwords

Pwned Passwords is Troy Hunt’s service leveraging data from Have I Been Pwned. This won’t relieve the traffic burden of credential stuffing attacks against your service, but it will help against account takeovers. Note, though, that Pwned Passwords and any other dark web password service can only take into account publicly exposed dark web credentials; it can’t protect against fresh credential spills that haven’t found their way onto the dark web yet. Recent credential spills have the freshest data and the most value, and the sophisticated attackers who breach them hold onto the spills until they’ve extracted all the value they can. Only then is the data passed around on the dark web.

10. Consult with experts

This is not an easy problem. There are a couple dozen companies offering solutions and many more in the past who have failed. The problem looks simple and attractive enough to take on with a part-time team, but it ends up consuming more resources than expected with every single company I have spoken to. If you’ve gotten this far and are still stuck, then reach out to the experts. If you like what I have to say, then you can contact me via my contact page on jarrodoverson.com or on Twitter at @jsoverson. I work for Shape Security and we’ve been at this game for the better part of a decade.

Bonus tip: Don’t fall for the charts.



I write about JavaScript, Reverse Engineering, Security, and Credential Stuffing. Also a speaker, O'Reilly Author, creator of Plato, Director at Shape Security.

Jarrod Overson
