Brute Force Attack in Cassandra
How Brute Force Attack Manifests in Cassandra
In Apache Cassandra, a brute force attack most commonly targets the authentication layer. When a client connects over the native protocol (port 9042), the authenticator component validates credentials. If the PasswordAuthenticator is used without throttling controls, an attacker can submit millions of username/password guesses in a short time, limited only by network latency and the server’s ability to process authentication requests.
The relevant code path resides in org.apache.cassandra.auth.PasswordAuthenticator. On each connection attempt, the method authenticate(IAuthenticator auth, String username, ByteBuffer password) is invoked. Successful authentication proceeds to session creation; a failed attempt simply returns false. Without a built‑in delay or account lockout, the loop can repeat rapidly, enabling credential stuffing or password guessing attacks.
This pattern maps to OWASP API Security Top 10 2023 A2: Broken Authentication and has been observed in the wild, for example in CVE‑2020-13925 where malformed credentials could bypass checks, highlighting the importance of strong authentication controls.
# Example of a vulnerable cassandra.yaml snippet (no throttling)
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager
# missing login_attempts_throttle_ms and credentials_validity_in_ms settingsCassandra-Specific Detection
middleBrick can detect missing brute‑force mitigations by scanning the HTTP API that fronts your Cassandra cluster (e.g., DataStax Astra DB REST API or a custom gateway). Because the scan is unauthenticated and black‑box, it probes the authentication endpoint and measures the server’s response to rapid failed login attempts.
The scanner runs the following relevant checks in parallel:
- Authentication – verifies whether the endpoint requires valid credentials and whether error messages leak useful information (e.g., distinguishing "unknown user" from "wrong password").
- Rate Limiting – measures if the service imposes any delay or throttling after successive authentication failures.
- Data Exposure – checks for verbose error messages that could aid an attacker in refining guesses.
If the service returns identical rapid responses for each failed attempt without increasing latency or HTTP 429 responses, middleBrick flags a high‑severity finding under the Authentication category, noting the absence of login attempt throttling.
Example CLI usage:
middlebrick scan https://api.example.com/v1/keyspaces
The resulting JSON report (excerpt) might look like:
{
"findings": [
{
"check": "Authentication",
"severity": "high",
"description": "No detectable delay or lockout after failed login attempts; enables brute force credential guessing.",
"remediation": "Configure login_attempts_throttle_ms and credentials_validity_in_ms in cassandra.yaml; enable audit logging."
}
]
}
The Dashboard displays the same finding with a trend line, allowing you to see whether a configuration change has improved the score over time.
Cassandra-Specific Remediation
To mitigate brute force attacks on Cassandra, apply the following native controls:
- Enable and tighten authentication – ensure
authenticatoris set toPasswordAuthenticator(or an external LDAP/Kerberos plugin) andauthorizertoCassandraAuthorizer. - Introduce login throttling – add
login_attempts_throttle_ms(e.g., 2000) to impose a fixed delay after each failed attempt, and setcredentials_validity_in_msto0to prevent caching of valid credentials that could be reused. - Use role‑based access control (RBAC) – create roles with the minimum required privileges and avoid granting superuser rights to application accounts.
- Enable audit logging – set
audit_logging_optionsincassandra.yamlto captureAUTH_ATTEMPTevents; monitor for spikes in failed attempts. - Enforce strong password policy – if using PasswordAuthenticator, integrate with an external LDAP directory that enforces length, complexity, and rotation, or use the
system_authtable to store passwords with a salted hash (default) and require regular rotation via application logic.
Configuration example:
# cassandra.yaml
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager
credentials_validity_in_ms: 0
login_attempts_throttle_ms: 2000 # 2‑second delay after each failed auth
audit_logging_options:
enabled: true
included_categories: AUTH, DDL, DML
excluded_keyspaces: system_auth, system_distributed, system_schema, system_traces, system_views
After editing the file, reload the configuration on each node:
nodetool reloadtriggers
nodetool refreshsystem_auth
# or simply restart the node if preferred
Application‑side example using the DataStax Java driver:
import com.datastax.oss.driver.api.core.CqlSessionBuilder;
import com.datastax.oss.driver.api.core.auth.PlainTextAuthProvider;
PlainTextAuthProvider authProvider = new PlainTextAuthProvider("app_user", "StrongP@ssw0rd!");
CqlSession session = CqlSession.builder()
.addContactPoint(new InetSocketAddress("cassandra-node1.example.com", 9042))
.withLocalDatacenter("datacenter1")
.withAuthProvider(authProvider)
.build();
// Use session for CQL queries...
session.close();
With these controls in place, a brute force attempt will encounter a configurable delay after each failed login, greatly increasing the time required to guess credentials and allowing audit logs to trigger alerts before an attacker succeeds.