Difficulty: Intermediate · Read time: 10 min

Your Login Endpoint Is Being Tested Right Now. Your Rate Limiter Thinks It's Fine.

By Codcompass Team · 10 min read

Architecting Defenses Against Low-Velocity Credential Stuffing

Current Situation Analysis

Authentication security has historically been optimized for a single assumption: attackers operate with urgency. Traditional controls—per-IP rate limiting, account lockouts after N failures, velocity-based anomaly detection, and CAPTCHA challenges on failed attempts—are all tuned to interrupt high-volume, rapid-fire traffic. They assume the adversary wants to test thousands of credentials in minutes, not days.

That assumption no longer matches operational reality. Credential stuffing has evolved into low-velocity distributed testing. Threat actors lease thousands of residential proxy endpoints, rotate user agents, and pace requests to mimic organic human behavior. Attempts are deliberately spaced across 48–168 hour windows, with each IP submitting one or two requests before rotating. The traffic profile shifts from a single endpoint under heavy load to a distributed probe in which no individual IP or account ever crosses a threshold.

The consequence is a silent detection gap. In a documented incident involving a mid-tier SaaS platform, 2.3 million credential pairs were tested against the authentication endpoint over a 47-day period. The platform had standard rate limiting, CAPTCHA on failure, and a 10-attempt lockout policy. Zero lockouts triggered. Zero CAPTCHAs were served. Zero SIEM alerts fired. The infrastructure recorded a moderate increase in failed logins, diverse residential IP ranges, and timing patterns that fell within normal variance. To every monitoring system, it looked like background noise.

This gap exists because most telemetry pipelines aggregate events at the entity level (per-IP or per-account). They lack population-level correlation. When an attacker distributes 50,000 credentials across 50,000 distinct residential IPs over three days, no single IP exceeds a threshold, no single account receives multiple failures, and no velocity spike appears in time-series dashboards. The defense architecture is structurally blind to the attack because it was never designed to correlate sparse, distributed signals into a coherent threat pattern.

The credential supply chain accelerates the problem. Breached datasets are parsed, deduplicated, and validated against high-value targets within weeks of initial compromise. Untested pairs are sold in bulk to initial access brokers, who immediately deploy them against secondary targets. Users frequently reuse passwords across unrelated services, so a breach at a low-security forum can directly compromise an enterprise SaaS account. The attacker does not need to break your cryptography; they only need one password, leaked elsewhere, that is still valid on your service.

WOW Moment: Key Findings

The fundamental shift in credential stuffing defense is moving from entity-level throttling to population-level correlation. Traditional controls measure individual behavior against fixed thresholds. Low-velocity attacks exploit the mathematical gap between individual compliance and collective anomaly.

| Control Mechanism | Trigger Condition | Low-Velocity Attack Behavior | Detection Outcome |
|---|---|---|---|
| Per-IP Rate Limiting | >N requests from a single IP in window T | 1–2 requests per residential IP, rotated every 24h | Never triggered |
| Account Lockout | N consecutive failures per account | 1 attempt per account; it succeeds or fails once | Never triggered |
| Velocity Anomaly Detection | Request volume exceeds baseline by k standard deviations | Requests spread across 72h, within organic variance | Never triggered |
| CAPTCHA on Failure | Nth failed attempt from one IP or account | Each IP and each account fails at most once; failures never accumulate on a single entity | Never served |
| Population Correlation | Distinct accounts × distinct IPs in a sliding window | 800+ accounts, 1–2 attempts each, from unique IPs within 24h | Triggered |

This finding matters because it redefines what constitutes a successful defense. Locking accounts or serving CAPTCHAs after failure is reactive and often too late. The attacker's goal is not to brute-force a single account; it is to validate a credential corpus at scale. When the password is correct, traditional failure-based controls are irrelevant. Detection must shift to contextual validation of successful sessions and population-level pattern recognition of login attempts.
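As an added example for the table above (code written for this page, not from the original article or from the platform in the incident it describes), the following Python simulates one day of constructed login traffic, 300 organic users plus a run of 1,000 credentials tested one per account from unique proxy IPs, and evaluates three controls over it: a per-IP rate limiter, an N-failure account lockout, and the population-level correlation that Step 1 below describes. The thresholds (20 requests per minute per IP, 10 consecutive failures, 800 probed accounts at 90% failure dispersion), the IP ranges, and the failure rates are assumptions chosen for the illustration.

```python
"""Entity-level thresholds vs. population-level correlation on a constructed
low-velocity credential-stuffing run. Example code written for this page;
all traffic is synthetic (seeded PRNG), not real telemetry."""
import random
from bisect import bisect_right
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

DAY = 86_400  # seconds


@dataclass(frozen=True)
class LoginEvent:
    ts: int        # unix seconds
    ip: str
    account: str
    success: bool


def make_traffic(seed: int = 1, attacker_accounts: int = 1000) -> list[LoginEvent]:
    """Constructed 24h of logins: 300 organic users plus a stuffing run that
    sends one attempt per account, each from a fresh proxy IP, paced over the day."""
    rnd = random.Random(seed)
    events = []
    for u in range(300):
        ip = f"198.51.100.{u % 250}"           # stable home IP (RFC 5737 test range)
        for _ in range(rnd.randint(1, 3)):
            ts = rnd.randrange(DAY)
            if rnd.random() < 0.05:            # typo, then an immediate retry from the same IP
                events.append(LoginEvent(ts, ip, f"user{u}", False))
                events.append(LoginEvent(ts + 30, ip, f"user{u}", True))
            else:
                events.append(LoginEvent(ts, ip, f"user{u}", True))
    for i in range(attacker_accounts):
        ip = f"100.64.{i // 250}.{i % 250}"     # a unique (constructed) proxy exit per attempt
        ts = (i * DAY) // attacker_accounts + rnd.randrange(60)
        valid = rnd.random() < 0.02            # assumed: ~2% of breached pairs still work
        events.append(LoginEvent(ts, ip, f"user{rnd.randrange(20_000)}", valid))
    events.sort(key=lambda e: e.ts)
    return events


def per_ip_rate_limit(events, max_requests=20, window_s=60) -> set[str]:
    """Traditional limiter: block an IP exceeding max_requests in window_s."""
    recent, blocked = defaultdict(deque), set()
    for e in events:                           # events are time-sorted
        q = recent[e.ip]
        q.append(e.ts)
        while q[0] <= e.ts - window_s:
            q.popleft()
        if len(q) > max_requests:
            blocked.add(e.ip)
    return blocked


def account_lockout(events, max_failures=10) -> set[str]:
    """Lock an account after max_failures consecutive failures."""
    streak, locked = Counter(), set()
    for e in events:
        streak[e.account] = 0 if e.success else streak[e.account] + 1
        if streak[e.account] >= max_failures:
            locked.add(e.account)
    return locked


def population_correlation(events, window_s=DAY, step_s=3600,
                           min_accounts=800, min_dispersion=0.9) -> list[dict]:
    """Slide a window over the whole population and ask a different question:
    how many distinct accounts got a failed attempt from an IP that made exactly
    one request in the window, and what share of all failures came from such
    one-shot IPs? Organic failures retry from the same IP and rarely qualify;
    a distributed stuffing run consists of almost nothing else."""
    if not events:
        return []
    ts = [e.ts for e in events]
    alerts, t = [], events[0].ts + window_s
    while t <= events[-1].ts + step_s:
        win = events[bisect_right(ts, t - window_s):bisect_right(ts, t)]
        one_shot = {ip for ip, n in Counter(e.ip for e in win).items() if n == 1}
        failures = [e for e in win if not e.success]
        sparse = [e for e in failures if e.ip in one_shot]
        dispersion = len(sparse) / len(failures) if failures else 0.0
        probed = {e.account for e in sparse}
        if len(probed) >= min_accounts and dispersion >= min_dispersion:
            alerts.append({"window_end": t, "probed_accounts": len(probed),
                           "failure_dispersion": round(dispersion, 3)})
        t += step_s
    return alerts


if __name__ == "__main__":
    traffic = make_traffic()
    print("per-IP blocks:", len(per_ip_rate_limit(traffic)))       # 0
    print("account lockouts:", len(account_lockout(traffic)))      # 0
    print("population alerts:", population_correlation(traffic)[:1])
```

Run as a script, the two entity-level controls report zero hits on the same traffic that the population correlator flags from its first 24-hour window, which is the gap the table describes. The dispersion metric is the important design choice: it does not care how many failures occurred, only how they are spread across source IPs, so pacing the attack more slowly does not help the attacker. In production the account-count threshold should be derived from your own baseline rather than fixed at 800, and both conditions should be held together, since a single large customer behind a shared egress or a bot-driven password-reset campaign can move one metric without the other.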

Core Solution

Defending against low-velocity credential stuffing requires a three-layer architecture: population-level event correlation, contextual session validation, and adaptive friction. The implementation replaces threshold-based blocking with risk-scoring and step-up authentication.

Step 1: Population-Level Correlation Engine

Instead of tracking individual IPs or accounts, aggregate login attempts into a sliding window that measures cross-entity distribution. The goal is to detec
