Credential stuffing — replaying leaked username/password pairs at scale — is one of the most common attacks on login endpoints. Here's how to detect and stop it without locking out real users.
What the attack looks like
Attackers take credential dumps and automate login attempts across many accounts, usually distributing requests across proxies to dodge per-IP limits. Most attempts fail; the few that succeed lead to account takeover.
Detection signals
- Velocity: many login attempts across accounts from one fingerprint or ASN — even when IPs rotate.
- Network fingerprint: a JA4 fingerprint of the TLS or QUIC client hello that matches an automation stack rather than a real browser, regardless of what the User-Agent header claims. See JA4 explained.
- IP intelligence: datacenter/proxy/VPN exits and bad-reputation ASNs.
- Failure patterns: a failed-login ratio far above the site's baseline, typically with one attempt per username across many usernames (stuffing tests a list of pairs, unlike brute force, which hammers one account).
Why per-IP rate limiting fails
Attackers spread traffic across residential proxy networks, so each request arrives from a "new" IP and a per-IP counter never trips. Rate-limit by fingerprint and by ASN/prefix instead, and treat those limits as a signal rather than an automatic hard block: a single ASN or prefix can also be a carrier NAT or corporate egress shared by many real users, so pair the limit with step-up verification. See rate-limiting strategies.
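The detection signals above and the keying change just described, as an added example run over constructed login events (this is not detectip.ai's code). The same events are aggregated four ways: per IP, per /24 prefix, per ASN and per JA4 fingerprint, counting attempts, failures and distinct target usernames in a time window. The JA4 strings, IP addresses (RFC 5737 documentation ranges), ASNs (RFC 5398 documentation range) and the flagging thresholds are all made up for the illustration.

```python
"""Velocity detection for credential stuffing, keyed by something other than IP.

Added example, not detectip.ai's code. All sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Callable, Dict, Iterable, List, Set, Tuple

# (timestamp_s, src_ip, asn, ja4, username, success) -- constructed, not real traffic
Event = Tuple[int, str, int, str, str, bool]

JA4_BOT = "t13d190900_9dc949149365_97f8aa674fd9"      # constructed: minimal TLS stack
JA4_BROWSER = "t13d1516h2_8daaf6152771_b0da82dd1658"  # constructed: browser-like

SAMPLE_EVENTS: List[Event] = [
    # Stuffing burst: every request from a "new" IP, but the same TLS stack and ASN.
    (0, "198.51.100.10",  64496, JA4_BOT, "alice", False),
    (1, "203.0.113.5",    64496, JA4_BOT, "bob",   False),
    (2, "198.51.100.77",  64496, JA4_BOT, "carol", False),
    (3, "203.0.113.200",  64496, JA4_BOT, "dave",  True),   # the one hit: account takeover
    (4, "198.51.100.150", 64496, JA4_BOT, "erin",  False),
    (5, "203.0.113.33",   64496, JA4_BOT, "frank", False),
    (6, "198.51.100.201", 64496, JA4_BOT, "grace", False),
    (7, "203.0.113.91",   64496, JA4_BOT, "heidi", False),
    # Legitimate user who mistypes once, then signs in (and again later).
    (2,  "192.0.2.200", 64511, JA4_BROWSER, "alice", False),
    (9,  "192.0.2.200", 64511, JA4_BROWSER, "alice", True),
    (40, "192.0.2.200", 64511, JA4_BROWSER, "alice", True),
]


@dataclass
class KeyStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


# Grouping keys. Per-IP is the baseline that rotating proxies defeat.
def by_ip(e: Event) -> str:
    return e[1]

def by_prefix24(e: Event) -> str:
    return str(ip_network(f"{e[1]}/24", strict=False))

def by_asn(e: Event) -> str:
    return f"AS{e[2]}"

def by_ja4(e: Event) -> str:
    return e[3]


def aggregate(events: Iterable[Event], key_fn: Callable[[Event], str],
              window_start: int = 0, window_s: int = 60) -> Dict[str, KeyStats]:
    """Count attempts, failures and distinct target accounts per key within one window."""
    stats: Dict[str, KeyStats] = defaultdict(KeyStats)
    for e in events:
        ts, _, _, _, user, ok = e
        if not (window_start <= ts < window_start + window_s):
            continue
        s = stats[key_fn(e)]
        s.attempts += 1
        s.failures += 0 if ok else 1
        s.users.add(user)
    return dict(stats)


def flag(stats: Dict[str, KeyStats], min_attempts: int = 4, min_users: int = 3,
         min_failure_ratio: float = 0.5) -> Set[str]:
    """Keys that look like stuffing: volume, many distinct accounts, mostly failures.
    Thresholds are illustrative; tune them against your own login baseline."""
    return {k for k, s in stats.items()
            if s.attempts >= min_attempts
            and len(s.users) >= min_users
            and s.failure_ratio >= min_failure_ratio}


def detect(events: Iterable[Event], key_fn: Callable[[Event], str]) -> Set[str]:
    return flag(aggregate(events, key_fn))


if __name__ == "__main__":
    for name, fn in (("ip", by_ip), ("/24", by_prefix24), ("asn", by_asn), ("ja4", by_ja4)):
        print(f"{name:>4}: flagged {sorted(detect(SAMPLE_EVENTS, fn)) or 'nothing'}")
```

Per-IP aggregation sees eight unrelated single attempts and flags nothing; per-JA4 and per-ASN aggregation each collapse the burst into one key with eight distinct usernames and a 7/8 failure ratio, while the legitimate user's fingerprint (one username, one failure in three) stays below every threshold. The /24 keying catches the two attacker prefixes here because the constructed burst only uses two of them; a real residential proxy pool spans far more prefixes, which is why fingerprint and ASN keys are the more robust choice.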
Response playbook
- High confidence bot: block or hard-throttle the login attempt.
- Medium risk: step up with a silent challenge or 2FA.
- Compromised credentials detected: force reset and notify.
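The three-tier playbook above as one per-attempt decision function, added here as an example and not detectip.ai's code. The signal names, weights and score thresholds are assumptions chosen for illustration; the structure is the point: the risk verdict runs before the password is checked, a high-confidence bot never reaches the password check, a medium-risk attempt is held until a challenge passes, and a correct password that matches a known-leaked pair still ends in a forced reset.

```python
"""Tiered response for a single login attempt.

Added example, not detectip.ai's code; signal names, weights and thresholds are
illustrative assumptions, not a published scoring model.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ALLOW, STEP_UP, BLOCK, FORCE_RESET, FAILED = "allow", "step_up", "block", "force_reset", "failed"


@dataclass(frozen=True)
class Signals:
    velocity_flagged: bool      # many accounts from one fingerprint/ASN in the window
    browser_like_ja4: bool      # TLS/QUIC fingerprint matches a real browser
    hosting_or_proxy_ip: bool   # datacenter / proxy / VPN exit
    bad_reputation_asn: bool


def pre_auth_verdict(s: Signals) -> Tuple[str, int, List[str]]:
    """Score the attempt before touching the password; return (action, score, reasons).

    Reasons are kept so the verdict is explainable in logs and to support staff."""
    score, reasons = 0, []
    if s.velocity_flagged:
        score += 60; reasons.append("velocity: many accounts from one fingerprint/ASN")
    if not s.browser_like_ja4:
        score += 25; reasons.append("ja4: automation stack, not a browser")
    if s.hosting_or_proxy_ip:
        score += 20; reasons.append("ip: datacenter/proxy/VPN exit")
    if s.bad_reputation_asn:
        score += 15; reasons.append("asn: bad reputation")
    # Illustrative cut-offs: >=70 high-confidence bot, >=30 medium risk.
    action = BLOCK if score >= 70 else STEP_UP if score >= 30 else ALLOW
    return action, score, reasons


def handle_login(s: Signals, password_ok: bool, credential_in_breach: bool,
                 challenge_passed: bool = False) -> Dict[str, object]:
    """Apply the playbook: block / step up / verify password / force reset."""
    action, score, reasons = pre_auth_verdict(s)
    result: Dict[str, object] = {"score": score, "reasons": reasons}
    if action == BLOCK:
        # Hard-throttle or block without evaluating the password at all.
        result["action"] = BLOCK
    elif action == STEP_UP and not challenge_passed:
        # Silent challenge or 2FA first; the password is only checked once it passes.
        result["action"] = STEP_UP
    elif not password_ok:
        result["action"] = FAILED
    elif credential_in_breach:
        # Correct password, but the pair is in a known dump: reset and notify.
        result["action"] = FORCE_RESET
        result["notify_user"] = True
    else:
        result["action"] = ALLOW
    return result


if __name__ == "__main__":
    bot = Signals(velocity_flagged=True, browser_like_ja4=False, hosting_or_proxy_ip=True, bad_reputation_asn=True)
    vpn_script = Signals(velocity_flagged=False, browser_like_ja4=False, hosting_or_proxy_ip=True, bad_reputation_asn=False)
    home_user = Signals(velocity_flagged=False, browser_like_ja4=True, hosting_or_proxy_ip=False, bad_reputation_asn=False)
    print(handle_login(bot, password_ok=True, credential_in_breach=False))
    print(handle_login(vpn_script, password_ok=True, credential_in_breach=False))
    print(handle_login(vpn_script, password_ok=True, credential_in_breach=False, challenge_passed=True))
    print(handle_login(home_user, password_ok=True, credential_in_breach=True))
```

Blocking before the password check also keeps a bot from learning which usernames exist from timing or error differences. The weights are deliberately additive and readable rather than a trained model, so that every verdict can be explained by the list of reasons that produced it.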
detectip.ai gives an explainable verdict + action at the login call, so you apply the right response per attempt.
FAQ
Do I need to change my auth system? No — add a risk check before processing the login.
How do I avoid blocking real users? Step up verification for medium risk; reserve blocks for high-confidence automation. Start free with a key.