Detection Scenario

VPN brute-force detection

Failed login counts alone are not enough. Source distribution, timing intensity, username pattern, and the follow-up successful login should be evaluated together.

Important signals

Rapid attempts from multiple IPs against the same user, or one IP trying many usernames followed by a successful VPN session, forms a high-risk pattern.

Why correlation matters

Because these attacks are no longer tied to a single IP or a single time window. Distributed patterns require state-aware tracking.

FAQ

Why can password spraying be missed?

Because each IP may attempt only a few logins. Single-source thresholds may never trigger, so the full pattern must be tracked.

VPN brute-force detection | Bivoxy