Thursday, January 20, 2011

Prevent Denial of Service (DoS) Attacks

Denial of Service (DoS) attacks against web sites occur when an attacker attempts to make the web server, or servers, unavailable to serve up the web sites they host to legitimate visitors. For some time, it was thought that these types of attacks were generally used against large corporations, government sites, and activist sites as a form of protest to disrupt their web presence.

However, more small and medium businesses are beginning to see their online presence disrupted by this type of attack.

Application Denial of Service attacks have rapidly become a commonplace threat for doing business on the Internet, more proof that web application security is more critical now than ever. Denial of Service attacks can result in significant loss of service, money and reputation for organizations. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available, or the temporary loss of all network connectivity and services. An HTTP Denial of Service attack normally exhausts resources rather than destroying data, but one that crashes a process or fills a disk can leave corrupted files and lost transactions behind. In some cases, HTTP DoS attacks have forced web sites accessed by millions of people to temporarily cease operation.

Examples of Denial of Service attacks launched against web applications include:

* Attempts to "flood" web applications, thereby preventing legitimate user traffic
* Attempts to disrupt service to a specific system or person, e.g., blocking user access by repeated invalid login attempts resulting in the account's suspension
* Tying up the application's database connections by crafting CPU-intensive SQL queries
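The second item above is worth dwelling on, because the usual defence against password guessing (suspend the account after N failures) is exactly what hands the attacker a lockout lever. The following is an added example, not code from the original post or from dotDefender: a sliding-window throttle keyed on (client IP, account) rather than on the account alone, so the abusive address is cooled down while the real user logging in from elsewhere is unaffected. The thresholds and the addresses in the scenario are illustrative assumptions.

```python
"""Login throttling that does not turn account lockout into a DoS lever.

Added example, not code from the original post or from dotDefender. A hard
account suspension after N bad passwords lets an attacker lock out any user
whose name they know. This sliding-window throttle is keyed on
(client IP, account) instead: the abusive address is cooled down, and the
real user logging in from another address is unaffected. Thresholds are
illustrative assumptions.
"""
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=300, cooldown_seconds=60):
        self.max_failures = max_failures
        self.window = window_seconds
        self.cooldown = cooldown_seconds
        self._failures = defaultdict(deque)  # (ip, account) -> failure timestamps
        self._blocked_until = {}             # (ip, account) -> cooldown expiry

    def _prune(self, key, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, ip, account, now):
        """True if a login attempt from ip against account may proceed."""
        key = (ip, account)
        until = self._blocked_until.get(key)
        if until is None:
            return True
        if now < until:
            return False
        # Cooldown over: forget the block and start a fresh window.
        del self._blocked_until[key]
        self._failures[key].clear()
        return True

    def record_failure(self, ip, account, now):
        key = (ip, account)
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._blocked_until[key] = now + self.cooldown

    def record_success(self, ip, account):
        self._failures.pop((ip, account), None)
        self._blocked_until.pop((ip, account), None)


def simulate_lockout_attempt():
    """Constructed scenario: 203.0.113.9 spams bad passwords for 'alice';
    alice then logs in from 198.51.100.7 while the attacker is cooling down."""
    throttle = LoginThrottle(max_failures=5, window_seconds=300, cooldown_seconds=60)
    attacker, victim = "203.0.113.9", "198.51.100.7"
    for t in range(5):                      # five failures at t = 0..4
        if throttle.allow(attacker, "alice", now=t):
            throttle.record_failure(attacker, "alice", now=t)
    return {
        "attacker_blocked": not throttle.allow(attacker, "alice", now=10),
        "victim_allowed": throttle.allow(victim, "alice", now=10),
        "attacker_after_cooldown": throttle.allow(attacker, "alice", now=4 + 61),
    }


if __name__ == "__main__":
    print(simulate_lockout_attempt())
```

Two caveats apply. A botnet can rotate source addresses, so the per-address key slows a distributed guesser less than a single attacker; pair it with a soft per-account signal (a CAPTCHA or a notification to the user) rather than a hard lock. Conversely, many legitimate users behind one NAT share an address, which is why the cooldown is short and scoped to one account rather than a blanket ban.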

Risks Associated with Denial of Service Attacks

Denial of Service attacks are centered around the concept that by overloading a target's resources, the system will eventually be unable to serve legitimate users, whether or not it actually crashes. In the case of a DoS attack against a web application, the software is overloaded by the attack and the application fails to serve web pages properly. To exhaust a web server running an application, a DoS attack targets one or more of the following resources:

* Network bandwidth
* Server memory
* Application exception handling mechanism
* CPU usage
* Hard disk space
* Database space
* Database connection pool

In the past, Denial of Service attacks were thought to be a tool used by hacktivists as a form of protest. However, recent attacks have shown that Denial of Service attacks can also be a way for cyber criminals to profit.

By not proactively working to prevent DoS attacks, you leave your site vulnerable to:

* Extortion: Attackers threaten to continue disrupting service until payment is received.
* Sabotage: Competing businesses attack web sites to build a stronger market share.
* Brand damage: Sites that are attacked find that their reputation is hurt by lack of uptime or the perception that the site is not secure.
* Financial losses: Sites that are attacked are prevented from doing business online. The result is often a loss in sales revenue or advertising revenue.
* Other attacks: Information gathered from a successful Denial of Service attack can be used later to further attack a web site. Additionally, other vulnerabilities may be used to launch a DoS attack providing the attacker with access to more than they had originally intended.

Preventing Denial of Service Attacks

With the dotDefender web application firewall you can block application-layer DoS attacks: dotDefender inspects your HTTP traffic and checks each request against rules, such as allowing or denying protocols, ports, or IP addresses, to stop web applications from being exploited. Because it works on HTTP requests, floods that never complete a TCP handshake have to be handled upstream, at the network or operating-system level.

Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against DoS threats, cross-site scripting, SQL Injection attacks, path traversal and many other web attack techniques.

The reasons dotDefender offers such a comprehensive solution to your web application security needs are:

* Easy installation on Apache and IIS servers
* Strong security against known and emerging hacking attacks
* Best-of-breed predefined security rules for instant protection
* Interface and API for managing multiple servers with ease
* Requires no additional hardware, and easily scales with your business

How does an attacker launch a Denial of Service attack?

There are many different ways that an attacker can launch a Denial of Service attack. They range from simply unplugging a server from the network (if they have physical access) to coordinating large armies of zombie computers to launch a large scale distributed attack against their target using:

* Buffer overflows in the application functions
* Malformed data to raise unexpected exceptions
* Exploited race conditions in multi-threaded systems
* Expensive SQL queries triggered through web forms, then "spamming" those forms with requests, e.g., inserting % wildcards into search fields so the database performs full table scans
* SQL Injection attacks executing recursive, CPU-intensive queries
* End users' own browsers, made to fire parallel requests at the application by script injected through persistent or reflected Cross-Site Scripting
* Overly complex regular expressions submitted in search queries, or input crafted to make the application's own patterns backtrack catastrophically
* Excessively large files uploaded to the server
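Three of the vectors in this list (wildcard-laden search terms, input fed to backtracking regular expressions, and oversized uploads) are cheap to send and expensive to serve, and all three are stopped by bounding the input before the expensive work starts. The following is an added example, not code from the original post or from dotDefender; the limits, the allowed character set and the sample inputs are assumptions chosen for illustration.

```python
"""Bounding the cost of user-supplied input before it reaches the database,
the regex engine or the disk.

Added example, not code from the original post or from dotDefender.
MAX_SEARCH_LEN and MAX_UPLOAD_BYTES are illustrative assumptions.
"""
import io
import re

MAX_SEARCH_LEN = 64
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# A flat character class with a bounded quantifier: no nested repetition,
# so matching cost stays linear in the input length (no catastrophic
# backtracking, whatever the caller sends).
_SEARCH_RE = re.compile(r"[\w \-.'%_]{1," + str(MAX_SEARCH_LEN) + "}")


def escape_like(term, escape="\\"):
    """Escape LIKE metacharacters so user text is matched literally.
    Use together with a parameterised query and an ESCAPE clause, e.g.
    ... WHERE name LIKE ? ESCAPE '\\' with the parameter term + '%'."""
    return (term.replace(escape, escape + escape)
                .replace("%", escape + "%")
                .replace("_", escape + "_"))


def validate_search_term(term):
    """Return a sanitised literal term or raise ValueError.

    Rejects empty or overlong input, input outside the allowed alphabet,
    and terms that are nothing but wildcards (a leading '%' or a run of
    them forces the database into a full scan on every request)."""
    if not term or len(term) > MAX_SEARCH_LEN:
        raise ValueError("search term length out of range")
    if not _SEARCH_RE.fullmatch(term):
        raise ValueError("search term contains disallowed characters")
    stripped = term.strip("%_ ")
    if len(stripped) < 3:
        raise ValueError("search term too short after removing wildcards")
    return escape_like(stripped)


def read_upload_capped(stream, limit=MAX_UPLOAD_BYTES, chunk=64 * 1024):
    """Read at most `limit` bytes from stream and abort the moment the cap is
    exceeded, instead of buffering an arbitrarily large body in memory or on
    disk. Content-Length cannot be trusted, so the body is counted as it
    arrives; at most limit + 1 bytes are ever held."""
    buf = bytearray()
    while True:
        piece = stream.read(min(chunk, limit - len(buf) + 1))
        if not piece:
            return bytes(buf)
        buf.extend(piece)
        if len(buf) > limit:
            raise ValueError("upload exceeds %d bytes" % limit)


def upload_within_limit(data, limit=MAX_UPLOAD_BYTES):
    """Feed constructed bytes through read_upload_capped; True if accepted."""
    try:
        read_upload_capped(io.BytesIO(data), limit)
        return True
    except ValueError:
        return False


def demo():
    """Constructed inputs: a wildcard flood, a normal term, and an upload one
    byte over the cap."""
    results = {}
    for term in ["%%%%%%%%", "%alice%", "ali_ce"]:
        try:
            results[term] = validate_search_term(term)
        except ValueError as exc:
            results[term] = "rejected: %s" % exc
    results["upload"] = "accepted" if upload_within_limit(b"x" * (MAX_UPLOAD_BYTES + 1)) else "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(repr(k), "->", v)
```

The search term is validated with a pattern that cannot backtrack badly, then escaped so that the only wildcard in the final query is the one the application appends itself. The upload reader never trusts the declared length and stops reading as soon as the cap is crossed, so a client that lies about Content-Length or streams forever costs at most one extra chunk.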

Most commonly, the following tactics are used in a DoS attack:

Ping Flooding

(Often grouped with related network-layer attacks such as the Smurf attack, the Ping of death and the SYN flood, although each works differently.)

A ping flood works by sending the target an overwhelming number of ICMP echo request ("ping") packets, usually with an ordinary ping utility. It is very simple to launch, and if the traffic generated exceeds the web site's available bandwidth, the attack succeeds. A Smurf attack produces the same flood by amplification: echo requests carrying the victim's forged source address are sent to a network's broadcast address, and every host on that network replies to the victim. The Ping of death is different in kind: a single malformed or oversized ICMP packet that crashes a vulnerable TCP/IP stack rather than saturating a link.

A SYN flood sends a stream of TCP SYN packets with forged source addresses. The server replies to each with a SYN-ACK and waits for the final ACK of the handshake, but because the forged sender never sent the SYN, that ACK never arrives and the connection stays half-open. As these half-open connections accumulate, the listen backlog fills and legitimate requests can no longer connect.
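Because the sources in a SYN flood are forged, the per-address blocking that works against an abusive client does nothing here; the signal is the number of half-open sockets and how scattered their peers are. The following is an added example, not code from the original post or from dotDefender: it parses a constructed snippet in the column layout of `ss -tan` on Linux and reports those indicators. The thresholds and the sample addresses are assumptions.

```python
"""Spotting a SYN flood in socket state, and why per-source blocking does not help.

Added example, not code from the original post or from dotDefender. The
sample below is constructed in the column layout of `ss -tan` on Linux
(State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port). During a
SYN flood the listening port accumulates SYN-RECV (half-open) sockets whose
peer addresses are forged and scattered, so the useful signal is the
half-open count and the spread of sources, not any single address.
Thresholds are illustrative assumptions.
"""
from collections import Counter

SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:443          0.0.0.0:*
ESTAB      0      0      192.0.2.10:443       198.51.100.23:51412
ESTAB      0      0      192.0.2.10:443       198.51.100.77:40021
SYN-RECV   0      0      192.0.2.10:443       203.0.113.5:1024
SYN-RECV   0      0      192.0.2.10:443       203.0.113.61:1025
SYN-RECV   0      0      192.0.2.10:443       203.0.113.140:1026
SYN-RECV   0      0      192.0.2.10:443       203.0.113.9:1027
SYN-RECV   0      0      192.0.2.10:443       203.0.113.202:1028
SYN-RECV   0      0      192.0.2.10:443       203.0.113.33:1029
SYN-RECV   0      0      192.0.2.10:443       203.0.113.118:1030
SYN-RECV   0      0      192.0.2.10:443       203.0.113.77:1031
SYN-RECV   0      0      192.0.2.10:443       203.0.113.250:1032
SYN-RECV   0      0      192.0.2.10:443       203.0.113.14:1033
SYN-RECV   0      0      192.0.2.10:443       203.0.113.96:1034
SYN-RECV   0      0      192.0.2.10:443       203.0.113.171:1035
"""


def parse_ss(text):
    """Return (state, local, peer_ip) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        rows.append((state, local, peer.rsplit(":", 1)[0]))
    return rows


def syn_flood_indicators(rows, half_open_threshold=10, spread_threshold=0.8):
    """Count half-open sockets and how evenly they are spread over peers."""
    half_open = [r for r in rows if r[0] == "SYN-RECV"]
    established = [r for r in rows if r[0] == "ESTAB"]
    sources = Counter(ip for _, _, ip in half_open)
    spread = len(sources) / len(half_open) if half_open else 0.0
    return {
        "half_open": len(half_open),
        "established": len(established),
        "distinct_sources": len(sources),
        "source_spread": spread,  # 1.0 means every half-open socket has its own peer
        "flood_suspected": len(half_open) >= half_open_threshold and spread >= spread_threshold,
    }


def sources_to_block(rows, share_threshold=0.25):
    """Peers responsible for at least share_threshold of the half-open sockets.
    Against forged, scattered sources this comes back empty: nothing to block."""
    half_open = [ip for state, _, ip in rows if state == "SYN-RECV"]
    if not half_open:
        return []
    counts = Counter(half_open)
    return sorted(ip for ip, n in counts.items() if n / len(half_open) >= share_threshold)


if __name__ == "__main__":
    rows = parse_ss(SAMPLE_SS_OUTPUT)
    print(syn_flood_indicators(rows))
    print("per-source blocklist:", sources_to_block(rows))
```

Since the handshake never completes, no HTTP request ever reaches Apache, IIS or a module running inside them, so this is a layer a web application firewall cannot see. The mitigation belongs in the kernel and upstream: SYN cookies (`net.ipv4.tcp_syncookies=1` on Linux), a sufficiently large listen backlog, and filtering at the network edge.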

Peer-to-peer attacks

Peer-to-Peer attacks are launched when the attacker causes users to disconnect from their peer-to-peer network and to connect to the victim’s website instead. Like a zombie or botnet attack, several thousand computers may be trying to connect to the victim’s site at once. If enough machines are controlled by the attacker, the overflow of connection requests can easily bring down a web application.

Unlike zombie attacks, there is no botnet so the attacker does not have to communicate with the computers he uses to launch his attack.

Application level floods

While most Denial of Service attacks exhaust bandwidth, some rely on software flaws such as buffer overflows or unhandled exceptions. These attacks push the application into a state where it fills the disk, exhausts memory, burns every available CPU cycle, or simply crashes.

The Need to Avoid Denial of Service Attacks

Denial of Service attacks are often random when they are launched against small and medium sized web sites. When a web site is attacked that does not fall into the category of a high profile target (large corporation, government site, or activist site), the reason usually falls within one or more of the following categories:

* Grudge: An unscrupulous competitor or disgruntled former business partner or employee may wish to cripple a business's Web site for the purpose of financial gain or revenge.
* Name Confusion: The Web site's name may closely resemble one used by a well-known enterprise or personality.
* Easy Target: Most mega-corporations have already installed anti-DoS safeguards — such as security technologies and extra server and connectivity power — on their sites. Smaller businesses, with fewer resources at their disposal, are tempting targets for DoS attackers, especially those looking to hone their skills.
* Bad Luck: Sometimes there's no apparent reason for a DoS attack. An attacker may simply pick a business's domain at random, or because they like the sound of its name or the way it looks. Attackers, by nature, can be highly irrational.

Unfortunately for the victim, untargeted attacks yield many of the same results as those launched against a specific target.

Protect Yourself from Denial of Service Attacks

dotDefender's unique security approach eliminates the need to learn the specific threats that exist on each web application. The software that runs dotDefender focuses on analyzing the request and the impact it has on the application. Effective web application security is based on three powerful web application security engines:

Pattern Recognition, Session Protection and Signature Knowledgebase.

The Pattern Recognition web application security engine employed by dotDefender effectively protects against malicious behavior such as Denial of Service attacks. The patterns are regular expression-based and designed to efficiently and accurately identify a wide array of application-level attack methods. As a result, dotDefender is characterized by an extremely low false positive rate, which matters when dealing with DoS attacks: blocking a legitimate user by mistake produces the same end result as a well coordinated DoS attack.

What sets dotDefender apart is that it offers comprehensive protection against Denial of Service and other attacks while being one of the easiest solutions to use.

In just 10 clicks, a web administrator with no security training can have dotDefender up and running. Its predefined rule set offers out-of-the box protection that can be easily managed through a browser-based interface with virtually no impact on your server or web site’s performance.
