Threat description: Applications can be attacked from many sides. One type of attack focuses its impact on driving application service levels down. The attack tries to overwhelm the server with activity so as to impact application performance even to the point of bringing the web service down. Distributed Denial of Service (DDOS) attacks have historically been the most well know attacks in this category. DDOS attacks harness the power of many “hijacked” computers to flood a site with multiple requests for pages or other server services in a coordinated effort to drown the server. With the advent of smarter firewalls and other monitoring tools the occurrence of successful DDOS attacks on prepared servers has dramatically decreased. Any over-active, suspicious activity from a specific IP address, or set of IP addresses, trigger a screening process that filter traffic from those IP addresses keeping it from ever affecting server services.
Through our efforts to assist customers in securing their web-based applications we have discovered a new breed of Application Performance attack. These attacks now being directed at servers are much more insidious. The principles are the same as a DDOS attack but instead of overloading the server at once with a huge level of traffic, the traffic is distributed throughout the day on an ongoing basis. If IP spoofing is used then a smaller number of computers can be used in the attacks as the spoofed IP addresses appear to be from many different sources, allowing one computer to provide a high level of attack traffic. The time of day distribution and IP address spoofing prevents any one IP address from triggering any automated alerts. The traffic is modeled after the same patterns of legitimate traffic and is centered during the hours that typically provide the peak levels of volume. Increasing traffic in the middle of the night is avoided as it makes the traffic obvious to any active monitoring. Large numbers of computers are still used for this type of an attack but the goal is not to crash the server, but instead to drive traffic levels way up.
Threat impact if not remedied: This causes increased costs for network bandwidth, hard disk space (logging), CPU cycles and even resource time spent trying to diagnose the slowed performance of the server. In addition to the increase in variable costs, these attacks significantly affect performance. If this type of attack goes undetected and the increased traffic is mistaken for legitimate traffic then the possibility exists that an organization might even resize their infrastructure to accommodate the perceived increased interest through the bogus increase in traffic levels.
Service levels delivered by the application can clearly be affected through the slowed performance and potential down-time resulting from the attacks. For commercial sites that rely on transactional revenue this can obviously impact that revenue, and depending on the duration of down-time can even be ruinous to their business. On the web, competition is only a click away.
Countermeasure approach: The countermeasures for this type of attack is multifaceted. There are commercial tools that can easily detect and prevent IP spoofing readily available on the market today. We can review your specific infrastructure and recommend an IP spoofing detection strategy or toolset. Some firewall products offer it as a feature and some Operating systems even offer a measure of IP Spoofing detection.
However the more complex task is to identify unwanted traffic and to eliminate it. The concept is to build a filter application that is called wherever the application itself is called. The filter application is predicated on IP spoofing being in place and functioning correctly. The application has a staged verification process that first logs all requests on the server for later reference. Secondly the filter evaluates the IP source address against a list of blocked addresses. Thirdly if the IP address passes the blocked list the traffic level is measured to see if it over a predefined threshold of acceptable levels. These thresholds are parameter and rule driven and are established by the business to ensure that they do not block legitimate traffic. Measures such as requests per minute, per hour or per day can be used separately or together. The logged requests are the source for the frequency measures. There is a process we have employed to stage an address into the blocked list so that legitimate users do not get accidentally blocked.
Tip: When creating filter applications you must ensure you do not accidentally prevent search engine robots from accessing your site. The robots come at varying intervals and sometime may trigger your filter to block them. The way around this is to also create a “ok to submit” list in the same way as you have a blocked address list and ensure the robots are properly referenced on this list.
Tip #2: As a rule consider all HTTP request to be suspect as they are easily forged. Look deeper for legitimate data.
Tip #3: Treat your web application as the mission critical application it is. Read the logs and spend the appropriate amount of time managing and maintaining your application.
Lior Izik - CEH, GWAS
