DDoS attacks jump to top position on Trustwave’s web hacking report

DDoS attacks jumped 22% in the second half of 2010, compared with the first half of the year, the WHID report found. These attacks were targeting insufficient anti-automation capabilities on the part of businesses and organizations.

“The denial of service techniques being used are aimed at the application layer; they are targeting the web server platform instead of just using a botnet to send so many requests that you flood the website’s connection to the internet”, explained Ryan Barnett, a Trustwave researcher and author of the WHID report.

“There are some newer techniques that are surprisingly effective where you don’t need a botnet of hundreds of thousands of systems…[Using these techniques] you can basically take down a website with a laptop”, he added.

The study found that most businesses wrongly assume that network hardware will stop DDoS attacks, or believe their website will not be targeted by such attacks. But the increase in this attack vector shows that businesses should test their website limitations to better understand how their applications will respond to such an attack, the report said.

“These attacks are not spoofing packets; they are actually real clients that are doing a three-way TCP handshake, actually opening up a connection, but they are not sending the web request at the same speed that a normal user would. What they are doing is opening a connection to the website and sending the data very slowly….This holds hostage your web server processes”, Barnett explained. “Networking infrastructure gear will not protect you from that”, he added.

To help specific markets better understand their respective security threats, the report also analyzes top outcomes, attack methods and weaknesses for several vertical markets. Attacks against government agencies resulted in defacement in 26% of attacks, while the finance sector experienced monetary loss in 64% of attacks, and retail was most affected by credit card leakage at 27%.

Web attacks against the financial sector were focused on stealing credentials, which made up 36% of the attack methods used against banks that resulted in money loss. “For finance, they are not as concerned about denial of service; they are more concerned about people taking over their customers’ accounts and transferring funds”, Barnett said.

In the retail sector, hackers used SQL injection 27% of the time to gain access to credit card numbers, the report found. “If you have an SQL injection vulnerability, the attackers are able to get operating system level access on your database server…they have your database server call back out to the attacker’s website and pull down hacker tools, and then they install sniffers” that are able to obtain credit card numbers when they are going across the wire, Barnett explained.

Barnett said that web application firewalls can help businesses and organizations prevent the types of website attacks identified in the report. Installing a web application firewall is “step number one for organizations that have web applications that have these problems”, he added.
