Imperva Study: DoS Attacks Continue to Move Up OSI Stack

Denial of service attacks continue to become increasingly prevalent in the world of the black hat, and also continue to move up the OSI stack from the network level toward the application level, according to the most recent research to be released by Imperva.

While early versions of DoS attacks that tended to focus at the network layer were aimed at shutting down server ports, the most modern strategies moved straight up the stack to the application level, according to Tal Beery, Security Researcher at Imperva, a Redwood Shores, Calif.-based company focused on application and data security.

"Web application-level denial of service is a very prevalent attack vector," said Beery. "It's often thought of as a hacktivist tool, but it's also being used for commercial purposes."

[Related: 7 Deadly Sins Of Information Security ]

id
unit-1659132512259
type
Sponsored post

Beery characterizes the level setting as a "brains over brawn proposition." Flooding a network from the low end of the stack is technically easy, he claims, but requires a lot of horsepower to bring the server to its knees. On the other hand, using a single shotgun command by exploiting a vulnerability at the application level is more technically complex, but it can take down the site with a single request without requiring the same volume of traffic. "The more you elevate, the more power you get, but you pay for it in terms of the need for greater sophistication," he said. "So hackers are traveling a learning curve and are now becoming very familiar with Web applications."

Unlike other major Web application attacks, such as SQL injection, Remote File Inclusion and cross-site scripting, denial of service attacks leverage the inherent limitations of the application, and they do not require a clearly defined vulnerability that can be patched by a software vendor.

In many cases, the effectiveness of a DoS attack is increased by dividing the initiative among numerous machines simultaneously. These distributed denial-of-service attacks (DDoS) are typically executed through large-scale botnets and servers that have been compromised through the introduction of malware.

And if the attackers are not necessarily skilled in the ways of DoS, there are a number of organizations, mostly in foreign countries, that provide DoS-as-a-service attacks in exchange for a fee. These shadowy organizations not only establish themselves, but managed to stay in business partly due to their ability to constantly shift the various components that might lead investigators in their direction.

"I think those services just go under the radar," said Beery. "And if they are careful enough, they will be using some kind of the secured anonymous payment system, and they are changing their emails and instant messaging identities and so forth. Plus, they can use bots and proxies to further conceal their identities."

The Imperva research also found that once a white-hat tool is released for general use, the creators can no longer control the direction that that tool might take. In many cases, resources that were developed to support pen testing and similar white-hat activities ended up being used by black hats against real targets.

NEXT: A Look at the Tools

One of the key tools supporting DoS attacks is Mobile LOIC, which stands for Mobile Low Orbit Ion Cannon, an open-source denial-of-service application originally written in C#. LOIC has been used in a variety of hacktivist operations and is known for its simplicity.

"LOIC has evolved into a hosted solution that eliminates the necessity of downloading software," explained Imperva's Beery. "So the attackers are creating an exploit that ensures that it reaches all the way to the application and is not being deselected by some sort of mechanism."

The introduction of the mobile variant has made the attack even easier, according to the report. The user initiates the DoS attack from a webpage that contains the required code in JavaScript and is automatically downloaded to the user’s browser and executed. The script continues to multiply and generates a new image attribute. As long as the page is open on the user’s browser, the browser continues to send the requests.

Slowhttptest is an open-source tool that implements several kinds of DoS attacks, frequently low-bandwidth Application Layer DoS attacks that amp up the memory and CPU usage on the server.

"Slowhttp is something that you have to download," said Beery. "It specializes in attacks that create loads on the server but do not require a lot of traffic from the attacker. It often uses Slowloris, which sends never-ending requests to the server. It sends a character every 59 seconds before the connection is closed at the one minute mark. So if the server can only handle 100 connections, you can bring the server down in this manner without sending a huge volume of traffic."

Slowhttp was originally designed as a testing instrument for the white-hat community but eventually made its way to the dark side, as well.

Regardless of which tactic is being used, the common denominator involves some form of extortion combined with a mechanism to pay the criminals to refrain from taking down the site without identifying the specific identities of those criminals.

Best practices for defense include the blocking of known threats as identified through unique HTTP characteristics that can provide a basis for detection; the acquisition of data on potential attack sources; the blocking of key automated processes; and the use of a stateful Anti-DoS rule engine that is able to take repetition into account. This capability is especially important because the HTTP requests associated with most DoS attacks usually appear to be non-threatening when viewed on an individual basis.

"It's also a good idea to have multidimensional defenses," added Beery. "In denial of service, there is no vulnerability, except perhaps in the design of the system because it doesn't prevent the user from flooding it. So, pen testing and other processes, such as code reviews, do not help. You want to stop the denial of service attack as close to the source of the attack as possible. You don't want them to reach all the way to the application. You need a device close to the application that can detect the denial of service and transmit the information to the ISP or to the manager."

PUBLISHED SEPT. 20, 2012