Imperva Study: DoS Attacks Continue to Move Up OSI Stack


Denial of service attacks continue to become increasingly prevalent among black-hat attackers, and they also continue to move up the OSI stack from the network layer toward the application layer, according to the most recent research to be released by Imperva.

While early DoS attacks tended to focus on the network layer and were aimed at shutting down server ports, the most modern strategies move straight up the stack to the application layer, according to Tal Beery, Security Researcher at Imperva, a Redwood Shores, Calif.-based company focused on application and data security.

"Web application-level denial of service is a very prevalent attack vector," said Beery. "It's often thought of as a hacktivist tool, but it's also being used for commercial purposes."

Beery characterizes the choice of layer as a "brains over brawn proposition." Flooding a network from the low end of the stack is technically easy, he says, but it requires a lot of horsepower to bring a server to its knees. Exploiting a vulnerability at the application level, by contrast, is more technically complex, but a single crafted request can take down the site without requiring anything like the same volume of traffic. "The more you elevate, the more power you get, but you pay for it in terms of the need for greater sophistication," he said. "So hackers are traveling a learning curve and are now becoming very familiar with Web applications."

Unlike other major Web application attacks, such as SQL injection, Remote File Inclusion and cross-site scripting, denial of service attacks leverage the inherent limitations of the application, and they do not require a clearly defined vulnerability that can be patched by a software vendor.

In many cases, the effectiveness of a DoS attack is increased by spreading the attack across numerous machines simultaneously. These distributed denial-of-service (DDoS) attacks are typically executed through large-scale botnets and servers that have been compromised by malware.

And if the attackers are not themselves skilled in the ways of DoS, there are a number of organizations, mostly in foreign countries, that carry out DoS attacks as a service in exchange for a fee. These shadowy organizations not only establish themselves but manage to stay in business, partly because of their ability to constantly shift the various components that might lead investigators in their direction.

"I think those services just go under the radar," said Beery. "And if they are careful enough, they will be using some kind of secured anonymous payment system, and they are changing their emails and instant messaging identities and so forth. Plus, they can use bots and proxies to further conceal their identities."

The Imperva research also found that once a white-hat tool is released for general use, its creators can no longer control the direction the tool might take. In many cases, resources developed to support pen testing and similar white-hat activities ended up being used by black hats against real targets.