Over the last few months, I’ve started to see a common refrain from new customers coming onboard, indicating that they were getting DDOS’d with an SQL injection and needed protection. Each of these customers would describe different circumstances and impact to their websites, and the only similarity was that they all had backend databases to their websites. It made me take a deeper look into the attacks targeting some of these customers, to see if there was more to SQL injection than what the current understanding indicates. Here’s what I discovered as the most common methods for attacking a website database:
- Crafted Code Injection – this technique falls within the conventional understanding, where an attacker will inject SQL statements via user input, cookies or server variables, in an attempt to have the rogue command passed to the backend database. If the database is not secured properly, the command may get successfully executed and lead to devastating results (eg. Dump of the database, data corruption, shutdown, etc.)
- Resource Exhaustion – arguments and commands are passed at a high enough frequency to simply overwhelm the database so it cannot process legitimate transactions. The illegitimate arguments that are being passed may be invalid or just nonsensical, and therefore not executed upon, but they still require the database to review the input before discarding. By injecting a flood of these types of requests, the CPU load of the backend database starts to increase to the point it stops responding.
What we’ve seen with the Resource Exhaustion style attacks is that it often doesn’t take much in terms of packets or bits per second to make some of these database servers keel over. For those of you familiar with UDP/ICMP/SYN floods, which can be 10+ Gb/s and millions of packets per second (pps), you’ll be surprised to hear that Resource Exhaustion SQL Injections can be small as 200 kb/s as well as being only a few hundred pps, to debilitate a database and effectively bring a site down.
Regardless of what attack technique is employed, we here at DOSarrest have been able to keep customers databases operational and intact under our protection. With our ability to mitigate these types of incursions, by employing features such as:
- Managing Arguments – checking and sanitizing which arguments get passed through to our customer
- User Agent Verification – validation of http header fields to ensure that request are coming from an accepted list of browsers
- Client Validation – proprietary algorithm ensuring that a visitor to a site is in fact a real user session
- Connection Rate Limiting – discarding connections from sources that trip custom defined thresholds
as well as many more, we are able to provide solutions unique to each customers setup and requirements.
While we have been extremely successful in helping out our customers during these attacks, we still advise our customers to take preventative measures and use best case practices in designing their website code. In the next article, our Security Operations Manager, Sean Power, will be providing some useful tips and tricks in designing secure connections from your website to your backend database.
Chief Technical Officer, DOSarrest Internet Security