How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down - Webmasters - Nairaland
How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by Nobody: 12:14pm On Jun 30, 2014
Denial of Service Attack


What is it?

A “denial of service” (sometimes called a “distributed denial of service” or DDoS) attack occurs when a system, in this case a web server, receives so many requests at one time that the server resources are overloaded and the system simply locks up and shuts down. The goal and result of a successful DDoS attack is that the websites on the target server are unavailable to legitimate traffic requests.

How does it work?

The logistics of a DDoS attack may be best explained by an example.

Imagine a million people (the attackers) get together with the goal of hampering Company X’s business by taking down their call center. The attackers coordinate so that on Tuesday at 9 AM they will all call Company X’s phone number. Most likely, Company X’s phone system will not be able to handle a million calls at once, so all the incoming lines will be tied up by the attackers. The result is that legitimate customer calls (i.e. those that are not the attackers) do not get through because the phone system is tied up handling the calls from the attackers. So in essence Company X is potentially losing business due to the legitimate requests being unable to get through.

A DDoS attack on a web server works exactly the same way. Because there is virtually no way to know what traffic is sourced from legitimate requests vs. attackers until the web server is processing the request, this type of attack is typically very effective.

Executing the attack

Due to the “brute force” nature of a DDoS attack, you need to have lots of computers all coordinated to attack at the same time. Revisiting our call center example, this would require all the attackers to both know to call at 9 AM and actually call at that time. While this principle certainly will work when it comes to attacking a web server, it becomes significantly easier when zombie computers, instead of actual manned computers, are utilized.

As you probably know, there are lots of variants of malware and trojans which, once on your system, lie dormant and occasionally “phone home” for instructions. One of these instructions could, for example, be to send repeated requests to Company X’s web server at 9 AM. So with a single update to the home location of the respective malware, a single attacker can instantly coordinate hundreds of thousands of compromised computers to perform a massive DDoS attack.

The beauty of utilizing zombie computers is not only in its effectiveness, but also in its anonymity as the attacker doesn’t actually have to use their computer at all to execute the attack.
SQL Injection Attack


What is it?

A “SQL injection” (SQLI) attack is an exploit that takes advantage of poor web development techniques, typically combined with faulty database security. The result of a successful attack can range from impersonating a user account to a complete compromise of the respective database or server. Unlike a DDoS attack, an SQLI attack is completely and easily preventable if a web application is appropriately programmed.

Executing the attack

Whenever you login to a web site and enter your user name and password, in order to test your credentials the web application may run a query like the following:

SELECT UserID FROM Users WHERE UserName='myuser' AND Password='mypass';

Note: string values in a SQL query must be enclosed in single quotes which is why they appear around the user entered values.

So the combination of the entered user name (myuser) and password (mypass) must match an entry in the Users table in order for a UserID to be returned. If there is no match, no UserID is returned so the login credentials are invalid. While a particular implementation may differ, the mechanics are pretty standard.

So now let’s look at a template authentication query which we can substitute the values the user enters on the web form:

SELECT UserID FROM Users WHERE UserName='[user]' AND Password='[pass]'

At first glance this may seem like a straightforward and logical step for easily validating users, however if a simple substitution of the user entered values is performed on this template, it is susceptible to an SQLI attack.

For example, suppose "myuser'--" is entered in the user name field and "wrongpass" is entered in the password. Using simple substitution in our template query, we would get this:

SELECT UserID FROM Users WHERE UserName='myuser'--' AND Password='wrongpass'

A key to this statement is the inclusion of the two dashes (--). This is the begin comment token for SQL statements, so anything appearing after the two dashes (inclusive) will be ignored. Essentially, the above query is executed by the database as:

SELECT UserID FROM Users WHERE UserName='myuser'

The glaring omission here is the lack of the password check. By including the two dashes as part of the user field, we completely bypassed the password check condition and were able to login as “myuser” without knowing the respective password. This act of manipulating the query to produce unintended results is a SQL injection attack.

What damage can be done?

A SQL injection attack is caused by negligent and irresponsible application coding and is completely preventable (which we will cover in a moment), however the extent of the damage which can be done depends on the database setup. In order for a web application to communicate with the backend database, the application must supply a login to the database (note, this is different than a user login to the web site itself). Depending on what permissions the web application requires, this respective database account can require anything from read/write permission in existing tables only to full database access. If this isn’t clear now, a few examples should help provide some clarity.

Based on the above example, you can see that by entering, for example, "youruser'--", "admin'--" or any other user name, we can instantly login to the site as that user without knowing the password. Once we are in, the system doesn’t know we are not actually that user, so we have full access to the respective account. Database permissions will not provide a safety net for this because, typically, a web site must have at least read/write access to its respective database.

Now let’s assume the web site has full control of its respective database which gives the ability to delete records, add/remove tables, add new security accounts, etc. It is important to note that some web applications could need this type of permission so it is not automatically a bad thing that full control is granted.

So to illustrate the damage which can be done in this situation, we will use the example provided in the comic above by entering the following into the user name field: "Robert'; DROP TABLE Users;--". After simple substitution the authentication query becomes:

SELECT UserID FROM Users WHERE UserName='Robert'; DROP TABLE Users;--' AND Password='wrongpass'

Note: the semicolon in a SQL query is used to signify the end of a particular statement and the beginning of a new statement.

Which gets executed by the database as:

SELECT UserID FROM Users WHERE UserName='Robert'

DROP TABLE Users

So just like that, we have used an SQLI attack to delete the entire Users table.

Of course, much worse can be done as, depending on the SQL permissions allowed, the attacker can change values, dump tables (or the entire database itself) to a text file, create new login accounts or even hijack the entire database installation.

Preventing a SQL injection attack

As we mentioned several times previously, a SQL injection attack is easily preventable. One of the cardinal rules of web development is you never blindly trust user input as we did when we performed simple substitution in our template query above.

An SQLI attack is easily thwarted by what is called sanitizing (or escaping) your inputs. The sanitize process is actually quite trivial as all it essentially does is handle any inline single quote (') characters appropriately such that they cannot be used to prematurely terminate a string inside of a SQL statement.

For example, if you wanted to look up "O'neil" in a database, you couldn’t use simple substitution because the single quote after the O would cause the string to prematurely end. Instead you sanitize it by using the respective database’s escape character. Let’s assume the escape character for an inline single quote is prefacing each quote with a \ symbol. So "O'neil" would be sanitized as "O\'neil".

This simple act of sanitation pretty much prevents an SQLI attack. To illustrate, let’s revisit our previous examples and see the resulting queries when the user input is sanitized.

myuser'-- / wrongpass:

SELECT UserID FROM Users WHERE UserName='myuser\'--' AND Password='wrongpass'

Because the single quote after myuser is escaped (meaning it is considered part of the target value), the database will literally search for the UserName of "myuser'--". Additionally, because the dashes are included within the string value and not the SQL statement itself, they will be considered part of the target value instead of being interpreted as a SQL comment.

Robert'; DROP TABLE Users;-- / wrongpass:

SELECT UserID FROM Users WHERE UserName='Robert\'; DROP TABLE Users;--' AND Password='wrongpass'

By simply escaping the single quote after Robert, both the semicolon and dashes are contained within the UserName search string so the database will literally search for "Robert'; DROP TABLE Users;--" instead of executing the table delete.
In Summary

While web attacks evolve and become more sophisticated or focus on a different point of entry, it is important to remember to protect against tried and true attacks which have been the inspiration of several freely available “hacker tools” designed to exploit them.

Certain types of attacks, such as DDoS, cannot be easily avoided while others, such as SQLI, can. However, the damage which can be done by these types of attacks can range anywhere from an inconvenience to catastrophic depending on the precautions taken. goto www.naijazoom.com for more...

3 Likes
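The post's login query, replayed three ways in SQLite: the simple-substitution template it warns about, the same template with the sanitize step applied, and a bound-parameter query. This is an added example, not code from the post or from any poster; the Users table and its rows are constructed, and because SQLite (like standard SQL) escapes an inline single quote by doubling it rather than with the backslash the post assumes, sql_escape uses the doubled form.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the site's Users table (sample data only).
    Passwords are kept in clear text purely to mirror the post's query; real
    applications store password hashes, never the password itself."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER PRIMARY KEY, UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users (UserName, Password) VALUES (?, ?)",
                     [("myuser", "mypass"), ("O'neil", "irish")])
    conn.commit()
    return conn

# The post's template authentication query.
TEMPLATE = "SELECT UserID FROM Users WHERE UserName='{user}' AND Password='{pw}'"

def _first_id(row):
    return row[0] if row else None

def login_substitution(conn, user, pw):
    """Simple substitution, the vulnerable pattern from the post: the entered
    text becomes part of the SQL statement itself."""
    return _first_id(conn.execute(TEMPLATE.format(user=user, pw=pw)).fetchone())

def sql_escape(value):
    """The post's sanitize step. SQLite escapes an inline single quote by
    doubling it ('' instead of the MySQL-style \\' the post assumes)."""
    return value.replace("'", "''")

def login_escaped(conn, user, pw):
    """Same template, but every quote in the input is escaped first, so the
    input can no longer terminate the string literal early."""
    return _first_id(conn.execute(
        TEMPLATE.format(user=sql_escape(user), pw=sql_escape(pw))).fetchone())

def login_parameterized(conn, user, pw):
    """Bound parameters: the database receives the SQL text and the values
    separately, so no escaping is needed at all. Preferred over hand escaping."""
    return _first_id(conn.execute(
        "SELECT UserID FROM Users WHERE UserName=? AND Password=?", (user, pw)).fetchone())

def demo():
    """Replay the post's payloads through all three variants. Returns the UserID
    each one granted (None = login refused, 'SQL error' = query failed to parse)."""
    conn = make_db()
    cases = [("myuser'--", "wrongpass"), ("O'neil", "irish")]
    results = {}
    for user, pw in cases:
        for name, fn in (("substitution", login_substitution),
                         ("escaped", login_escaped),
                         ("parameterized", login_parameterized)):
            try:
                results[(name, user)] = fn(conn, user, pw)
            except sqlite3.OperationalError:
                results[(name, user)] = "SQL error"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Substitution lets "myuser'--" in with the wrong password and cannot even look up the legitimate user O'neil, while the escaped and parameterized versions refuse the bypass and find O'neil correctly.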

Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by cbrass(m): 3:52pm On Jun 30, 2014
Wao, God bless you for this post, I have gained a lot from it.

Thanks so much
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by Rdduite(m): 7:48pm On Jun 30, 2014
This post here is for serious web masters! OP, you're a lord in this area.
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by Dongibzy(m): 9:40pm On Jun 30, 2014
Make sense. Thanks Bro
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by Nobody: 12:52am On Jul 01, 2014
Pls, I am yet to understand what you mean, cos I am planning on creating a thread that reads "which best anti-DoS attack service" to use, since Nairaland was supported by Cloudflare, yet it crashed.
My P is, how does one really get rid of a DoS attack?
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by Nobody: 4:41am On Jul 01, 2014
Bossforeva: Pls, I am yet to understand what you mean, cos I am planning on creating a thread that reads "which best anti-DoS attack service" to use, since Nairaland was supported by Cloudflare, yet it crashed.
My P is, how does one really get rid of a DoS attack?
Bossforeva, like I typed above, imagine you get 2000 people calling your phone line at the same time; you won't get to answer all the calls at the same time, and it's likely for your network provider to say "the number you dialed is not reachable" to the next 1,999 incoming calls. This attack was "likely" used on Nairaland to prevent users from reaching the site, and other malware attacks were used to corrupt and wipe off data. You can actually prevent 'some types' of DoS attacks by using or coding a bot that rejects too many requests in the same time interval. That's why you see the Nairaland stats (989 guests and 90 members in last ... minute): there's a limit where it can turn into an attack. Register @ my site www.naijazoom.com and p0st U pr0blems
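The "bot that rejects too many requests in the same time interval" described in the reply above, written out as a per-client sliding-window limiter (the same idea tools like mod_evasive and fail2ban apply at the web server or firewall). This is an added example, not code from any poster; the traffic sample is constructed, using documentation-range IP addresses. As the thread later notes, a check like this only helps while the server can still see the requests; it does nothing once the link's bandwidth is saturated upstream.

```python
from collections import defaultdict, deque

class RequestLimiter:
    """Sliding-window limiter: each client may make at most `limit` requests in
    any `window`-second span; anything beyond that is refused (an HTTP 429 in a
    real server, or a temporary firewall block as fail2ban would do)."""
    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)   # client -> timestamps still inside the window

    def allow(self, client, now):
        q = self.recent[client]
        while q and now - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Constructed traffic sample (documentation-range addresses, not real clients):
# one client hammering the site once per second for 20 seconds, one browsing normally.
FLOOD = [(t, "203.0.113.5") for t in range(20)]
NORMAL = [(1, "198.51.100.7"), (6, "198.51.100.7"), (12, "198.51.100.7")]
SAMPLE = sorted(FLOOD + NORMAL)

def replay(events, limit=5, window=10):
    """Run timestamped (seconds, client) events through the limiter and return
    how many requests were refused per client; the normal visitor never appears."""
    limiter = RequestLimiter(limit, window)
    refused = defaultdict(int)
    for t, client in events:
        if not limiter.allow(client, t):
            refused[client] += 1
    return dict(refused)

if __name__ == "__main__":
    print(replay(SAMPLE))   # {'203.0.113.5': 10}
```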
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by Nobody: 6:55am On Jul 01, 2014
Naijazoom: Bossforeva, like I typed above, imagine you get 2000 people calling your phone line at the same time; you won't get to answer all the calls at the same time, and it's likely for your network provider to say "the number you dialed is not reachable" to the next 1,999 incoming calls. This attack was "likely" used on Nairaland to prevent users from reaching the site, and other malware attacks were used to corrupt and wipe off data. You can actually prevent 'some types' of DoS attacks by using or coding a bot that rejects too many requests in the same time interval. That's why you see the Nairaland stats (989 guests and 90 members in last ... minute): there's a limit where it can turn into an attack. Register @ my site www.naijazoom.com and p0st U pr0blems
What I am asking now is, eh.. What's the best anti-DoS to use apart from Cloudflare?
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by cbrass(m): 7:55am On Jul 03, 2014
Bossforeva: What I am asking now is, eh.. What's the best anti-DoS to use apart from Cloudflare?

Can't you comprehend what she said ni
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by cbrass(m): 7:56am On Jul 03, 2014
If we look at it this way, Nairaland can't even be blamed for the attack but their host; once you hack the host, what else remains?
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by LoveDecay(m): 1:43am On Jul 04, 2014
cbrass: If we look at it this way, Nairaland can't even be blamed for the attack but their host; once you hack the host, what else remains?

Nairaland does not have a host. It sits on a dedicated server. As for the statement that Nairaland is protected by Cloudflare, everybody and their grandmother knows Cloudflare is used by hackers, pirates, terrorists and their like to hide their true identity.

I really doubt Nairaland got hit by a DDoS; the server crashed and Seun and co were not making daily or hourly backups, hence the loss of data.

You only lose data when your server crashes and you have no backups; DDoS does not cause data loss on servers, it only swallows the available bandwidth on the server's link or IP. A simple solution is to move to a better data center with 100gbps DDoS protection - that should keep them crooks scratching their heads.

Another solution to DDoS is to block all originating countries, but that would also chew a lot of system resources - which takes us back to the upstream protection from the data center and not the server.

To the question about DDoS protection (if you own a server) - there's very little you can do if the attacker can eat your entire bandwidth, but if it's a minor attack, you can protect your server with mod_evasive, fail2ban, CSF or more dedicated and less crowded CDN providers such as Incapsula - who made an excellent presentation on TTFB (time to first byte) and search engine rankings - another area Cloudflare fails. Other CDNs include Amazon, cdn77, just to name a few.

Dump Cloudflare if you use it.

Nairaland.com
IP: 173.208.175.234
Provider: WholeSale Internet
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by cbrass(m): 9:25pm On Jul 04, 2014
Love_Decay:

Nairaland does not have a host. It sits on a dedicated server. As for the statement that Nairaland is protected by Cloudflare, everybody and their grandmother knows Cloudflare is used by hackers, pirates, terrorists and their like to hide their true identity.

I really doubt Nairaland got hit by a DDoS; the server crashed and Seun and co were not making daily or hourly backups, hence the loss of data.

You only lose data when your server crashes and you have no backups; DDoS does not cause data loss on servers, it only swallows the available bandwidth on the server's link or IP. A simple solution is to move to a better data center with 100gbps DDoS protection - that should keep them crooks scratching their heads.

Another solution to DDoS is to block all originating countries, but that would also chew a lot of system resources - which takes us back to the upstream protection from the data center and not the server.

To the question about DDoS protection (if you own a server) - there's very little you can do if the attacker can eat your entire bandwidth, but if it's a minor attack, you can protect your server with mod_evasive, fail2ban, CSF or more dedicated and less crowded CDN providers such as Incapsula - who made an excellent presentation on TTFB (time to first byte) and search engine rankings - another area Cloudflare fails. Other CDNs include Amazon, cdn77, just to name a few.

Dump Cloudflare if you use it.

Nairaland.com
IP: 173.208.175.234
Provider: WholeSale Internet

There is something similar to this happening on my website. There is someone from either Japan or China eating my bandwidth; I don't know how they found their way into my database. They keep posting comments into my comment column and it's just rubbish they put there; I am tired of this and don't even know what to do. I have changed my cPanel password today now, but as of the time I am posting this I have close to 42 people online on my website with no new posts showing (my site is a forum). Please what can I do?
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by Nobody: 9:33pm On Jul 04, 2014
Wow!!!
The more you live, the more you learn.
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by Youngzedd(m): 7:33am On Jul 05, 2014
cbrass:

There is something similar to this happening on my website. There is someone from either Japan or China eating my bandwidth; I don't know how they found their way into my database. They keep posting comments into my comment column and it's just rubbish they put there; I am tired of this and don't even know what to do. I have changed my cPanel password today now, but as of the time I am posting this I have close to 42 people online on my website with no new posts showing (my site is a forum). Please what can I do?


Add their IP address on .htaccess

2 Likes

Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by Youngzedd(m): 7:37am On Jul 05, 2014
My site was also attacked the same day Nairaland went offline. Mine lasted for 2 days before I figured it out and blocked the IP.

My host suspended my account although it was fixed immediately.

Just one Indian guy.
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by cbrass(m): 10:15am On Jul 05, 2014
Youngzedd:


Add their IP address on .htaccess

I have a robot that does that but haven't updated it since; some people are of the opinion that blocking IPs isn't the best option as it will affect my site traffic, and that I should rather install some anti-spam. I guess I will have to do it myself then.
Re: How To Protect Your Site From Such Attacks That Likely Brought Nairaland Down by JideTheBlogger(m): 12:58pm On Jul 05, 2014
Thumbs up man