July 24, 2012

Back-end database denial of service

One of the more common attacks I have stumbled upon in the course of working with information security is denial of service - an attack which causes the system to stop responding due to  exhaustion of resources and connections.
There are many types of denial of service attacks, each targeted at a different application and network level, and the new ones appear all the time; However, one such attack that I would like to share with you targets back-end databases.

How does it work?
This attack is based on the inability of the database to handle with big results in a short period of time due to running a query from the application server. For example, a malicious user or bot is able to query the web application for a search result, which will be translated to the following query in the back-end database:
SELECT id, subject, data FROM objects WHERE subject LIKE '%' + $search + '%'
The query gets the parameter $search from the application server and uses wildcards ('%') in the search result. Thus, if the database returns many rows in the result, then it might take some computing time, nevertheless it is still fast in our terms.
If a malicious user is able to query the application server many times in such way that each query will respond with many results, then the attack can be executed successfully. As a result, the database server will not be able to supply resources to send back the result since the CPU will be overloaded or the RAM will be full.

Most of the important\critical internet servers are found behind load balancers, with clusters and another application security products (Web Application Firewall, DB Firewall). If the application security products are able to perform statistics on the requests, then the attack can be restrained partially.

Query methods
1. Activate a bot to send HTTP requests to application server.
2. Malicious\Exploited web sites can include an IFRAME that posts the request.
3. User can perform multiple requests from the browser using multiple IFRAMES or JavaScripts.

1 comment: