In July 2018 we launched our next-generation Web Application Firewall (WAF). In the period from July through December, it handled 48,180,062 requests and blocked 617,074 attacks. The majority (62%) of the attacks originated from IP addresses in the United States. The detection method for 93% of the attacks was the identification of a signature string, IP address, or URL.
Types of Attacks
The top four types of attacks which Quttera's WAF detected were distributed as follows:
- Vulnerability exploit: 438
- Shell code: 8,256
- SQL injection: 31,500
- Generic attack (malicious string, path, or IP address): 576,502
A vulnerability exploit targets a known software weakness in an operating system, application, or service. Known vulnerabilities in major software products are listed in repositories such as the National Vulnerability Database. Quttera maintains its own vulnerability database, working from the most reliable and up-to-date sources. These listings let system managers know they need to update their software, but criminals learn at the same time about ways to attack systems that aren't up to date.
Most successful exploits of vulnerabilities take advantage of outdated systems. A good software maintenance program will stop the large majority of them. Sometimes, though, dependencies on legacy code make it difficult to keep software up to date.
Vulnerabilities take many forms, and the attacks on them are just as varied. These are some of the most common ones:
- Buffer Overflow. Specially crafted requests can trick the software into writing data beyond the area which is allocated for it, overwriting code with other instructions. This code can write files to the disk, access the database, connect to a remote server, or obliterate existing information.
- Account Hijacking. The attacker obtains information that lets them take over a logged-in session. From there, it's possible to do anything the legitimate account holder could have done.
Vulnerability scan software can catch problems of this type, so system managers can find and fix the most glaring weaknesses.
There are several ways to get code into a website which will let someone who knows about it run any software on the affected site. This kind of code is called a "shell," after the command line shells which many operating systems offer. It's also called a "backdoor." The code may come from an uploaded executable file, a plugin from a disreputable source, or file access by password guessing.
The shell code is likely to be brief and obfuscated, to make it hard to catch. If it isn't caught, it can remain on the server for a long time. It can pull out data at a low rate, to avoid detection. Monitoring of network activity can catch shells through their actions. Another method is the comparison of executable files on the website with known good versions.
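The file-comparison approach described above, as an added example that is not Quttera's own code: a known-good snapshot of the site's files is recorded as SHA-256 digests, and a later snapshot is compared against it so that any altered, newly dropped, or deleted file stands out. The site tree here is constructed in a temporary directory purely for the demonstration; the file names and contents are assumptions.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (as a relative, slash-separated path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def compare(baseline, current):
    """Classify the differences between a known-good snapshot and the live tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    # Constructed site tree: a known-good deployment, then two changes of the kind a dropped shell leaves.
    with tempfile.TemporaryDirectory() as site:
        os.makedirs(os.path.join(site, "plugins", "gallery"))
        with open(os.path.join(site, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(site, "plugins", "gallery", "gallery.php"), "w") as fh:
            fh.write("<?php // gallery plugin ?>\n")
        baseline = snapshot(site)

        # Simulated compromise: an existing file is altered and an unexpected file appears under uploads/.
        with open(os.path.join(site, "index.php"), "a") as fh:
            fh.write("// appended line\n")
        os.makedirs(os.path.join(site, "uploads"))
        with open(os.path.join(site, "uploads", "image.php"), "w") as fh:
            fh.write("<?php // unexpected file ?>\n")
        return compare(baseline, snapshot(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline should be taken from a clean deployment (or from the vendor's release files) and stored somewhere the web server cannot write, otherwise an intruder who can drop a shell can also rewrite the baseline to match.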
Web applications access the database through the SQL language. When a user submits a form, the website uses the form data to build an SQL query. If the site does this carelessly, specially crafted form fields can trick the code into submitting a query or command of the attacker's design. That's called SQL injection, and it can alter or delete tables or retrieve confidential information.
This trick isn't limited to what users can do by filling out form fields. Crooks can submit a complete POST request, as if they had filled out the form, supplying their own data. They can bypass all the checks which the form uses to validate data.
SQL injection is a category of software vulnerability in its own right. It is a particular threat to eCommerce sites, which rely heavily on forms to access customer and product databases.
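The careless query construction described above, beside the parameterized form that prevents it, as an added example that is not Quttera's own code. It uses Python's built-in sqlite3 module with a constructed in-memory customer table; the table layout, the rows, and the crafted input are assumptions made for the demonstration. Because the crafted value arrives as a raw request field rather than through the form, no client-side validation is involved, which is the point made in the preceding paragraph.

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for a shop's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Query built by string concatenation: the form field becomes part of the SQL text,
    # so quotes and keywords inside it change the meaning of the statement.
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    # Parameterized query: the driver sends the value as data and it can never become SQL.
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Constructed field value that turns the concatenated WHERE clause into an always-true condition.
CRAFTED = "' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, normal input:", lookup_vulnerable(conn, "alice@example.com"))
    print("vulnerable, crafted input:", lookup_vulnerable(conn, CRAFTED))
    print("parameterized, crafted input:", lookup_safe(conn, CRAFTED))
```

With the crafted value the concatenated query returns every customer row, while the parameterized version simply finds no customer whose address equals that literal string. A WAF rule can catch the common forms of such input at the edge, but the parameterized query is what removes the vulnerability.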
Catching Malicious Inputs
Finally, we come to the largest category. It's not really a separate type of attack, but a particular type of detection which catches many kinds of attacks. It recognizes patterns or "signatures" in requests which correspond to known hacks. The variety of approaches is large.
- Path-Based Exploits. Legitimate requests should never go outside the website directory, but a poorly configured site may not protect other directories from access. If a URL contains a string like "../.." or "/usr/bin/", it's trying to get outside the Web directory and read information from other files. It might be able to get configuration or password information that way.
- Known Hostile IP Addresses. Quttera maintains a list of IP addresses that have a history of malicious activity. Requests from these addresses are filtered out.
- Query String Patterns. A variety of hacks depend on embedding a secondary URL into a request. This can trick some sites into accessing the URL, which belongs to a site that will do something nasty.
- Other Signature Patterns. Sometimes a sequence of bytes doesn't mean much in itself but is part of the "signature" that lets the WAF recognize an attempt to do something bad. Some attacks vary their signature to avoid detection, but a large fraction can be caught by their predictability.
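The four detection approaches listed above, combined into one small request classifier, as an added example that is not Quttera's WAF code. The blocklist network, the byte signature, and the sample requests are constructed for the demonstration (the IP addresses come from the RFC 5737 documentation ranges); the path strings are the two quoted in the text. One caveat the list does not spell out is that path and query values must be percent-decoded before matching, otherwise "%2e%2e%2f" slips past a rule written for "../", so the classifier decodes until the value stops changing.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed rule data for illustration; a production WAF loads vendor-maintained lists.
HOSTILE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # documentation range, stands in for a real list
PATH_SIGNATURES = [re.compile(r"\.\./\.\."), re.compile(r"/usr/bin/")]  # the strings quoted in the text
BODY_SIGNATURES = [b"\xde\xad\xbe\xef"]  # placeholder byte sequence standing in for a real signature
EMBEDDED_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def normalize(text, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded traversal strings are seen plainly."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(request):
    """Return the names of the signature rules a request trips; an empty list means allow."""
    hits = []

    # Known hostile IP addresses: drop before looking at the request at all.
    addr = ipaddress.ip_address(request["ip"])
    if any(addr in net for net in HOSTILE_NETWORKS):
        hits.append("hostile-ip")

    # Path-based exploits: traversal or absolute system paths in the decoded path.
    parts = urlsplit(request["target"])
    if any(p.search(normalize(parts.path)) for p in PATH_SIGNATURES):
        hits.append("path-traversal")

    # Query string patterns: a parameter whose value is itself a URL (parse_qsl already decodes once).
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMBEDDED_URL.match(normalize(value)):
            hits.append("embedded-url")
            break

    # Other signature patterns: a byte sequence anywhere in the body.
    body = request.get("body", b"")
    if any(sig in body for sig in BODY_SIGNATURES):
        hits.append("byte-signature")
    return hits


# Constructed sample requests: one clean, then one tripping each rule.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.7", "target": "/products?id=42", "body": b""},
    {"ip": "198.51.100.23", "target": "/index.html", "body": b""},
    {"ip": "203.0.113.7", "target": "/files/%2e%2e/%2e%2e/config", "body": b""},
    {"ip": "203.0.113.7", "target": "/redirect?next=http%3A%2F%2Fattacker.example%2Fx", "body": b""},
    {"ip": "203.0.113.7", "target": "/upload", "body": b"name=a&data=\xde\xad\xbe\xef"},
]


def run_samples():
    """Classify every sample request, keyed by its request target."""
    return {r["target"]: classify(r) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for target, verdict in run_samples().items():
        print(target, "->", verdict or "allow")
```

Signature matching of this kind is cheap and catches the predictable majority the text refers to; its known weakness is that a rule only fires on the exact pattern it encodes, which is why the decoding step matters and why the rule set has to be refreshed as attackers vary their signatures.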
The Geographic Location of Attacks
The top six sources of attacks, based on geolocation of their IP addresses, were:
- Russian Federation: 18,272
- Netherlands: 18,982
- China: 25,199
- N/A: 25,966
- Canada: 29,605
- United States: 437,090
The leading position of the United States, in a category where it would rather not be a leader, may surprise many people. Other research has confirmed this pattern. The causes are complex. One factor is that many firewalls block or limit access from traditionally untrustworthy locations but not from the US. Dynamic updating of the list of malicious addresses, regardless of where they're located, is a necessary part of security today.
Seeing the Good and the Bad
The number and variety of attempts to break into data systems are enough to give system administrators nightmares, but it isn't a reason for despair. They fall under known patterns, and a large portion of them are just variations on earlier attempts. Methods to recognize and stop them exist. Once defenses against them are in place, those attacks won't get anywhere.
Then there are the genuinely new attacks. They're smaller in number but more dangerous. That's where Quttera WAF stays on the cutting edge. It keeps up with the latest threats and uses filtering rules to identify and stop both known and zero-day attacks.
Quttera WAF is part of the ThreatSign Website Anti-Malware Platform. It blocks malicious visitors. Hostile requests using SQL injection and XSS get blocked, along with other application-layer attacks. Quttera's dedicated team of seasoned security professionals constantly maintains the WAF's traffic filtering rules to keep up with the latest threats. Our scanners regularly crawl the Web, scanning millions of URLs for malware each month. As we gather this information, we immediately update the protection of our entire user community, guarding against all detected threats and potentially suspicious activity.