One Attacker With A Single PC Can Now Bring Down A Whole Server Cluster. Got Any Unhappy Customers?
Written by Frank Hayes

The days of the classic botnet distributed denial-of-service attack may be numbered, and that isn’t necessarily good news for retail chains. On January 6, a cyberthief-friendly programmer made public a one-line attack that could enable a single attacker to bring multiple servers to their knees. That moves DDoS out of the realm of requiring a costly botnet for a high-bandwidth mass attack—and brings it into range for a single irritated teenager.
The vulnerability that attack uses is easily fixed. What’s really worrisome is what makes the attack practical: the new ability to target server weaknesses that have been known for years—but no one worried about.
The new security hole showed up between Christmas and New Year’s at the Chaos Communication Congress conference in Berlin. Researchers Alexander Klink and Julian Walde outlined a way for an attacker to chew up server CPU time by feeding a Web form thousands of carefully selected fake variable names. Because of a flaw in the way most Web application frameworks use hash tables—where variable names are stored—the right fake variable names can force searches that use up unusually large amounts of CPU resources. Pile up enough of those searches, and an attack can cripple a server.
How bad is this attack? Here is Microsoft’s security analysis, published the same day as Klink and Walde’s presentation: “This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a Web server, or even on a cluster of Web servers. For ASP.NET in particular, a single specially crafted 100kb HTTP request can consume 100 percent of one CPU core for between 90 and 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers.”
In practice, that means a single attacker with a typical home Internet connection could continuously tie up 20 CPU cores. (An attacker with a really fat connection—say, a college student who can upload at gigabit speeds—could tie up about 30,000 processors. But that’s overkill for attacking any real-world E-Commerce site.)
It’s not hard to block this type of attack, and Microsoft and other Web application framework vendors have issued patches for the vulnerability. (To their credit, Klink and Walde actually started notifying vendors of the problem two months before they made their presentation.) But it’s the thinking behind the attack that we should be worried about.
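As an added illustration, not code from this article or from any vendor's patch, the Python below shows the mechanism described above (form-field names that land in one hash bucket turn each insert into a scan of the whole chain, so the work grows with the square of the field count) alongside two defences of the kind used to close the hole: hashing field names with a secret key an outsider cannot predict, and capping the number of fields and the body size accepted per request. The counting hash table, the deliberately weak toy hash, the 1000-field and 100 KB limits, and the field names are all constructed for the demonstration.

```python
"""Added demonstration (not the article's code): why colliding form-field names
cost quadratic CPU time, and two defensive controls against it."""
import hashlib
import secrets
from urllib.parse import parse_qsl


class CountingTable:
    """A chained hash table that counts key comparisons made during inserts.

    The comparison count is a proxy for CPU time: every insert into a bucket
    must compare against each key already in that bucket's chain.
    """

    def __init__(self, hash_fn, bucket_count=1024):
        self.hash_fn = hash_fn
        self.chains = [[] for _ in range(bucket_count)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.chains[self.hash_fn(key) % len(self.chains)]
        for i, (existing, _) in enumerate(chain):
            self.comparisons += 1
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def toy_hash(key: str) -> int:
    # Constructed, deliberately weak hash for the demo: only the last character
    # matters, so every field name ending in the same letter shares one bucket.
    return ord(key[-1]) if key else 0


def make_keyed_hash(secret: bytes):
    """Return a hash function keyed with a per-process secret (BLAKE2b MAC).

    Without the key, nobody outside the process can predict which names
    collide, which removes the attacker's ability to choose colliding inputs.
    """
    def keyed(key: str) -> int:
        digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return keyed


def comparisons_for(names, hash_fn) -> int:
    """Insert every name into a fresh table and return the comparison count."""
    table = CountingTable(hash_fn)
    for name in names:
        table.insert(name, "x")
    return table.comparisons


# Constructed sample: 2000 distinct names that all end in 'a' and therefore
# all collide under toy_hash.
COLLIDING_NAMES = [f"v{i}a" for i in range(2000)]

MAX_FIELDS = 1000        # assumed cap on form fields per request
MAX_BODY_BYTES = 100 * 1024  # assumed cap on request body size


class FormTooLarge(ValueError):
    """Raised before any hash table is built, so rejection costs O(n) at most."""


def parse_form(body: str, max_fields: int = MAX_FIELDS,
               max_body: int = MAX_BODY_BYTES) -> dict:
    """Parse an application/x-www-form-urlencoded body under resource caps."""
    if len(body) > max_body:
        raise FormTooLarge(f"body of {len(body)} bytes exceeds {max_body}")
    # Counting separators is linear in the body length and happens before any
    # per-field work, so an oversized request is refused cheaply.
    if body.count("&") + 1 > max_fields:
        raise FormTooLarge(f"more than {max_fields} form fields")
    return dict(parse_qsl(body, keep_blank_values=True))


if __name__ == "__main__":
    print("toy hash, colliding names:  ", comparisons_for(COLLIDING_NAMES, toy_hash))
    print("keyed hash, same names:     ",
          comparisons_for(COLLIDING_NAMES, make_keyed_hash(secrets.token_bytes(16))))
    body = "&".join(f"{n}=1" for n in COLLIDING_NAMES)
    try:
        parse_form(body)
    except FormTooLarge as exc:
        print("rejected:", exc)
```

With the toy hash the 2000 colliding names cost 1,999,000 comparisons (0 + 1 + ... + 1999), while the keyed hash spreads the same names across buckets and needs a few thousand at most; the field-count cap refuses the request before either table is touched. Keying the hash is the fix that removes the attacker's leverage; the request caps bound the damage even where a framework's hash cannot be changed.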
Until now, E-tail sites have mostly been threatened with huge brute-force attacks. It was an arms race, and until last year, those attacks just kept getting bigger: Shortly after Black Friday 2010, several online retailers were hit with DDoS attacks that were 50 times the size of previous attacks.
But brute-force attacks can only get so big, and last year attackers started to get smarter.