One Attacker With A Single PC Can Now Bring Down A Whole Server Cluster. Got Any Unhappy Customers?

Written by Frank Hayes
January 11th, 2012

The days of the classic botnet distributed denial-of-service attack may be numbered, and that isn’t necessarily good news for retail chains. On January 6, a cyberthief-friendly programmer made public a one-line attack that could enable a single attacker to bring multiple servers to their knees. That moves DDoS out of the realm of requiring a costly botnet for a high-bandwidth mass attack—and brings it into range for a single irritated teenager.

The vulnerability that the attack uses is easily fixed. What’s really worrisome is what makes the attack practical: the new ability to target server weaknesses that have been known for years but that no one worried about.

The new security hole showed up between Christmas and New Year’s at the Chaos Communication Congress in Berlin. Researchers Alexander Klink and Julian Walde outlined a way for an attacker to chew up server CPU time by feeding a Web form thousands of carefully selected fake variable names. Because of a flaw in the way most Web application frameworks use hash tables—where variable names are stored—the right fake variable names can force searches that use up unusually large amounts of CPU resources. Pile up enough of those searches, and an attack can cripple a server.

How bad is this attack? Here is Microsoft’s security analysis, published the same day as Klink and Walde’s presentation: “This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a Web server, or even on a cluster of Web servers. For ASP.NET in particular, a single specially crafted 100kb HTTP request can consume 100 percent of one CPU core for between 90 and 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers.”

In practice, that means a single attacker with a typical home Internet connection could continuously tie up 20 CPU cores. (An attacker with a really fat connection—say, a college student who can upload at gigabit speeds—could tie up about 30,000 processors. But that’s overkill for attacking any real-world E-Commerce site.)

It’s not hard to block this type of attack, and Microsoft and other Web application framework vendors have issued patches for the vulnerability. (To their credit, Klink and Walde actually started notifying vendors of the problem two months before they made their presentation.) But it’s the thinking behind the attack that we should be worried about.
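As an added illustration (not code from this article or from any of the frameworks it describes), the following Python toy models the mechanism described above and the kind of fix the vendors shipped: a chaining hash table with a deliberately weak hash degrades to quadratic work when every submitted field name lands in one bucket, while a cap on the number of form fields per request and a randomized per-process hash take that leverage away. The byte-sum hash, the bucket count, the 1000-field cap and the sample field names are all constructed for the example.

```python
import hashlib
import itertools
import os

class ChainedTable:
    # Toy chaining hash table whose default hash is deliberately weak (sum of the
    # key's bytes), so anagrams collide. Constructed illustration, not a real hash.
    def __init__(self, buckets=1024, hasher=None):
        self.buckets = [[] for _ in range(buckets)]
        self.hasher = hasher or (lambda key: sum(key.encode()))
        self.probes = 0  # key comparisons so far: the CPU cost being tracked

    def insert(self, key, value):
        bucket = self.buckets[self.hasher(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(bucket):
            self.probes += 1  # every key already in the bucket gets compared
            if existing == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))

def keyed_hash(seed):
    # Hash keyed with a per-process secret: collisions cannot be precomputed.
    def hasher(key):
        digest = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return hasher

MAX_PARAMS = 1000  # cap on form fields per request, the other vendor fix

def parse_form(body, table):
    # Parse an x-www-form-urlencoded body into table; returns comparisons made.
    pairs = body.split("&")
    if len(pairs) > MAX_PARAMS:
        raise ValueError("too many form parameters: %d" % len(pairs))
    for pair in pairs:
        name, _, value = pair.partition("=")
        table.insert(name, value)
    return table.probes

def colliding_names(n):
    # Constructed sample: n anagrams of one 7-letter string (5040 available).
    return ["".join(p) for p in itertools.islice(itertools.permutations("abcdefg"), n)]

def compare(n=1000):
    # Comparisons for the same request under the weak and the keyed hash.
    body = "&".join("%s=1" % name for name in colliding_names(n))
    weak = parse_form(body, ChainedTable())
    keyed = parse_form(body, ChainedTable(hasher=keyed_hash(os.urandom(16))))
    return weak, keyed  # 499500 vs a few hundred for n=1000
```

With 1000 colliding names the weak table performs n(n-1)/2 = 499,500 comparisons for one request, whereas the keyed table spreads the same names across buckets and needs only a few hundred.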

Until now, E-tail sites have mostly been threatened with huge brute-force attacks. It was an arms race, and until last year, those attacks just kept getting bigger: Shortly after Black Friday 2010, several online retailers were hit with DDoS attacks that were 50 times the size of previous attacks.

But brute-force attacks can only get so big, and last year attackers started to get smarter.

