This is page 2 of:
One Attacker With A Single PC Can Now Bring Down A Whole Server Cluster. Got Any Unhappy Customers?
But brute-force attacks can only get so big, and last year attackers started to get smarter. They began to go after online gambling sites with attacks that targeted routers instead of Web servers. Those attacks are harder and more costly to defend against—and relatively cheaper for an attacker to launch.
Brute-force attacks require hiring botnets. That’s expensive for attackers. But the more damage an attack can do with each packet, the more cost-effective it is. Really smart attacks—like this hash-table attack—give attackers a huge bang for their buck.
Those smart attacks are also appealing to serious attackers for other reasons. At this point, data-center defenders understand botnet attacks. They can buy appliances specifically designed to filter out the problem packets. Punching through that armor is even more expensive for the bad guys. Attacks that are smarter and more targeted, on the other hand, hit E-Commerce sites where their defenses aren’t.
And although there are limited ways of marshaling botnets for a mass attack, there may be an almost endless supply of vulnerabilities like the hash-table problem that can be exploited.
And for E-tailers, that’s a problem, because so much of their online application infrastructure is a black box provided by Microsoft, IBM, Oracle or some other application framework vendor. They assume it will work, and that the vendors have built the framework so it won’t fall over under attack.
As this hash-table problem shows, that’s just not always the case. This vulnerability has been around for years. It just didn’t seem to matter, because calculating enough of the right fake variable names to launch an attack was just too much trouble for most bad guys. There were easier ways of attacking. And because it was a low-probability threat, app-framework vendors didn’t give it a lot of thought.
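The attack the article describes works by sending a request whose parameter names all land in the same hash-table bucket, so each insert degenerates from constant time to a scan of everything already stored. The two defenses framework vendors shipped for it are a hard cap on the number of request variables and a per-process secret key in the hash function, so the bucket a name lands in cannot be computed ahead of time. The example below is added here and is not code from the article or from any of the vendors it names; the limits, the `KeyedTable` class, the `parse_query` function and the sample query strings are assumptions constructed for illustration.

```python
import hashlib
import secrets
from urllib.parse import unquote_plus

# Hypothetical limits for this example (real frameworks expose equivalents,
# such as a maximum number of request variables).
MAX_PARAMS = 1000
MAX_NAME_LEN = 256


class ParameterLimitExceeded(ValueError):
    """Raised when a request exceeds the parameter count or name-length cap."""


class KeyedTable:
    """Chained hash table whose bucket index comes from a keyed hash.

    The secret is chosen when the process starts, so the bucket an
    attacker-chosen name lands in cannot be predicted offline, which is
    what a collision-flooding request relies on.
    """

    def __init__(self, nbuckets=256, secret=None):
        self.nbuckets = nbuckets
        self.secret = secret if secret is not None else secrets.token_bytes(16)
        self.buckets = [[] for _ in range(nbuckets)]

    def _index(self, name):
        # BLAKE2b in keyed mode; 8 bytes of digest is plenty for a bucket index.
        digest = hashlib.blake2b(name.encode(), key=self.secret, digest_size=8).digest()
        return int.from_bytes(digest, "big") % self.nbuckets

    def put(self, name, value):
        bucket = self.buckets[self._index(name)]
        for i, (k, _) in enumerate(bucket):
            if k == name:
                bucket[i] = (name, value)  # last duplicate wins
                return
        bucket.append((name, value))

    def get(self, name, default=None):
        for k, v in self.buckets[self._index(name)]:
            if k == name:
                return v
        return default

    def longest_chain(self):
        """Length of the longest bucket: the figure a defender would monitor."""
        return max(len(b) for b in self.buckets)


def parse_query(query, max_params=MAX_PARAMS, max_name_len=MAX_NAME_LEN, secret=None):
    """Parse an application/x-www-form-urlencoded string into a KeyedTable.

    The request is rejected as soon as the parameter count or a name length
    passes the cap, before any further hashing is done, so the work the
    server performs stays bounded no matter how the names were chosen.
    """
    table = KeyedTable(secret=secret)
    count = 0
    for pair in query.split("&"):
        if not pair:
            continue
        count += 1
        if count > max_params:
            raise ParameterLimitExceeded(f"more than {max_params} parameters")
        name, _, value = pair.partition("=")
        name = unquote_plus(name)
        if len(name) > max_name_len:
            raise ParameterLimitExceeded(f"parameter name longer than {max_name_len}")
        table.put(name, unquote_plus(value))
    return table


if __name__ == "__main__":
    # Constructed sample input, not captured traffic.
    t = parse_query("user=alice&item=42&item=43&note=hello+world")
    print(t.get("user"), t.get("item"), t.get("note"), "longest chain:", t.longest_chain())
    try:
        parse_query("&".join(f"p{i}=x" for i in range(2000)))
    except ParameterLimitExceeded as exc:
        print("rejected:", exc)
```

The count check runs before anything is inserted for the offending parameter, which is the point: an oversized request is refused at fixed cost rather than parsed and then discarded. The keyed hash only closes the precomputation route; the cap is what bounds the damage if the secret ever leaks or the hash turns out to be weaker than expected.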
Now they have to—and none of them can say for sure how many other low-probability risks they’ve been ignoring for years.
And that’s just the threat from criminals who are in it for the money. What’s much worse in some ways for E-tailers is the fact that really smart attacks make it possible for small groups of script kiddies to go after big targets. Even one disgruntled teenager can make a good run at a major chain.
That means instead of an arms race, network security teams may be facing the equivalent of DDoS guerrilla warfare. And instead of defense against big, infrequent attacks, the successful strategy will be quick action against an endless stream of newly discovered vulnerabilities.