Attacks/Breaches
9/20/2011 09:52 AM

8 Techniques To Block SQL Attacks

SQL injection attacks hit Web applications 71 times per hour on average, but can peak at 1,300 unique attacks per hour or more. Consider this security advice to stop SQL attacks.

On average, Web applications see 71 attempted SQL injection attacks per hour. But during attack peaks, Web applications can see 1,300 unique attacks per hour.

Those findings come from security vendor Imperva, which on Monday released new research into SQL injection attacks. For its study, Imperva said it monitored 30 different Web applications--all of them real, of varying size, and used across different industries--during the past nine months. In that timeframe, Imperva saw the number of daily SQL injection attacks launched against Web applications increase by an average of 34%.

Attacks against Web applications, unfortunately, were already quite effective. Since 2005, Web attacks have accounted for 83% of successful hacking-related data breaches, according to Privacy Rights Clearinghouse. The reason is simple: Most Web applications have vulnerabilities that can be easily exploited by attackers.

The availability of automated penetration testing tools eases the work. Just on the SQL injection front, for example, open source Sqlmap can launch five different types of SQL injection attacks. Also popular--and used by LulzSec, among others--is Havij, an automated Windows SQL injection tool distributed by Iranian security company ITSecTeam. Both tools can fingerprint (identify) individual databases, retrieve username and password hashes, dump columns and tables, run SQL, and sometimes even execute commands via the database server operating system.

With such tools in circulation, and Web application vulnerabilities at large, what can businesses do to better safeguard themselves? When it comes to stopping SQL injection attacks, start with these pieces of advice:

1. Blacklist malicious hosts. Nearly one-quarter of SQL injection attacks seen by Imperva in July, 2011 came from just three hosts. Furthermore, half of the top 10 hosts that launched SQL attacks generated up to 2,000 attacks over a period of between one and seven days, and 30 more hosts generated at least 100 attacks over a 48-hour period. All of this means that the most dangerous hosts can be identified, and then blacklisted against database access.

2. Pool resources. Businesses that share intelligence on SQL injection attacks could have a better picture of which hosts were launching such attacks. That said, according to Imperva, "the update rate of the blacklist must be high in order to keep up with new threats," because on average hosts only remain active for half a day.

3. Minimize access. Restrict the data that any given Web application can retrieve from a database. Never allow admin-level access to a database from a Web application.

4. Encrypt data. Never store data in plain text format. Rather, encrypt data, and at least salt and hash passwords, so that if attackers do manage to dump your database, they'll extract fewer pieces of high-value information.

5. Distrust users. "All input is evil." That's one essential Web application security mantra, according to Microsoft. What it means is that in an ideal scenario, Web application developers would only allow the inputs that they expect to receive, and would block all others.
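To make "only allow the inputs that they expect to receive" concrete, here is an added example (not code from the article or from Microsoft) that puts a deliberately unsafe string-built query beside the hardened version. The hardened lookup applies two independent layers: an allowlist that rejects any username outside the expected character set, and a parameterized query so the value is bound as data and never parsed as SQL. The table, sample rows and username policy are constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple

# Assumed username policy for this example: only what the application expects.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Deliberately unsafe: user input is concatenated straight into the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameter binding alone: the driver sends the value as data, not as SQL."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Allowlist first, then parameterized query: reject the unexpected, bind the rest."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by input allowlist")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    conn = setup_db()
    # A constructed hostile value that turns the WHERE clause into a tautology.
    hostile = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, hostile))      # returns every row
    print("parameterized:", lookup_parameterized(conn, hostile))  # returns []
    try:
        lookup_safe(conn, hostile)
    except ValueError as exc:
        print("safe:", exc)                                      # rejected before the DB
    print("safe:", lookup_safe(conn, "alice"))
```

The allowlist is the "block all others" half of the advice; the parameterized query is the defence that still holds when a field legitimately has to accept quotes or other punctuation and an allowlist cannot be that strict.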

6. Profile applications. Understand normal Web application behavior, so you can quickly identify when the application is behaving abnormally, such as attempting to execute many more database lookups than normal, or using unusual inputs.

7. Normalize inputs. Normalize database inputs--"to avoid evasion attempts," said Imperva--then compare them against a database of known-bad inputs, to spot in-progress attacks.

8. Watch for automation. Since most SQL injection attacks are launched using automated tools, watch for indications of this technique. According to Imperva, "various mechanisms exist to detect usage of automatic clients, like rate-based policies and enforcement of valid client response to challenges."
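Items 1, 6, 7 and 8 together describe one detection pipeline: normalize each input, compare it against known-bad patterns, keep a per-host count and request rate, and blacklist or flag hosts that cross a threshold. The following added example (written for this page, not Imperva's code) runs that pipeline over a handful of constructed access-log lines. The log format, the small known-bad pattern list and both thresholds are assumptions for the example; a production list would be far larger and thresholds would come from the application's profiled baseline.

```python
import re
from collections import defaultdict
from typing import Dict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample log (not real traffic): "unix_second client_host method target".
# 203.0.113.5 browses normally; 198.51.100.9 sends several encoded SQL fragments in one second.
SAMPLE_LOG = """\
1000 203.0.113.5 GET /item?id=42
1001 203.0.113.5 GET /item?id=43
1002 198.51.100.9 GET /item?id=1%27%20OR%20%271%27%3D%271
1002 198.51.100.9 GET /item?id=1%20UNION%20SELECT%20null
1002 198.51.100.9 GET /item?id=1%27%20--
1003 198.51.100.9 GET /item?id=1%2F**%2FUNION%2F**%2FSELECT%201
1003 198.51.100.9 GET /item?id=2
1004 203.0.113.5 GET /item?id=44
"""

# Assumed known-bad patterns; matched against the normalized form only.
KNOWN_BAD = [re.compile(p) for p in (
    r"\bunion\b\s+\bselect\b",  # UNION SELECT
    r"'\s*or\s*'",              # ' OR '
    r"--",                      # SQL line comment used to truncate a statement
)]


def normalize(value: str) -> str:
    """Undo (double) URL-encoding, strip inline comments, collapse whitespace, lowercase.

    Evasion attempts such as %2527 or UNION/**/SELECT collapse to the plain form.
    """
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


def is_known_bad(value: str) -> bool:
    normalized = normalize(value)
    return any(pattern.search(normalized) for pattern in KNOWN_BAD)


def analyze(log_text: str, attack_threshold: int = 3, rate_threshold: int = 3) -> Dict[str, dict]:
    """Per-host attack count and peak requests/second, with blacklist and automation flags."""
    attacks = defaultdict(int)
    hits = defaultdict(lambda: defaultdict(int))  # host -> second -> requests
    for line in log_text.splitlines():
        second, host, _method, target = line.split()
        hits[host][second] += 1
        for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if is_known_bad(value):
                attacks[host] += 1
                break  # one attack per request, however many parameters matched
    report = {}
    for host, by_second in hits.items():
        peak = max(by_second.values())
        report[host] = {
            "attacks": attacks[host],
            "peak_rps": peak,
            "blacklist": attacks[host] >= attack_threshold,   # item 1
            "automated": peak >= rate_threshold,              # item 8, rate-based policy
        }
    return report


if __name__ == "__main__":
    for host, facts in analyze(SAMPLE_LOG).items():
        print(host, facts)
```

Because hosts stay active for only about half a day on average (item 2), a blacklist produced this way is only useful if it is regenerated continuously; the analysis above is meant to run over a sliding window, not once.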

The above techniques will help IT teams block SQL injection attacks. They won't stop every last Web application attack, but given the prevalence of vulnerabilities in those applications, as well as attackers' ability to successfully exploit the flaws, businesses can use all of the help that they can get.
