vADC Blog

Protecting Websites from Hack Attacks

by jyoung_1 on ‎11-29-2012 02:34 PM (2,656 Views)

Written by Raja Srinivasan and Jim Young on November 1, 2012

The most dreaded words a CIO or VP of IT is likely to hear today is : "Your web site has been hacked!".

In the last year, a group of hackers called “Anonymous” have been targeting web sites as a way to express their displeasure over various corporate activities from SOPA, to Government interference in commerce, to expressing displeasure over the Pope’s visit to Mexico.  Many of these attacks are targeted at commercial e-commerce web sites and government institutions like the FBI, CIA, Department of Justice etc.  While the main aim of these attacks appear to be just disabling the web site, they are also a prelude to other activities like stealing data from web site. These attacks often lead to...

  • Downtime
  • Revenue loss
  • Data loss
  • Hijacking

These attacks have also led to many copycat style attacks and are increasing day by day.  So what can an organization do to protect itself against these attacks?

If you are using Stingray Traffic Manager there are a few simple things you can do to help overcome some of these. We will now look at some of the options.

  1. SYN Flood. A good network firewall would help protect your web site from these type of attacks.
  2. Denial of Service Attacks. These are targeted attacks against specified web sites and are really good at consuming compute resources. Stingray Traffic Manager can help stop some of these attacks cold.  An example of how to use Traffic Script to stop these attacks is described below.
  3. SQL Injection Attacks. These often lead to data being stolen and used for nefarious activities. Using the Application Firewall Module with Stingray Traffic Manager can help stop these attacks.

Stopping Denial of Service Attacks:

One of the features in the Stingray Traffic Manager is service protection.  You can configure the service protection class in the Stingray catalog. Once defined, a service protection class is assigned to a virtual server. The limits specified in the service protection class are applied to each connection received by the virtual server. A service protection class allows configuration for connection limiting, access restrictions (blacklisted and whitelisted IP addresses), HTTP integrity checks and service protection rules. To help protect against attacks like the ones launched by The Anonymous Group, you can use the following setup:

a. Connection Limiting

This feature allows an administrator to configure limits on the number of connections that the traffic manager will allow from individual IP addresses. The settings are:

  • the number of simultaneous connections that will always be allowed from one IP address, even if it is in a group whose connections are being capped.
  • the maximum number of simultaneous connections that will be allowed from the same IP address.
  • the maximum number of simultaneous connections that will be allowed from the 10 busiest IP addresses. By combining this with the max_1_connections setting a site can be configured to allow individual users a greater number of connections when the site is not busy and then restrict the number of connections each user is allowed when you have more visitors.

b. Service Protection Rule

The rules are created using Stingray’s built-in TrafficScript language. You can construct a rule which examined both the raw URL and the Referer header.  By careful monitoring you can determine if the URL of traffic contained a specific string or the Referer contained a specific domain name. With just a few lines of TrafficScript you are now able to block the traffic. Sample code:


$rawurl = http.getRawURL();


if ( string.contains( $rawurl, “anonmsg=” ) ) {


log.info ( request.getRemoteIP() );


log.info ( $rawurl );


http.sendResponse( “403 Permission Denied”, “text/html”, “invalid request”, “”);


connection.discard();


}



$referer = http.getHeader ( “Referer” );


if ( string.contains( $referer, “dominioncoding.com” ) ) {


log.info ( $referer);


http.sendResponse( “403 Permission Denied”, “text/html”, “invalid request”, “”);


connection.discard();


}


Rate classes can also be used as part of the defense mechanism. Rate classes dynamically control the rate at which incoming requests are processed. Request rate shaping allows you to specify limits on a wide range of events, with very fine grained control over how events are identified.  You can impose per-second and per-minute rates on the events.

Using Stingray’s Service Protection Classes, Rate Classes, and configuring the Application Firewall Module would help you in defending your web site against attacks like those from the Anonymous Group and reduce  unexpected downtime. For more information please refer to the Stingray user guide.