House of Fusion
Mailing list: ColdFusion Linux (CF-Linux)

SQL injection attacks getting out of control

Author:
Terry Ford
08/08/2008 12:05 PM

Our server has now logged 51,000 attack requests in the last 4 hours. 160,000 attacks in the past 24 hours. I suspect we are getting hit so hard because we have hundreds of thousands of pages in Google. In short, these attacks are starting to grow very quickly in intensity.

We are redirecting them away from CF with mod_rewrite, so CURRENTLY there is no major problem. My concern is what we are to do if these attacks keep growing at the current rate, and we end up taking in MILLIONS of requests an hour a day or two from now.

Does anyone know of any solution? Our ISP has a firewall product (Cisco ASA firewall), but it deals on the packet level only. It has no visibility into URLs, so we have no way right now to filter traffic based on URL parameters. Any ideas on what we are to do should things continue to worsen?

Author:
Mike Chytracek
08/08/2008 12:10 PM

That's exactly what we are doing with URL re-writing. Outside of an IDS system I'm not sure what else you can do. Unfortunately ISPs won't step up and filter this type of traffic.

Mike

----- Excess quoted text cut - see Original Post for more -----

Author:
Jerry Johnson
08/08/2008 12:12 PM

Buy stock in fiber optic production companies? (Sorry, no intelligent answer comes to mind)

> Our server has now logged 51,000 attack requests in the last 4 hours.
>
> 160,000 attacks in the past 24 hours.
> ...
> Any ideas on what we are to do should things continue to worsen?

Author:
Cary Gordon
08/08/2008 12:13 PM

My approach would be to filter urls longer than the longest legitimate URL before they got to my servers. My weapon of choice would be a Squid reverse proxy.

--
Cary Gordon
The Cherry Hill Company
http://chillco.com

On Aug 8, 2008, at 9:00 AM, Terry Ford wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Wil Genovese
08/08/2008 12:15 PM

What is your rewrite rule? I'm ok with mod_rewrite, but no expert, that's for sure.

Wil Genovese

One man with courage makes a majority. -Andrew Jackson
A fine is a tax for doing wrong. A tax is a fine for doing well.

Author:
Mike Chytracek
08/08/2008 12:34 PM

From our ISAPI_Rewrite. Should be pretty close to mod_rewrite.

# Helicon ISAPI_Rewrite configuration file
# Version 3.1.0.54
RewriteEngine On
RewriteCompatibility2 On
RepeatLimit 20
RewriteBase
# unsupported directive: [ISAPI_Rewrite]
# CacheClockRate 300
RewriteRule ^.*DECLARE%20.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*NVARCHAR.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*sp_password.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*%20xp_.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*EXEC\(@.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*%20@.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^METHOD$ OPTIONS

> What is your rewrite rule? I'm ok with mod_rewrite, but no expert, that's for sure.
----- Excess quoted text cut - see Original Post for more -----

Author:
Terry Ford
08/08/2008 01:25 PM

Ok... here's what appears to be hitting us:
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

I decoded the hex in the attack strings I'm seeing right now, and most of them are pointing to http://sdo.1000mg.cn/csrss/w.js. That is the Asprox botnet, which went through ASP sites a few months ago... looks like they recruited a bunch of drones, and those drones have moved from ASP (verynx attacks) to attack CF. Pretty ingenious really, infecting websites via injection attack in order to infect clients with browser vulnerabilities.

The more CF sites that get infected, the more drones that are recruited, and the more persistent the attacks become.

In theory this should taper off as the botnet moves on to their next target. Looks like it's hitting sites such as houseoffusion and our site hardest, which each have zillions of pages indexed in Google (the botnet chooses target pages from Google searches).

Whatever the case, from what I've seen on CF-talk it appears that these attacks infected a lot of CF servers, and as such we're likely going to be targeted hard in all manners of attacks in the future. Looks like a good lesson against CF sloppiness.

p.s. we're up to 62000 attack attempts now in 5 hours. Still accelerating, but thankfully not exponential.

Here's the rewrite I'm using. Am no mod_rewrite expert, but it appears to be working:

RewriteCond %{QUERY_STRING} .*DECLARE.*
RewriteRule ^(.*)$  violation.htm [nc,L]

Interesting philosophical thought: I can't help but believe that the URL rewriting we do over much of our site (product.cfm?id=14 appearing as /product/14.html etc etc) has helped reduce the attacks significantly. It seems to me that such URL rewriting is actually a very important security tool, as we enter a period where botnets start targeting .cfm pages. I plan on increasing our CFM obfuscation over the coming weeks to help hide CF from the search engines and automated attacks.

Seems to me that it's a lot safer presenting your entire site as HTML to the outside world.

Regards
Terry

--- On Fri, 8/8/08, Wil Genovese <juggler@visi.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
Mike Chytracek
08/08/2008 01:37 PM

You are going to want to do more than filter on DECLARE. The ones below are common to the SQL injections we've seen. We also are looking at the entire URL rather than just the query string, but it's up to you. You can even add one in for "CAST(" if you want. It conflicts with some things we are doing so we left it out.

RewriteRule ^.*DECLARE%20.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*NVARCHAR.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*sp_password.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*%20xp_.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*EXEC\(@.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*%20@.*$ http://www.cybercrime.gov/ [NC]

> Here's the rewrite I'm using. Am no mod_rewrite expert, but it appears to be working:
>
> RewriteCond %{QUERY_STRING} .*DECLARE.*
> RewriteRule ^(.*)$  violation.htm [nc,L]

Mike Chytracek
Managing Partner
Ignite Solutions
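Added example, not code from this thread: a small Python scanner that applies the same signatures as the rewrite rules above (case-insensitively, like their [NC] flag, plus the "CAST(" one Mike mentions) to Apache access-log lines, decodes any 0x-hex literal in the query string the way the article Terry linked describes, and counts hits per hour so you can watch the growth rate Terry is worried about. The log lines, IP addresses and payload text are constructed; example.invalid stands in for the script host.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Signatures taken from the rewrite rules in this thread, matched case-insensitively; "CAST(" added.
SIGNATURES = re.compile(r"DECLARE\s|NVARCHAR|sp_password|\sxp_|EXEC\(@|\s@|CAST\(", re.I)
HEX_BLOB = re.compile(r"0x([0-9a-f]{16,})", re.I)
URL_IN_PAYLOAD = re.compile(r"https?://[^\s'\"<>]+", re.I)
# Apache combined-log prefix: client IP, timestamp down to the hour, request target.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[(\d+/\w+/\d+:\d+)[^\]]*\] "(?:GET|POST) (\S+)')
# Constructed sample data: hypothetical IPs, a placeholder payload encoded as UTF-16LE like an NVARCHAR literal.
HEX_PAYLOAD = "placeholder payload pointing at http://example.invalid/w.js".encode("utf-16-le").hex()
SAMPLE_LOG = [
    '10.0.0.1 - - [08/Aug/2008:09:15:02 -0500] "GET /product.cfm?id=14 HTTP/1.1" 200 5120',
    '10.0.0.2 - - [08/Aug/2008:09:15:09 -0500] "GET /product.cfm?id=14;DECLARE%20@S%20NVARCHAR(4000);'
    'SET%20@S=CAST(0x' + HEX_PAYLOAD + '%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1" 302 0',
    '10.0.0.3 - - [08/Aug/2008:10:02:41 -0500] "GET /product.cfm?id=9;declare%20@s%20varchar(4000); HTTP/1.1" 302 0',
    '10.0.0.4 - - [08/Aug/2008:10:30:00 -0500] "GET /about.cfm HTTP/1.1" 200 3301',
]

def decode_hex_blob(hexstr):
    """Turn a 0x... literal back into text: UTF-16LE if every other byte is NUL, else Latin-1."""
    raw = bytes.fromhex(hexstr[:len(hexstr) & ~1])
    if len(raw) >= 4 and raw[1] == 0 and raw[3] == 0:
        return raw.decode("utf-16-le", "replace")
    return raw.decode("latin-1")

def analyze(line):
    """Return (ip, hour, script_urls) when a log line matches a signature, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, hour, target = m.groups()
    decoded = unquote(target)  # %20 -> space, so 'DECLARE%20' and 'DECLARE ' are the same thing
    if not SIGNATURES.search(decoded):
        return None
    urls = set()
    for blob in HEX_BLOB.findall(decoded):
        urls.update(URL_IN_PAYLOAD.findall(decode_hex_blob(blob)))
    return ip, hour, sorted(urls)

def summarize(lines):
    """Attack hits per hour (to watch the growth rate) plus every URL the payloads reference."""
    per_hour, urls = Counter(), set()
    for line in lines:
        hit = analyze(line)
        if hit:
            per_hour[hit[1]] += 1
            urls.update(hit[2])
    return per_hour, sorted(urls)
```

Run `summarize()` over a real access log and diff the per-hour counts against the previous run; the decoded URLs are the values to block at the proxy or feed to whoever does the takedown.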

Author:
Rick Faircloth
08/08/2008 01:48 PM

> RewriteCond %{QUERY_STRING} .*DECLARE.*
> RewriteRule ^(.*)$  violation.htm [nc,L]

Ok, that looks short and simple enough that maybe I can handle it with 156 emails from the list. I have never used any mod_rewrites or whatever, so I guess I should put these on my VPS running MySQL and IIS6? If so, is there a simple explanation of how to do it? Oh wait, this came from the cf-linux list. The mod is a linux deal only, right?

You guys have got me worried...

Rick

----- Excess quoted text cut - see Original Post for more -----

Author:
Ryan Stille
08/11/2008 11:24 AM

Rick, I believe this current wave of attacks is only targeting MS SQL Server. You mention you are using MySQL, so *this* particular attack should be of no concern to you.

-Ryan

Rick Faircloth wrote:
----- Excess quoted text cut - see Original Post for more -----

Author:
mac jordan
08/11/2008 11:36 AM

> Rick, I believe this current wave of attacks is only targeting MS SQL
> Server.  You mention you are using MySQL, so *this* particular attack
> should be of no concern to you.

What gives you that idea? We run CF on Linux/Apache with mySQL, and we've been under attack since Thursday, although thankfully it is easing now.

--
mac jordan
www.webhorus.net | www.reactivecooking.com | www.nibblous.com | www.jordan-cats.org

Author:
Ryan Stille
08/11/2008 11:55 AM

mac jordan wrote:
----- Excess quoted text cut - see Original Post for more -----

Maybe 'targeting' was not the word to use. The attack is coded to create an MS SQL stored procedure and execute it. The SP goes through some SQL Server specific system tables, and alters the data in them. MySQL users are not vulnerable to this attack.

-Ryan

Author:
Rick Faircloth
08/11/2008 12:20 PM

Whew! That's a relief! Thanks for the confirmation and explanation, Ryan!

Rick

----- Excess quoted text cut - see Original Post for more -----

Author:
Wil Genovese
08/11/2008 12:41 PM

MySQL and PostgreSQL users may not suffer from the DB portion of the attack, however if their sites are hit hard enough with the attack it can and in some cases did act as a DDOS attack.

Wil

On Mon, Aug 11, 2008 at 11:16 AM, Rick Faircloth <Rick@whitestonemedia.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
