by Michael Cobb
Risks and threats to your Web site
Web site attacks fall into two broad categories. Some threats affect the accessibility and reliability of a site, and are classified as denial-of-service (DoS) incidents. Other threats work against the content and data of a site, as intruders try to steal, modify, delete or leave something on a site. Such incidents are most commonly called cracking incidents. Two threats of particular concern are distributed denial-of-service attacks and worms.
Distributed denial-of-service (DDoS)
DDoS attacks are based on a single user controlling hundreds, if not thousands, of compromised systems remotely coordinated to execute attacks against a victim or victims. The more systems compromised, the more powerful the DDoS attack. It is extremely difficult to defend against and identify the source of such attacks. Worms are often used to initiate a DDoS attack.
Worms at war on Windows
Most current system compromises appear to be based on worm activity. Worms are automated probes that identify and exploit vulnerable systems, exponentially replicating themselves.
The most dangerous type of worm is an Internet Relay Chat (IRC) bot - short for robot. A bot is network worm whose payload runs continuously in the background, providing backdoor access to the compromised computer through IRC channels. Bots start up an IRC client, connect to a specified IRC server, which has probably been set up on a shell account and paid for with a stolen credit card, and wait there for further commands, allowing the attacker to remotely control it. By combining multiple bots, an attacker can create what is called a botnet. By leveraging the power of even a relatively small botnet, an effective distributed denial-of-service attack can easily be launched.
One of the best-known bots is W32/Agobot-RJ. There are over 500 different versions of Agobot, partly because the source code is available under the GNU General Public License - another example of hacker cooperation. Also recent worms have illustrated the ability of malicious code writers to rapidly upgrade bot networks to take advantage of new exploits.
What needs protecting?
Having looked at the enemy and the risks of running a Web site, I want to look at the four key resources that need protection. Each of these resources are looked at in further detail in other parts of Web Security School.
This is an obvious place to start, but often times servers are not stored in secure locations. Concentrating on the technical security measures is pointless if the server can be compromised by anyone with physical access to it. Every piece of equipment attached to the server, such as routers, network cables and firewalls, needs to be protected in the same manner as the server.
Every service running on the server needs to be understood and protected. Each service means more open ports and more potential holes. If possible, the Web server should be a single-function server. Under no circumstances should a system running Microsoft IIS also be a network domain controller. A domain controller manages the account security of your entire Windows networking domain. I look at how to protect your server and its services in the Lesson 1 webcast, Insider's guide to Web server security, and Lesson 2 webcast, Web attacks and how to defeat them.
A Web site's content should be delivered without compromising the server's security. Remember that your Web site's content is what most attackers are actually after. Lack of attention given to securing Web content often undoes a lot of the security measures in place elsewhere. The Lesson 3 webcast, Locking down your Web applications, deals with this issue in depth.
Security strategies conventionally focus on the network perimeter. However, you can expect to see an increase in attacks via desktops, making the security of client-side systems increasingly important. Attackers will continue to exploit the vulnerabilities in client-side software code in an attempt to find new angles of attack against Internet-based systems. The growing trend towards social engineering, and strategies such as phishing and spyware are increasing the need for security awareness amongst staff. The Lesson 3 webcast also includes security guidelines for internal workstations. (All three lesson webcasts are available for viewing on-demand.)
This was first published in June 2005