Denial of Service Most Common Attack Vector in Second Half 2010

The second half of 2010 saw a steep rise in distributed denial-of-service attacks and other Web attacks that caused downtime, according to a new report from Trustwave's SpiderLabs.

Organizations were hit by more distributed denial-of-service attacks in the second half of 2010, and their applications were knocked offline because of poorly implemented defenses, according to a Web hacking report.

The number of DDoS attacks jumped 22 percent to become the most frequently used attack vector in the second half of 2010, Trustwave found in its semiannual Web Hacking Incident Database report, released March 14. DDoS attacks successfully disrupted commerce and brought down Websites and large organizations, the company found. More than 32 percent of all attacks in the second half of 2010 involved DDoS attacks, according to the report. SQL Injection was the second most popular vector, at 21 percent.

The primary goal appeared to be aimed at causing downtime, SpiderLabs, Trustwave's security research and testing group, wrote on its Anterior blog. Incidents that resulted in some kind of application downtime jumped 21 percent to account for 33 percent of all attacks, the report found. Defacement and leakage of information were the second and third most popular outcomes.

"This is mainly a result of ideological hacking efforts utilizing distributed denial of service (DDoS) attacks as part of the Anonymous Group versus Anti-Piracy and WikiLeaks events," wrote Ryan Barnett, the principal investigator on the report. The incidents include the attacks on PayPal and MasterCard, according to the report.

The report analyzed top outcomes, attack methods and weaknesses for vertical markets. When broken down by vertical, SQL injection attacks remained popular against government agencies and retail organizations. About 24 percent of all attacks against government agencies and 27 percent of incidents in retail were SQL injection, the report found. The two sectors shared the most-exploited application weakness: improper input handling within the application. The most common outcome of an attack on a government agency was defacement, while attacks on retail were more likely to result in stolen credit card numbers.

In contrast, the most common attack method against financial services was stolen credentials, at 36 percent. Applications either lacked built-in authentication or had too little of it, the report found. The financial sector suffered financial losses in 64 percent of the attacks.

"Cyber-criminals never stop trying to exploit Web applications," said Nicholas J. Percoco, senior vice president and head of SpiderLabs.

Most businesses "wrongly assume" that network hardware will stop DDoS attacks, or believe their Website will not be targeted, Trustwave found. The increase in the number of attacks in 2010 "proves" that organizations, regardless of size, need to test their applications to understand how they would fare under attack, the report said.

Besides testing how their sites hold up under automated brute-force and DoS attacks, businesses need to test them for cross-site scripting flaws and verify that input handling does not allow SQL injection, according to Barnett. Applications need strong authentication processes and sufficient authorization rules, and they need to be configured correctly, he said. Other top tactics included CSRF, domain name hijacking, click fraud, and brute-force attacks to crack passwords, he said.
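The input-handling check Barnett recommends comes down to whether a query treats user-supplied text as data or as SQL. The following is an added illustration, not code from the report or from Trustwave: a string-concatenated lookup beside a parameterized one, run against a constructed in-memory SQLite table, with a small self-check that a test harness could use to confirm the safe path does not widen the query. The table, user names and helper names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the demonstration (not real accounts).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("o'brien", "obrien@example.test"),  # a legitimate name containing a quote
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Improper input handling: the user's text is spliced into the SQL string.
    A quote in the input becomes part of the query syntax, so a crafted value
    can change the WHERE clause, and an honest name like o'brien breaks the query."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Parameterized query: the driver passes the value separately from the SQL,
    so the input is only ever compared as data, quotes included."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def injection_resistant(conn: sqlite3.Connection, lookup) -> bool:
    """Minimal self-check of the kind a site test might run: a value that is not
    a real username must return no rows and must not raise a syntax error.
    Returns True only when the lookup treats the probe purely as data."""
    probe = "x' OR '1'='1"  # no such username exists in the table
    try:
        rows = lookup(conn, probe)
    except sqlite3.Error:
        # A database error on odd input is itself a sign the input reached the parser.
        return False
    return rows == []


if __name__ == "__main__":
    conn = make_db()
    print("safe, alice:", lookup_safe(conn, "alice"))
    print("safe, o'brien:", lookup_safe(conn, "o'brien"))
    print("unsafe resistant?", injection_resistant(conn, lookup_unsafe))
    print("safe resistant?", injection_resistant(conn, lookup_safe))
```

The point of the contrast is the third sample row: the parameterized version returns `o'brien` correctly, while the concatenated version fails on the same honest input before an attacker ever shows up. Escaping quotes by hand is not the fix; passing values as parameters is.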

The WHID is a database of Web application-related security incidents and the business impact of those attacks. The latest report analyzed data from 75 incidents reported between July 2010 and December 2010. To be included in WHID, an incident must be publicly reported, be associated with Web application security vulnerabilities and have an identified outcome, Trustwave said.