Websites Need to Guard Against More Vulnerabilities Than Just DDoS

Distributed denial-of-service attacks continue to hammer Websites, but software vulnerabilities and poor passwords continue to be the biggest worries.

Web Site Threats 2

Studies have shown that denial-of-service attacks on Websites continue to increase in numbers and volume—doubling in the past year. Yet, weak passwords and vulnerabilities in common Website software continue to be the most significant attack vectors, according to security experts.

Web administrators who lack knowledge about Web security, or just the time to attend to security, leave their sites open to attack by default. Weak passwords and misconfigurations are very common, and software vulnerabilities are difficult to track and fix, according to Tony Perez, CEO of Web security firm Sucuri.

While the OpenSSL Heartbleed vulnerability, for example, is more than a year old, most Websites have not taken the necessary step to prevent abuse of compromised digital certificates. In a more recent case, e-commerce provider Magento patched its popular software in February, but two months later still half of all installations continued to be vulnerable.

"It is almost impossible for developers to keep up with vulnerabilities," Perez said. "They are trying to run their site, and trying to keep track of all the patches and applying them is difficult."

Typically, 2 to 5 percent of sites show signs of a compromise, according Sucuri's Website scanning data. While the reported infection rates could be high—because administrators who scan their sites may already suspect a compromise—even a single percent would mean that more than 9 million sites are infected.

The trend is not surprising. Three years ago, attackers began to focus on Web servers, eschewing home PCs, to power the botnets. Web servers typically have more bandwidth than the average home Internet connection, making a compromised server a valuable commodity for attackers. In 2013, for example, researchers discovered a botnet that used simple password guessing—attempting 10 to 100 passwords per site—to compromise more than 6,000 hosts. Researchers at both Sucuri and Akamai's Prolexic have found botnets constructed of thousands of Websites that are used to flood victims' networks.

Because of its popularity, the WordPress content management system—and its plug-ins and themes—is a popular target. WordPress accounts for 24 percent of all Websites, according to W3Techs. While researchers and security-savvy developers who find WordPress flaws disclose them with the intent of speeding the patching of security issues, often their research is used by attackers before Website administrators can patch their systems, Mark Maunder, CEO of WordPress security firm Wordfence, told eWEEK.

"Every single time a useful vulnerability is disclosed, sites are being hacked," he said. "It's the mom-and-pop retail businesses that have not signed into their Website for a week who are going to be hurt by these disclosures."

While vulnerabilities and poor passwords do more to undermine Website security, distributed denial-of-service (DDoS) attacks have become increasingly common. The increase in denial-of-service attacks is driven by two trends that are making it much easier for would-be attacker to flood targeted sites with data. Easy-to-exploit attack vectors, such as amplification attacks, and underground services, such as botnets for hire, make creating the attacks much simpler, experts said.

Amplification attacks, for example, turn a moderate packet stream into a much larger attack, inundating targets with garbage data. Originally, attackers abused the Domain Name System (DNS) system to amplify and redirect, but miscreants have increasingly turned to other protocols: The Network Time Protocol (NTP) became popular in 2013 and, most recently, the Simple Service Discovery Protocol (SSDP).

Home and small-office routers use SSDP to allow Universal Plug & Play (UPnP) devices to configure themselves. Attacks using SSDP account for 20 percent of all denial-of-service attacks, according to Akamai's Q1 2015 State of the Internet - Security Report.

"A lot of home systems are contributing to these attacks," Eric Kobrin, director of information security at Akamai, told eWEEK in a recent interview.

Meanwhile, more than 40 percent of all network-layer attacks—the data floods that try to overwhelm network connections—use a botnet for hire, according to Web security provider Incapsula's Q2 Global Threat Landscape report. Such botnets allow any would-be attacker to rent out a stable of compromised computers, and Incapsula found the average price to be $38 per hour.

The number of denial-of-service attacks have gradually increased, doubling in the last year, while—at the same time—the attacks typically last a shorter amount of time, according to Akamai. Yet, Incapsula found that 20 percent of attacks last more than five days.

Trying to block such attacks by the origin of the packets is futile. In the first half of the year, the majority of traffic came from computers in just five countries, but they were far-flung nations on three continents: China, Vietnam, the United States, Brazil and Thailand, according to Incapsula.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...