    Websites Need to Guard Against More Vulnerabilities Than Just DDoS

    By
    Robert Lemos
    -
    June 19, 2015

      Studies have shown that denial-of-service attacks on Websites continue to increase in numbers and volume—doubling in the past year. Yet, weak passwords and vulnerabilities in common Website software continue to be the most significant attack vectors, according to security experts.

      Web administrators who lack knowledge about Web security, or just the time to attend to security, leave their sites open to attack by default. Weak passwords and misconfigurations are very common, and software vulnerabilities are difficult to track and fix, according to Tony Perez, CEO of Web security firm Sucuri.

      While the OpenSSL Heartbleed vulnerability, for example, is more than a year old, most Websites have not taken the necessary step to prevent abuse of compromised digital certificates. In a more recent case, e-commerce provider Magento patched its popular software in February, but two months later, half of all installations were still vulnerable.

      “It is almost impossible for developers to keep up with vulnerabilities,” Perez said. “They are trying to run their site, and trying to keep track of all the patches and applying them is difficult.”

      Typically, 2 to 5 percent of sites show signs of a compromise, according to Sucuri’s Website scanning data. While the reported infection rates could be high—because administrators who scan their sites may already suspect a compromise—even a single percent would mean that more than 9 million sites are infected.

      The trend is not surprising. Three years ago, attackers began to focus on Web servers, eschewing home PCs, to power the botnets. Web servers typically have more bandwidth than the average home Internet connection, making a compromised server a valuable commodity for attackers. In 2013, for example, researchers discovered a botnet that used simple password guessing—attempting 10 to 100 passwords per site—to compromise more than 6,000 hosts. Researchers at both Sucuri and Akamai’s Prolexic have found botnets constructed of thousands of Websites that are used to flood victims’ networks.

      Because of its popularity, the WordPress content management system—and its plug-ins and themes—is a popular target. WordPress accounts for 24 percent of all Websites, according to W3Techs. While researchers and security-savvy developers who find WordPress flaws disclose them with the intent of speeding the patching of security issues, often their research is used by attackers before Website administrators can patch their systems, Mark Maunder, CEO of WordPress security firm Wordfence, told eWEEK.

      “Every single time a useful vulnerability is disclosed, sites are being hacked,” he said. “It’s the mom-and-pop retail businesses that have not signed into their Website for a week who are going to be hurt by these disclosures.”

      While vulnerabilities and poor passwords do more to undermine Website security, distributed denial-of-service (DDoS) attacks have become increasingly common. The increase in denial-of-service attacks is driven by two trends that are making it much easier for would-be attackers to flood targeted sites with data. Easy-to-exploit attack vectors, such as amplification attacks, and underground services, such as botnets for hire, make creating the attacks much simpler, experts said.

      Amplification attacks, for example, turn a moderate packet stream into a much larger attack, inundating targets with garbage data. Originally, attackers abused the Domain Name System (DNS) to amplify and redirect, but miscreants have increasingly turned to other protocols: The Network Time Protocol (NTP) became popular in 2013 and, most recently, the Simple Service Discovery Protocol (SSDP).

      Home and small-office routers use SSDP to allow Universal Plug & Play (UPnP) devices to configure themselves. Attacks using SSDP account for 20 percent of all denial-of-service attacks, according to Akamai’s Q1 2015 State of the Internet – Security Report.

      “A lot of home systems are contributing to these attacks,” Eric Kobrin, director of information security at Akamai, told eWEEK in a recent interview.

      Meanwhile, more than 40 percent of all network-layer attacks—the data floods that try to overwhelm network connections—use a botnet for hire, according to Web security provider Incapsula’s Q2 Global Threat Landscape report. Such botnets allow any would-be attacker to rent out a stable of compromised computers, and Incapsula found the average price to be $38 per hour.

      The number of denial-of-service attacks has gradually increased, doubling in the last year, while—at the same time—the attacks typically last a shorter amount of time, according to Akamai. Yet, Incapsula found that 20 percent of attacks last more than five days.

      Trying to block such attacks by the origin of the packets is futile. In the first half of the year, the majority of traffic came from computers in just five countries, but they were far-flung nations on three continents: China, Vietnam, the United States, Brazil and Thailand, according to Incapsula.

      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.