Thursday, June 23, 2011

DDoS attacks in payment gateways



A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented either by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide their intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
The United States Computer Emergency Readiness Team (US-CERT) defines the symptoms of denial-of-service as:
·         Unusually slow network performance (opening files or accessing web sites)
·         Unavailability of a particular web site
·         Inability to access any web site
·         Dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb)
Denial-of-service attacks can also lead to problems in the network ‘branches’ around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by an attack, compromising not only the intended computer, but also the entire network.
If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity can be compromised without the attacker’s knowledge or intent by incorrectly configured or flimsy network infrastructure equipment.
Methods of attack
·          Consumption of computational resources, such as bandwidth, disk space, or processor time.
·          Disruption of configuration information, such as routing information.
·          Disruption of state information, such as unsolicited resetting of TCP sessions.
·          Disruption of physical network components.
·          Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
Hack Websites by DDoS Attack
A DoS attack is a denial of service through continued illegitimate requests for information from a site. In a DDoS attack, the hacker’s computer sends a message to all the enslaved computers to send a spoofed request to the broadcast address of the victim’s computer (x.x.x.255 if it is subnetted) with the spoofed source address (x.x.x.123 being the target IP). This is Step 1 in Figure 1.6. The router then sends the spoofed message to all computers on the subnet (in many cases, these are the victim’s own computers) that are listening (around 250 maximum), asking for a response to the ICMP packet (Step 2). Those computers each respond to the victim’s source address x.x.x.123 through the router (Step 3). In the case of DDoS, there are many computers that have been commandeered that are sending many requests to the router, making the router do many times the work, and using the broadcast address to make other computers behind the router work against the victim computer (Step 4). This then overloads the victim in question and will eventually cause it to crash, or more likely the router will no longer reliably be able to send and receive packets, so sessions will be unstable or impossible to establish, thus denying service.

An example of a DoS/DDoS attack occurred in February of 2001, when Microsoft was brought to its knees. Many industry experts believe that the attack was timed to coincide with Microsoft’s launch of a $200 million ad campaign. Ironically, the ad campaign was focused on what Microsoft refers to as “Software for the agile business.” The attack by hackers was just one more sign to the Internet industry that hackers are very much able to control sites when they feel they have a point to prove.
How to protect yourself
·         The application should connect to the database using the lowest-privilege user possible.
·         The application should connect to the database with different credentials for every trust distinction (e.g., user, read-only user, guest, administrators) and permissions applied to those tables and databases to prevent unauthorized access and modification.
·         The application should prefer safer constructs, such as stored procedures which do not require direct table access. Once all access is through stored procedures, access to the tables should be revoked.
·         Highly protected applications:
  • The database should be on another host, which should be locked down with all current patches deployed and latest database software in use.
  • The application should connect to the database using an encrypted link. If not, the application server and database server must reside in a restricted network with minimal other hosts.
  • Do not deploy the database server in the main office network.
Protect yourself with ColdFusion
Role-based security is implemented by the roles attribute of the tag. The attribute contains a comma-delimited list of security roles that can call this method.
Access control is implemented by the access attribute of the tag. The possible values of the attribute in order of most restricted behavior are: private (strongest), package, public (default), and remote (weakest).
Private: The method is accessible only to methods within the same component. This is similar to the Object Oriented Programming (OOP) private identifier.
Package: The method is accessible only to other methods within the same package. This is similar to the OOP protected static identifier.
Public: The method is accessible to any CFC or CFM on the same server. This is similar to the OOP public static identifier.
Remote: Allows all the privileges of public, in addition to accepting remote requests from HTML forms, Flash, or web services. This option is required to publish the function as a web service.
Best Practices
·         Do not use THIS scope inside a component to expose properties. Use a getter or setter function instead. For example, instead of using THIS.myVar create a public function that sets the variable (i.e. setMyVar(value)).
·         Do not omit the roles attribute, as ColdFusion will then not restrict user access to the function.
·         Avoid using access="remote" if you do not intend to call the component directly from a URL.
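An added example (not code from the original post) of a component that applies the access and roles attributes and the THIS-scope guidance above: private state behind a getter/setter, a role-restricted method, a single remote endpoint, and a private helper. The file names, role names, and the verifyUser() function are assumptions.

```cfml
<!--- PaymentService.cfc: added example, not from the original post --->
<cfcomponent displayname="PaymentService" output="false">

    <!--- Private state lives in the VARIABLES scope, never in THIS --->
    <cfset variables.merchantId = "">

    <!--- Setter/getter pair instead of exposing THIS.merchantId --->
    <cffunction name="setMerchantId" access="public" returntype="void" output="false">
        <cfargument name="value" type="string" required="true">
        <cfset variables.merchantId = arguments.value>
    </cffunction>

    <cffunction name="getMerchantId" access="public" returntype="string" output="false">
        <cfreturn variables.merchantId>
    </cffunction>

    <!--- roles: callable only by a user logged in via cfloginuser with the "finance" role;
          ColdFusion throws an exception for anyone else, so the body never runs --->
    <cffunction name="refundTransaction" access="public" roles="finance" returntype="boolean" output="false">
        <cfargument name="txnId" type="string" required="true">
        <cfif NOT isValidTxnId(arguments.txnId)>
            <cfreturn false>
        </cfif>
        <cfreturn true>
    </cffunction>

    <!--- access="remote" only on the one method intended as a URL/web-service endpoint --->
    <cffunction name="getStatus" access="remote" roles="finance,clerk" returntype="string" output="false">
        <cfargument name="txnId" type="string" required="true">
        <cfreturn "status lookup for " & arguments.txnId>
    </cffunction>

    <!--- private helper: reachable only from methods of this component --->
    <cffunction name="isValidTxnId" access="private" returntype="boolean" output="false">
        <cfargument name="txnId" type="string" required="true">
        <cfreturn REFind("^[A-Za-z0-9]{8,32}$", arguments.txnId) GT 0>
    </cffunction>

</cfcomponent>

<!--- Application.cfm: roles are granted at login with cfloginuser --->
<cflogin>
    <cfif isDefined("cflogin")>
        <!--- verifyUser() is hypothetical: checks credentials, returns the user's role list or "" --->
        <cfset roleList = verifyUser(cflogin.name, cflogin.password)>
        <cfif len(roleList)>
            <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roleList#">
        </cfif>
    </cfif>
</cflogin>
```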
Configuration
The following section describes some of the server-wide security-related options available to a ColdFusion administrator via the ColdFusion MX 7 Administrator console web application (http://servername:port/CFIDE/administrator/index.cfm). If the console application is unavailable, you can modify these options by editing the XML files in the cf_root/lib/ (Server configuration) or cf_web_root/WEB-INF/cfusion/lib (J2EE configuration) directory; however, editing these files directly is not recommended.
Best Practice
CF Admin Password screen
Enable a strong Administrator password
The ColdFusion Administrator is the default interface for configuring the ColdFusion application server. It is secured by a single password. Ensure that Administrator security is enabled and that the password is strong and stored in a secure place.
Ensure the checkbox is filled
Enter and confirm a strong password string of 8 characters or more
Click Submit Changes
Sandbox Security screen
Enable Sandbox Security
The ColdFusion Sandbox allows you to place access security restrictions on files, directories, methods, and data sources. Sandboxes make the most sense for a hosting provider or corporate intranet where multiple applications share the same server. Enable this option.
Next, a sandbox needs to be configured; otherwise all code in all directories will execute without restriction. Code in a directory and its subdirectories inherits the access controls defined for the sandbox. For example, if ABC Company creates multiple applications within their directory, all applications will have the same permissions as the parent: a sandbox applied to ABC-apps will apply to app1 and app2. A sample directory structure is shown below:
D:\inetpub\wwwroot\ABC-apps\app1
D:\inetpub\wwwroot\ABC-apps\app2
Note: if a new sandbox is created for app2 then it will not inherit settings from ABC-apps.
Sandbox security configurations are application specific; however, there are general guidelines that should be followed:
Create a default restricted sandbox and copy its settings to each subsequent sandbox, removing restrictions only as needed by the application. The exception is files/directories, where access is granted rather than restricted.
Restrict access to data sources that should not be accessed by the sandboxed application.
Restrict access to powerful tags, for example CFREGISTRY and CFEXECUTE.
Restrict file and directory access to limit the ability of tags and functions to perform actions to specified paths.
Every application should have a sandbox.
In multi-homed environments disable Java Server Pages (JSP) as ColdFusion is unable to restrict the functionality of the underlying Java server.
RDS Password screen
Enable a strong RDS password
Developers can access ColdFusion resources (files and data sources) over HTTP from Macromedia Dreamweaver MX and HomeSite+ through ColdFusion’s Remote Development Services (RDS). This feature is password protected and should only be enabled in secure development environments.
Ensure the checkbox is filled
Enter and confirm a strong password string of 8 characters or more
Click Submit Changes
Use RDS over SSL - During development, you should use SSL v3 to encrypt all RDS communications between Dreamweaver MX and the ColdFusion server. This includes remote access to server data sources and drives, provided that both are accessed through RDS.
Disable RDS in Production
In production environments, you should not use RDS. In earlier versions of ColdFusion, RDS ran as a separate service or process and could be disabled by disabling the service. In ColdFusion MX, RDS is integrated into the main service. To disable it, you must disable the RDSServlet mapping in the web.xml file. The following procedure assumes that ColdFusion is installed in the default location.
1. Back up the C:\CFusionMX7\wwwroot\WEB-INF\web.xml file.
2. Open the web.xml file for editing.
3. Comment out the RDSServlet mapping, as follows:
   <!--
   <servlet-mapping>
       <servlet-name>RDSServlet</servlet-name>
       <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
   </servlet-mapping>
   -->
4. Save the file.
5. Restart ColdFusion.
Settings Screen
Enable a Request Timeout
ColdFusion processes requests simultaneously and queues all requests above the configured maximum number of simultaneous requests. If requests run abnormally long, they can tie up server resources and leave the server open to DoS attacks. This setting terminates requests when the configured timeout is reached.
Fill the checkbox next to “Timeout Request after (seconds)”
Enter the number of seconds for ColdFusion to allow threads to run
To allow a valid template request to run beyond the configured timeout, place a tag atop the base ColdFusion template and set its RequestTimeout attribute to the necessary amount of time (in seconds).
Use UUID for cftoken
Best practice calls for J2EE session management. In the event that only ColdFusion session management is available, strong security identifiers must be used. Enable this setting to change the default 8-character CFToken security token string to a UUID.
Enable Global Script Protection - This is a new security feature in ColdFusion MX 7 that isn’t available in other web application platforms. It helps protect Form, URL, CGI, and Cookie scope variables from cross-site scripting attacks.
Specify a Site-wide Error Handler
Prevent information leaks through verbose error messages. Specifying a site-wide error handler covers you when cftry/cfcatch are not used. This page should be a generic error message that you return to the user. Also, if the error handler displays user-input, it should be reviewed for potential cross-site scripting issues.
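An added example (not from the original post) of a site-wide error handler template in the spirit of the guidance above: full diagnostics go to the server log, the user gets a generic page with a 500 status, and the one piece of request data that is echoed back is HTML-encoded. The file name error.cfm is an assumption; the error.* variables and the tags used are standard ColdFusion.

```cfml
<!--- error.cfm: added example, not from the original post; set this path as the Site-wide Error Handler --->
<!--- Return a real error status so monitoring and caches treat the page as a failure --->
<cfheader statuscode="500" statustext="Internal Server Error">

<!--- Full diagnostics go to the server log, never to the browser --->
<cflog file="application" type="error"
       text="#error.type# in #error.template# from #error.remoteAddress#: #error.message# | #error.diagnostics#">

<!--- Generic message for the user: no template names, SQL, or stack traces --->
<cfoutput>
<html><body>
<h1>Sorry, something went wrong</h1>
<p>The request could not be completed. Please try again later.</p>
<!--- Anything echoed from the request is HTML-encoded so a crafted URL cannot inject script --->
<cfif isDefined("error.queryString") AND len(error.queryString)>
    <p>Request: #HTMLEditFormat(error.queryString)#</p>
</cfif>
</body></html>
</cfoutput>
```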
Specify a Missing Template Handler
Provide a custom message page for HTTP 404 errors when the server cannot find the requested ColdFusion template.
Configure a memory throttling
To prevent file upload DoS attacks, Macromedia added new configuration settings to ColdFusion MX 7.0.1 that allow administrators to restrict the total upload size of HTTP POST operations. Configure these settings accordingly.
Maximum size for post data
This is the total size that ColdFusion will accept for any single HTTP POST request (including file uploads). ColdFusion will reject any request whose Content-size header exceeds this setting.
Request Throttle Threshold
HTTP POST requests larger than this setting (default is 4MB) are included in the total concurrent request memory size and get queued if they exceed the Request Throttle Memory setting.
Request Throttle Memory
This sets the total amount of memory (MB) ColdFusion reserves for concurrent HTTP POST requests. Any requests exceeding this limit are queued until enough memory is available.
Memory Variables screen
Enable J2EE Session Management and Use J2EE session variables.
Best practice requires J2EE sessions because they are more secure than regular ColdFusion sessions. (See Session Management section)
Select checkbox next to “Enable Session Variables”
Select checkbox next to “Enable J2EE session variables”
Set the maximum session timeout to 20 minutes to limit the window of opportunity for session hijacking.
Set the default session timeout to 20 minutes to limit the window of opportunity for session hijacking. (The default value is 20 minutes.)
The session-timeout parameter in the cf_root/WEB-INF/web.xml file establishes the maximum J2EE session timeout. This setting should always be greater than or equal to ColdFusion’s Maximum Session Timeout value.
Set the maximum application timeout to 24 hours.
Set the default application timeout to 8 hours.
Data Sources screen
Do not use an administrative account to connect ColdFusion to a data source. For example, do not use the SA account to connect to MS SQL Server. The account accessing the database should be granted only the specific privileges on the objects it needs to access. In addition, the account created to connect to the database should be an OS-based account, not a SQL account. Operating system accounts have many more auditing, password, and other security controls associated with them. For example, account lockouts and password complexity requirements are built into the Windows operating system, whereas a database would need custom code to handle these security-related tasks.
Disable the following Allowed SQL options for all data sources:
Create, Drop, Grant, Revoke, Alter
As an administrator, you do not have control over what a developer sends to the database; however, there should be no circumstance where the previous commands need to be sent to a database from a web application.
Debugging Settings screen
Disable Robust Exception for production servers. (Default)
Disable Debugging for production servers. (Default)
Debugging IP Addresses
Ensure only the addresses of trusted clients are in the IP list.
Only allow the localhost IP (127.0.0.1) in the list on production machines
Mail screen
Require a user name and password to authenticate to your mail server.
Set the connection timeout to 60 seconds (The default value is 60 seconds.)
Ref: WIKIPEDIA, SYNGRESS, OWASP

1 comment:

  1. Thanks for the post. I believe that you have researched a lot before adding all these details to this post. I was not aware that ColdFusion web services are capable of preventing denial-of-service attacks or distributed denial-of-service attacks.