
Web Server Application Attacks 1

Web Server Application Attacks


Scott A. Lorenzen
Strayer University

Abstract
In today's business world, most companies have some form of Internet presence through which they
interact with customers, and it is increasingly hard to anticipate attacks and malicious activity. In a
Verisign survey of IT decision makers, 63% had experienced some form of attack in the past year,
67% said any downtime affected their customers, and 51% reported lost revenue from the
downtime. From an IT security perspective, the survey shows the importance of keeping systems
updated and monitored at all times. One way to mitigate these forms of attack is to use some
form of stateful inspection firewall. One such product, which applies stateful inspection by default to
all application traffic, is Sophos, available as an appliance or a virtual machine. This paper first
discusses three common Web application vulnerabilities and attacks, with recommendations on
how to mitigate them. Second, it discusses the risks facing US government websites and why those
risks were not always dealt with once they were identified. Last, it gives recommendations on
how best to mitigate a Domain Name System Security Extensions (DNSSEC) attack.
Web Server Application Attacks
Examine three (3) common Web application vulnerabilities and attacks, and recommend
corresponding mitigation strategies for each. Provide a rationale for your response.
Three of the most common Web application vulnerabilities and attacks are Denial of
Service (DoS), Distributed DoS (DDoS), and the many different types of DDoS. First, DoS
involves four different forms of attack: jamming networks, flooding service ports,
misconfiguring routers, and flooding mail servers. When defending against an attack, it is best to
have a plan in place. The plan should include contact information for both internal and external
resources, such as ISPs, hosting providers, and security vendors. A very basic approach is to
maintain a black list of the IPs and domains of known bad actors; however, that list must be kept
current, because attackers are able to migrate to new IPs and domains, and a stale list that blocks
legitimate traffic inflicts a DoS on yourself. In the Sophos firewall appliance, this is configurable
through the Intrusion Prevention System (see Figure 1, IPS configuration DoS).
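The self-inflicted DoS the paragraph warns about comes from stale indicators that keep blocking addresses an attacker has already abandoned and legitimate users have since picked up. The following is an added example, not code from the paper or from Sophos: a block list whose entries expire after an assumed review interval and which refuses to block anything on an allow list of trusted networks and domains. All addresses, domain names and feed labels are constructed.

```python
# Added example (not from the paper): a block list whose entries expire and
# that refuses to block anything on an allow list, so a stale indicator
# cannot turn into a self-inflicted DoS. All names and sample data are
# constructed for illustration.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def _as_network(value):
    """Return an ip_network for an IP or CIDR string, or None for a domain name."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def _domain_matches(pattern, name):
    """True if name equals pattern or is a subdomain of it (case-insensitive)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    return name == pattern or name.endswith("." + pattern)


@dataclass
class Entry:
    value: str          # single IP, CIDR network or domain name
    added: datetime     # when the indicator was added (drives expiry)
    source: str         # feed or ticket it came from (constructed label)

    def matches(self, value):
        """Does this entry cover the given IP or domain?"""
        net, other = _as_network(self.value), _as_network(value)
        if net is not None and other is not None:
            return other.version == net.version and other.subnet_of(net)
        if net is None and other is None:
            return _domain_matches(self.value, value)
        return False        # an IP never matches a domain entry, or vice versa


class BlockList:
    def __init__(self, allow_list, max_age=timedelta(days=7)):
        # max_age is an assumed review interval: indicators older than this are
        # treated as unreliable because attackers move to new addresses.
        epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
        self.allow = [Entry(v, epoch, "allow-list") for v in allow_list]
        self.max_age = max_age
        self.entries = []

    def is_allow_listed(self, value):
        return any(e.matches(value) for e in self.allow)

    def add(self, value, source, now):
        """Add an indicator; refuse values that would block trusted traffic."""
        if self.is_allow_listed(value):
            raise ValueError(f"refusing to block allow-listed value {value!r}")
        self.entries.append(Entry(value, now, source))

    def prune(self, now):
        """Drop expired entries and return the values removed, oldest first."""
        stale = [e for e in self.entries if now - e.added > self.max_age]
        self.entries = [e for e in self.entries if now - e.added <= self.max_age]
        return [e.value for e in sorted(stale, key=lambda e: e.added)]

    def is_blocked(self, value, now):
        """Allow list wins; otherwise any fresh matching entry blocks."""
        if self.is_allow_listed(value):
            return False
        return any(now - e.added <= self.max_age and e.matches(value)
                   for e in self.entries)


def demo(now=datetime(2014, 7, 12, tzinfo=timezone.utc)):
    """Exercise the list with constructed indicators; returns the decisions."""
    bl = BlockList(allow_list=["198.51.100.0/24", "partner.example"])
    bl.add("203.0.113.0/24", "feed-a", now - timedelta(days=10))   # stale
    bl.add("evil.example", "ticket-42", now - timedelta(days=1))   # fresh
    try:
        bl.add("198.51.100.9", "feed-b", now)                      # trusted
        refused = False
    except ValueError:
        refused = True
    return {
        "stale_ip": bl.is_blocked("203.0.113.7", now),           # expired entry
        "fresh_domain": bl.is_blocked("www.evil.example", now),  # subdomain match
        "trusted_ip": bl.is_blocked("198.51.100.9", now),        # allow list wins
        "refused": refused,
        "pruned": bl.prune(now),
    }


if __name__ == "__main__":
    print(demo())
```

The allow list is consulted before the block list on every decision, so a feed that one day publishes a partner's address range cannot silently cut that partner off; the expiry does the rest by retiring indicators nobody has re-confirmed.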
Next, DDoS is similar to a DoS attack, but instead of coming from a single IP address this type
of attack comes from multiple IPs and ISPs. There are several types of attack associated with
DDoS, such as FTP Bounce, Port Scanning, Ping Flooding, Smurf, SYN flooding, IP
Fragmentation, IP Sequence Prediction, DNS Cache Poisoning, SNMP, and Send Mail. An agent
(on Windows systems) or daemon (on Linux systems) is installed on multiple clients, with a master
controlling all of them. This form of agent or daemon is called a Zombie. The master sends a
command to the Zombies to begin the attack against a destination, which continues until the
destination no longer responds.
To avoid an FTP Bounce attack, the administrator needs to ensure the FTP daemon is
up to date on a Linux system, as well as the FTP service on a Windows system. In addition,
continuous monitoring of the FTP service will help determine whether or not an attack is under
way. Patching operating systems, as well as network-enabled printers and routers, can mitigate a
Ping Flood attack against a network. Furthermore, enabling encryption of sessions on a router
helps to reduce Ping Flood attacks; encryption ensures that a trusted host originating outside of the
known network can securely communicate with the internal network. A Smurf attack is a
modified Ping Flood of a network, except that it is intended for a specific target. When routers are
configured to deny ICMP packets broadcast from an outside source, the attack is stopped at the
router. However, this feature must be configured on all network routers to be effective.
TCP communications use a three-way handshake when communicating between
devices. The initial connection is made with a SYN (synchronize) packet, the responding
system sends a SYN ACK (synchronize acknowledge) in return, and the client responds with an
ACK (acknowledge). A SYN flooding attack begins at the response to the first SYN, while the
target is awaiting the SYN ACK packet to return. By default, Windows uses a Time to Live
(TTL) of 255 hops, while Linux systems are configured with a TTL of 64 hops. A decrease in the
TTL can help to mitigate a SYN flooding attack, as the wait time for a response is shortened. In
addition, applying service packs and upgrading older systems will help against a SYN attack.
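What a SYN flood leaves behind on the server is a pile of half-open connections: handshakes that received a SYN but never the closing ACK. The following is an added example, not code from the paper, that counts those per client from connection-tracking events. The log format and every address in it are constructed; the `timeout` argument plays the role of the shortened wait the paper recommends, since a handshake that is still pending after it is counted against its source.

```python
# Added example (not from the paper): counting half-open TCP connections per
# source from connection-tracking events, the symptom a SYN flood leaves
# behind. The log format and all addresses are constructed for illustration.
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed format: "<ISO time> <SYN|ACK> <client ip>:<port> -> <server ip>:<port>"
# Both event types are recorded from the client's side of the handshake.
LINE = re.compile(r"^(\S+) (SYN|ACK) (\S+):(\d+) -> (\S+):(\d+)$")

SAMPLE_LOG = """\
2014-07-12T10:00:00 SYN 192.0.2.50:51000 -> 192.0.2.10:80
2014-07-12T10:00:00 ACK 192.0.2.50:51000 -> 192.0.2.10:80
2014-07-12T10:00:01 SYN 203.0.113.9:40001 -> 192.0.2.10:80
2014-07-12T10:00:01 SYN 203.0.113.9:40002 -> 192.0.2.10:80
2014-07-12T10:00:01 SYN 203.0.113.9:40003 -> 192.0.2.10:80
2014-07-12T10:00:02 SYN 203.0.113.9:40004 -> 192.0.2.10:80
2014-07-12T10:00:02 SYN 203.0.113.9:40005 -> 192.0.2.10:80
2014-07-12T10:00:25 SYN 192.0.2.51:51001 -> 192.0.2.10:80
""".splitlines()

NOW = datetime(2014, 7, 12, 10, 0, 30)   # moment the check runs (constructed)


def parse(line):
    """Split one constructed log line into typed fields."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    ts, flag, src, sport, dst, dport = m.groups()
    return datetime.fromisoformat(ts), flag, src, int(sport), dst, int(dport)


def half_open_by_source(lines, now, timeout=timedelta(seconds=10)):
    """Count, per client IP, the SYNs whose final ACK has not arrived within timeout.

    A legitimate client completes the handshake in milliseconds; a flooder
    never sends the ACK, so its half-open count keeps growing.
    """
    pending = {}                          # 4-tuple -> time the SYN was seen
    for ts, flag, src, sport, dst, dport in map(parse, lines):
        key = (src, sport, dst, dport)
        if flag == "SYN":
            pending[key] = ts
        else:                             # ACK: handshake completed, forget it
            pending.pop(key, None)
    counts = Counter()
    for (src, *_), ts in pending.items():
        if now - ts >= timeout:           # still waiting past the allowed time
            counts[src] += 1
    return dict(counts)


def flood_suspects(lines, now, threshold=3):
    """Client IPs holding at least `threshold` stale half-open connections."""
    return sorted(src for src, n in half_open_by_source(lines, now).items()
                  if n >= threshold)


if __name__ == "__main__":
    print(half_open_by_source(SAMPLE_LOG, NOW))   # {'203.0.113.9': 5}
    print(flood_suspects(SAMPLE_LOG, NOW))        # ['203.0.113.9']
```

The client at 192.0.2.51 sent its SYN five seconds before the check and is not counted, which is the point of the timeout: a short wait retires legitimate in-flight handshakes quickly while the flooder's entries age past it. Against a spoofed-source flood the per-IP count spreads across many addresses, so the total size of `pending` is the figure to alert on as well.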
The next two types of attack are against the Internet Protocol (IP) of the TCP/IP suite.
The first is an IP Fragmentation/Overlapping Fragment attack. An attacker can
change the size of the IP packet, making it smaller in transit to the target. Because of the smaller
packet size, routers will allow the traffic through, and when the packet is reassembled at the other
end the system becomes overloaded putting the original packet back together. One
way to mitigate this type of attack is the use of ACL packet rules on all routers. With TCP/IP
communications and the fragmentation of IP packets, a sequence number is assigned to
each packet. An attacker can establish a connection with a machine, find the next sequence
number of a packet stream, and in turn respond with the next packet in sequence, tricking the
machine into thinking it is talking to a different target. The attacker can then request different
services from the machine to do its bidding. Most new operating systems randomize their
sequence numbers to reduce the possibility of this attack, so it is best practice to keep your
systems up to date with the latest patches and latest operating systems. In addition, using
Intrusion Detection Systems (IDS) can mitigate the IP Sequence Prediction attack.
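The fragment-handling rules a router ACL or a reassembly routine can apply before accepting a datagram come down to a few checks on offsets and lengths. The following is an added example, not code from the paper or from any router vendor: it takes the fragments of one IPv4 datagram and reports overlapping pieces, pieces that would push the reassembled datagram past the IPv4 maximum, and sets that are not yet complete. Fragment sizes and offsets are constructed.

```python
# Added example (not from the paper): a sanity check on the fragments of one
# IPv4 datagram, of the kind a router ACL or reassembly code applies before
# accepting them. Fragment sizes and offsets below are constructed.
from dataclasses import dataclass

MAX_DATAGRAM = 65535     # largest total length an IPv4 datagram may have
IP_HEADER = 20           # minimal IPv4 header; payload must fit in the rest


@dataclass(frozen=True)
class Fragment:
    offset: int     # fragment offset field as on the wire, in 8-byte units
    length: int     # payload bytes carried in this fragment
    more: bool      # "more fragments" (MF) flag


def check_fragments(fragments):
    """Return (complete, problems) for one datagram's fragments.

    problems is a list of strings; an empty list means nothing suspicious.
    complete is True when the pieces form one gap-free payload that starts
    at offset 0 and ends in a fragment with MF clear.
    """
    problems = []
    seen = []                                     # (start, end) byte ranges
    ordered = sorted(fragments, key=lambda f: f.offset)
    for f in ordered:
        start, end = f.offset * 8, f.offset * 8 + f.length
        if f.more and f.length % 8:
            problems.append(f"non-final fragment at {start} is not a multiple of 8 bytes")
        if end > MAX_DATAGRAM - IP_HEADER:
            problems.append(f"fragment at {start} would grow the datagram past {MAX_DATAGRAM} bytes")
        for s, e in seen:
            if start < e and s < end:             # byte ranges intersect
                problems.append(f"fragment {start}-{end} overlaps {s}-{e}")
                break
        seen.append((start, end))
    contiguous = all(ordered[i].offset * 8 + ordered[i].length == ordered[i + 1].offset * 8
                     for i in range(len(ordered) - 1))
    complete = (bool(ordered) and ordered[0].offset == 0 and contiguous
                and not ordered[-1].more and all(f.more for f in ordered[:-1]))
    return complete, problems


def decide(fragments):
    """Filter decision: 'drop' on any problem, 'hold' while incomplete, else 'accept'."""
    complete, problems = check_fragments(fragments)
    if problems:
        return "drop"
    return "accept" if complete else "hold"


# Constructed fragment sets
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 500, False)]
OVERLAP = [Fragment(0, 1480, True), Fragment(100, 1480, False)]    # second starts at byte 800
OVERSIZE = [Fragment(0, 1480, True), Fragment(8189, 1000, False)]  # would end at byte 66512
PARTIAL = [Fragment(0, 1480, True)]                                # last piece not yet seen

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("overlap", OVERLAP),
                        ("oversize", OVERSIZE), ("partial", PARTIAL)]:
        print(name, decide(frags), check_fragments(frags)[1])
```

A stateless ACL cannot see across fragments, which is why the "hold" state exists: a filter that must decide per packet can only drop fragments that are individually malformed, while overlap detection needs the reassembly state kept here in `seen`.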
DNS Cache Poisoning uses a DNS server's cached information to redirect a website call
to another network connection. The Domain Name Service (DNS) converts a Fully Qualified
Domain Name (FQDN) to a usable IP address. A DNS server will cache a lookup of an FQDN to
IP so that future calls for the site do not require another query. One way to
defend against these types of attack is to ensure the latest DNS software is running. As discussed
in the publication DNS security: poisoning, attacks and mitigation, patched Windows servers
use a 2,500-port range for source port randomization. According to the documentation, it would
take up to 3.8 days for an attacker to be successful in this type of attack when the port
randomization is in place.
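Source port randomization only helps because the resolver refuses every reply that does not match an outstanding query exactly, so a forger has to hit both the transaction ID and the port. The following is an added example, not code from the paper or from any DNS implementation: a toy resolver that remembers the (port, TXID) pair of each query and discards replies that do not match it and the question name, plus a helper that counts the combinations an off-path attacker would have to cover. The port range, names and addresses are constructed; the paper's 3.8-day figure also depends on how fast forged replies can be delivered, which is not modelled here.

```python
# Added example (not from the paper): the resolver-side match that makes
# source port randomization worth having. Names, ports and addresses are
# constructed; Resolver is a toy, not a real DNS implementation.
import secrets
from dataclasses import dataclass

TXID_SPACE = 1 << 16          # DNS transaction IDs are 16 bits


@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int
    qname: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int             # port the reply is addressed to
    qname: str
    answer: str


class Resolver:
    def __init__(self, port_lo=49152, port_hi=65535, randbelow=secrets.randbelow):
        # Constructed ephemeral range; the paper's patched Windows servers use
        # a 2,500-port range instead. randbelow is injectable for testing.
        self.ports = range(port_lo, port_hi + 1)
        self.randbelow = randbelow
        self.pending = {}                  # (port, txid) -> qname
        self.cache = {}                    # qname -> answer
        self.rejected = 0

    def send_query(self, qname):
        """Pick a fresh random TXID and source port and remember the pair."""
        txid = self.randbelow(TXID_SPACE)
        port = self.ports[self.randbelow(len(self.ports))]
        self.pending[(port, txid)] = qname
        return Query(txid, port, qname)

    def receive(self, resp):
        """Accept a reply only if it matches a pending query on all three fields."""
        if self.pending.get((resp.dst_port, resp.txid)) != resp.qname:
            self.rejected += 1             # likely forged: discard, never cache
            return False
        del self.pending[(resp.dst_port, resp.txid)]
        self.cache[resp.qname] = resp.answer
        return True


def guess_space(port_count, txid_space=TXID_SPACE):
    """Number of (port, TXID) combinations an off-path forger must cover."""
    return port_count * txid_space


def demo():
    """One query, one forged reply with the wrong TXID, one genuine reply."""
    r = Resolver()
    q = r.send_query("www.example.")
    forged = Response(q.txid ^ 0x1, q.src_port, q.qname, "203.0.113.66")
    genuine = Response(q.txid, q.src_port, q.qname, "192.0.2.80")
    return r.receive(forged), r.receive(genuine), r.cache.get("www.example."), r.rejected


if __name__ == "__main__":
    print(demo())                           # (False, True, '192.0.2.80', 1)
    print(guess_space(2500), guess_space(1))
```

With a fixed source port the forger's search space is just the 65,536 transaction IDs; the paper's 2,500-port range multiplies that by 2,500, which is what `guess_space(2500)` returns. The `rejected` counter is also a useful signal: a burst of non-matching replies is exactly what a poisoning attempt looks like from the resolver's side.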
Management of network devices such as routers and switches from a
management system uses SNMP (Simple Network Management Protocol). The default settings,
which go unchanged in many situations, are public for read-only access and private for read-
write access to the device, and the connection information is sent in clear text. The best ways to
mitigate this are to shut off SNMP services if you are not going to manage your devices using
SNMP, to switch to SNMPv3, which requires an encrypted connection using credentials, or simply
to change the default settings from public/private to some other community string.
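The three mitigations above (disable, move to SNMPv3, or at least change the community strings) can be checked mechanically against device configuration backups. The following is an added example, not code from the paper: an audit over an IOS-style configuration dump that flags the default public/private community strings, read-write communities over SNMPv1/v2c, and SNMPv3 groups that do not require encryption. The configuration text is constructed; the command forms follow Cisco IOS syntax, but the hostname and names are made up.

```python
# Added example (not from the paper): an audit of SNMP settings in an
# IOS-style configuration dump. The configuration text is constructed.
import re

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?")
V3_GROUP = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)")

SAMPLE_CONFIG = """\
hostname core-sw1
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t-ro RO 10
snmp-server group NETMGMT v3 priv
snmp-server group LEGACY v3 noauth
snmp-server location constructed-lab
"""


def audit_snmp(config_text):
    """Return (line number, severity, message) findings for one device config."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = COMMUNITY.match(line)
        if m:
            community, mode = m.group(1), m.group(2) or "RO"   # IOS defaults to RO
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "high",
                                 f"default community '{community}' grants {mode} access"))
            elif mode == "RW":
                findings.append((lineno, "high",
                                 f"read-write community '{community}' over SNMPv1/v2c (clear text)"))
            else:
                findings.append((lineno, "medium",
                                 f"SNMPv1/v2c community '{community}' is sent in clear text"))
            continue
        m = V3_GROUP.match(line)
        if m and m.group(2) != "priv":
            findings.append((lineno, "medium",
                             f"SNMPv3 group '{m.group(1)}' uses '{m.group(2)}': no encryption"))
    return findings


def worst_severity(findings):
    """'high', 'medium' or 'none' for a list of findings."""
    order = {"high": 2, "medium": 1}
    return max((f[1] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for lineno, severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"line {lineno:>3} [{severity}] {message}")
    print("worst:", worst_severity(audit_snmp(SAMPLE_CONFIG)))
```

Even the non-default read-only community on line 4 is reported, because a v1/v2c community string is still sent in clear text no matter how strong it is; only the SNMPv3 group with `priv` passes without a finding, which matches the paper's ordering of the options.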
Using Microsoft Visio or an open source alternative such as Dia, outline an architectural
design geared toward protecting Web servers from a commonly known Denial of Service
(DOS) attack.
In an attempt to protect Web servers from potential threats, the following
recommendation is presented (Figure 2, Architectural design for protecting web servers). To start
with, a firewall using both IPS/IDS stateful packet inspection is configured and regularly updated
in all routers in the DMZ area between firewalls. All routers, switches, and operating systems
that require SNMP management must run only SNMPv3 or have the service disabled. All
operating systems are updated with the latest security patches on a monthly schedule. Furthermore,
a quarterly baseline security test is run against target systems to ensure they are up to date.
Based on your research from the Network World article, examine the potential
reasons why the security risks facing U.S. government Websites were not always dealt with
once they were identified and recognized as such.
All governments are known for espionage and trickery, so why not on their own networks?
Many companies will configure the proverbial honeypot network for attackers, to cause confusion,
report low false positives and high success rates, and help train security teams. In 2014, the latest
numbers indicate that 57% of federal sites are now using DNSSEC on their websites, which is up
from the study conducted in 2013. This delay in adoption can also be a great way for government
security agencies to discover who the real attackers are and begin to build legal cases against
those same attackers. Another possible reason for the delay is the complexity of using DNSSEC,
which requires all Certificate Authorities (CAs) and Intermediate Authorities (IAs) to validate the
signature of the DNS server supplying the specific address. As there are many CAs and IAs, which
are not controlled by the government, this can take time. In addition, not all sites work well with
DNSSEC, so a reconfiguration of the website may also need to be done.
Suggest what you believe to be the best mitigation or defense mechanisms that would
help to combat the Domain Name System Security Extensions (DNSSEC) concerns to which
the article refers. Propose a plan that the U.S. government could use in order to ensure that
such mitigation takes place. The plan should include, at a minimum, two (2) mitigation or
defense mechanisms.
Regardless of what solution is selected, an evaluation of the network is conducted to find out
whether this is going to be running in a mixed environment, and application testing will need to
be conducted prior to roll out. In a Microsoft Windows based DNS system, two items must be
done before DNSSEC can begin. The first is the understanding that DNSSEC will require
Windows Server 2008 R2, which is available for 64-bit processors only. Second, all Active
Directory (AD) Domain Controllers will be upgraded to support the DNSSEC system. Hardware
considerations are evaluated during the discovery phase, as DNS servers use three to five times
the memory of an unsigned zone, and DNS server responses will increase the network traffic to
and from the server. When performing validations, the server CPU usage will increase as it
validates DNSSEC data. Lastly, depending on the size of the DNS zones, there will be an increase
in the size of the AD database file. The next step is to configure and distribute trust anchors. In
order for this to work, all servers must be Windows 2008 R2 to support the DNSKEY resource
record. After completion, a configuration of the IPsec policy that will be applied to all servers has
to be created and tested. Once IPsec is completed, configuration settings must be tested and
pushed out to all DNSSEC-aware Windows clients and any non-DNSSEC-aware clients. All of
these processes will take time and coordination, as the service desk will need to be a part of these
changes, as well as the business units. Another option is to forgo any internal changes at all and
outsource the project to an external vendor, such as F5's Global Traffic Manager, which delivers a
complete, real-time DNSSEC solution to protect the system. Outsourcing can be leveraged so that
the internal systems are updated over time, finally replacing the outsourced solution with the
internal one.
References
What is a DDoS Attack and DDoS Mitigation Services - Verisign. (n.d.). Retrieved from
https://www.verisigninc.com/en_US/website-availability/ddos-protection/what-is-a-ddos-attack/index.xhtml
Best Practice: Firewall settings guide. (2014, May 01). Retrieved from
http://www.sophos.com/en-us/support/knowledgebase/57757.aspx
Jackson, W. (2013, January 23). How to mitigate and defend against DOS attacks -- GCN. Retrieved from
http://gcn.com/articles/2013/01/23/how-to-mitigate-defend-against-dos-attacks.aspx
Hassell, J. (2006, June 8). The top five ways to prevent IP spoofing. Retrieved from
http://www.computerworld.com/s/article/9001021/The_top_five_ways_to_prevent_IP_spoofing
Access Control Lists and IP Fragments. (2005, August 10). Retrieved from
http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html
Agar, R., & Paterson, K. (2010). DNS security best practices to prevent DNS poisoning attacks. Retrieved from
http://www.computerweekly.com/feature/DNS-security-best-practices-to-prevent-DNS-poisoning-attacks
Romanski, J. (2000, August 12). Intrusion Detection FAQ: Using SNMP for Reconnaissance. Retrieved from
http://www.sans.org/security-resources/idfaq/snmp.php
Marsan, C. D. (2012, May 15). 40% of U.S. government Web sites fail security test. Retrieved from
http://www.networkworld.com/article/2186860/data-center/40--of-u-s--government-web-sites-fail-security-test.html
Lemos, R. (2013, October 1). 5 Reasons Every Company Should Have A Honeypot. Retrieved from
http://www.darkreading.com/vulnerabilities---threats/5-reasons-every-company-should-have-a-honeypot/d/d-id/1140595
Eland, H. (2009, October 07). CircleID. Retrieved from
http://www.circleid.com/posts/securing_a_domain_ssl_vs_dnssec/
Ayoub, R. (n.d.). How Internet Service Providers Can Use DNSSEC to Provide Security for Customers, 1-13. Retrieved July 12, 2014, from
https://www.verisigninc.com/en_US/resource-center/index.xhtml
DNSSEC Deployment Planning. (2009, October 07). Retrieved from
http://technet.microsoft.com/en-us/library/ee649173(v=ws.10).aspx

Figures

Figure 1. IPS configuration DoS

Figure 2. Architectural design for protecting web servers
