In-Depth

Web Site Attacks Continue to Rise Sharply

• By Mathew Schwartz
• 05/04/2005

Attacks against Web sites, including Web-site defacements, are on the rise.

According to information released last week at the Infosecurity Europe conference in London, attacks against Web servers increased 36 percent from 2003 to 2004. All told in 2004, there were almost 393,000 such attacks.

Those findings come from Zone-H, a site used to report attacks against Web servers. Volunteers at Zone-H receive about 2,500 notifications every day, which they verify with the sites attacked. Notifications must include a timestamp for the attack, the software of the attacked Web server, the operating system, technical details, and the attacker’s motivation. In other words, attackers self-report their exploits.

According to the results, 55 percent of reported server hacks result from two relatively preventable problems: systems not being patched against known vulnerabilities, and configuration errors. Since Zone-H began its tracking in 2002, the prevalence of these two types of attacks has remained constant. So “the phrase ‘patching helps’ is actually true,” notes Roberto Preatoni, founder of Zone-H and CEO of Tallinn, Estonia-based Domina Security.

Beyond known vulnerabilities and configuration errors, the third most-used attack type is taking advantage of a vulnerability that isn’t known publicly. While it’s difficult to guard against such attacks, organizations lately have been using virtual patching to help. Finally, less-frequently used attacks included brute-force attacks and social engineering.

Holiday Hacking

In terms of timing, hacking is a popular holiday-time activity. In fact, in 2004, “the traditional Christmas holidays defacement spree,” says Preatoni, began on December 8, with 1,216 recorded attacks against individual IP addresses that day. Only January 20, 2004, overshadowed that, with 2,296 attacks that day against IP addresses. Yet despite the January spike, on average over the course of 2004, the number of such attacks almost doubled.

For Web site defacements, the biggest day of activity was April 14, 2004, when 6,320 sites were defaced. Again, December also saw many attacks, as did March 19, the anniversary of the start of the Iraq War. In fact, the number of attackers reporting “patriotism” as their attack motivation increased by 400 percent from 2002 to 2004.

Evidently attackers find “Web defacement a valuable method of mass communication,” notes Preatoni. He emphasizes “communication” instead of damage, because attackers don’t have to stop at defacement. “Defacement is just one option for an attacker; in most circumstances the techniques used by defacers are the same techniques used by serious criminals to cause more serious damage.”

Last year, U.S. government servers were also hacked a reported 52 times. Attackers often used SQL injection attacks or took advantage of misconfigured FrontPage extensions.

Attacks against Web servers also increased markedly. For servers running Apache, attacks increased from about 4,000 in January 2004, to 6,000 by the end of that year. In the same timeframe, attacks targeting Microsoft IIS servers increased from about 1,000 to over 4,000. Given those increases, “companies need to make protecting their Web servers and applications a top security priority, or they could subject their customers to some of the most popular cybercrimes today—including identity theft,” notes Vik Desai, CEO of Stamford, Conn.-based Kavado, an application security vendor.

Of course, some types of attacks, including identity theft, are driven by financial motives, and “as companies continue to move their core businesses online, increasingly sophisticated hackers are finding new ways to bypass existing network-layer security in order to access personal and corporate financial data,” says Desai.

With attacks against Web servers on the increase, Zone-H’s Preatoni also sounds a cautionary note about an emerging technology: voice over IP (VoIP) telephony. “Once GSM telephone platforms are replaced by VoIP or 3G phones which work in the same way as Internet servers—they each might have their own IP address—the number of Web servers will increase to 1.5 billion,” he warns.

The marked increase in servers could present security managers with yet another "patch or perish” challenge, since “each of these phones or terminals will be potentially subject to the same vulnerabilities as traditional Web servers and personal computers."

Related Articles:

Best Practices in VoIP Security
http://www.esj.com/Security/article.aspx?EditorialsID=1299

Case Study: Virtual Patches Defend Web Applications
http://www.esj.com/Security/article.aspx?EditorialsID=1273

Patch or Perish: Symantec Notes Dramatic Increase in Threats
http://www.esj.com/Security/article.aspx?EditorialsID=1136