Five signs that your website is being attacked by automated hacking tools

Source: Internet
Author: User
Tags: imperva netsparker havij

The following describes how to detect and counter hackers who use automated tools to attack your website.
Hackers favor tools that automate SQL injection and Remote File Inclusion attacks.
With software such as sqlmap, Havij, or NetSparker, an attacker can discover and exploit website vulnerabilities quickly and easily, without any special study.
There are three reasons why hackers like automated attacks. First, and most importantly, these tools require very little technical skill. They are also easy to obtain: they are distributed free of charge on hacker forums or on their developers' websites as legitimate penetration-testing tools.
Second, they allow a hacker who has learned only a few techniques to attack a large number of websites quickly.
Finally, hired attackers can run these effective tools for a period of time and really steal data from or damage the server.

There is good news:
if you can detect that hackers are attacking your site with automated tools, you can find a way to block them. In this article, we look at how to identify the malicious traffic these automated attack tools generate on your site.
I. High incoming request rate
One of the most telling indicators is the rate at which automated attack tools send requests. According to Rob Rachwald, director of security strategy at data security company Imperva, a normal human visitor cannot generate more than one HTTP request every five seconds. By contrast, automated attack tools typically generate more than 70 requests per minute, that is, more than one request per second. No human visitor produces that many requests.
At first glance, then, spotting an automated attack looks easy: any source sending more than one request every five seconds is an automated attack. Things are not that simple, however.
First, not all automated traffic is malicious. When Google indexes your website so that potential users can find you, it generates a large volume of automated requests. Nor is all high-rate traffic automated: a content delivery network or proxy service may deliver a large volume of traffic from a single source address that in fact aggregates many different users.
More importantly, many experienced hackers know that a high request rate is easy to spot, and they have several strategies for avoiding detection. Rachwald warns that these strategies include:
1. Deliberately slowing down or pausing the attack tool's request rate, so that the traffic pattern it generates looks more like normal user access.
2. Attacking several websites at once, for example by having the automated tool send its requests to different target sites in turn. The tool still generates a very high request rate overall, but the traffic any single site receives looks like normal user access.
3. Launching the attack from multiple hosts. This is a more sophisticated approach: the attack no longer comes from a single, easily identifiable IP address.
A high incoming request rate is therefore a clue, but not an absolute identifier of an automated attack. More clues are needed.
II. HTTP headers
The HTTP headers provide another valuable clue to the nature of incoming traffic. For example, the automated SQL injection tools sqlmap, Havij, and NetSparker identify themselves with descriptive User-Agent strings in the HTTP request header, because they are built for legitimate penetration testing (even though malicious hackers also use them). Likewise, attacks launched from Perl scripts (Imperva points out that Perl is one of hackers' favorite programming languages) may carry the "libwww-perl" User-Agent.
Obviously, any traffic carrying the User-Agent string of one of these tools should be blocked. Of course, these strings can be changed, but an unskilled "novice" hacker often does not realize this, or even that the strings are there in the first place.
Even when a tool sends no immediately recognizable string, Imperva's research found that many tools omit headers that regular browsers send with every web request, including the Accept-Language and Accept-Charset headers.
A savvy hacker configures the tool to add such headers, but many hackers do not. Missing Accept headers should therefore raise suspicion; combined with a high request rate at the same time, they are a very strong indication that the traffic is malicious.
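As an added example (not from the article or from Imperva), the script below applies the request-rate sign from section I together with the User-Agent and Accept-header checks above to a constructed log in an assumed pipe-delimited format (timestamp|ip|User-Agent|Accept-Language|Accept-Charset, with "-" for an absent header). The tool names, the 70-requests-per-minute figure, and the rule that a single clue only earns a review rather than a block all follow the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta
TOOL_UA_MARKERS = ("sqlmap", "havij", "netsparker", "libwww-perl")  # tools named in the article
RATE_PER_MINUTE, WINDOW = 70, timedelta(seconds=60)  # the article's figure for automated tools

def parse_log(text):
    # Group requests by client IP. Constructed line format (assumed, not a real server format):
    # <ISO timestamp>|<client ip>|<User-Agent>|<Accept-Language or ->|<Accept-Charset or ->
    by_ip = defaultdict(list)
    for ts, ip, ua, lang, charset in (line.split("|") for line in text.strip().splitlines()):
        by_ip[ip].append({"ts": datetime.fromisoformat(ts), "ua": ua,
                          "accept_ok": lang != "-" and charset != "-"})
    return by_ip

def peak_rate(timestamps):
    # Largest request count from one source inside any 60-second window.
    ts, best, start = sorted(timestamps), 0, 0
    for end, t in enumerate(ts):
        while t - ts[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify(by_ip):
    # Per-IP verdict from three indicators: tool User-Agent, request rate, missing Accept-* headers.
    verdicts = {}
    for ip, reqs in by_ip.items():
        reasons = set()
        if any(m in r["ua"].lower() for r in reqs for m in TOOL_UA_MARKERS):
            reasons.add("tool_user_agent")
        if peak_rate(r["ts"] for r in reqs) > RATE_PER_MINUTE:
            reasons.add("high_request_rate")
        if not all(r["accept_ok"] for r in reqs):
            reasons.add("missing_accept_headers")
        strong = "tool_user_agent" in reasons or {"high_request_rate", "missing_accept_headers"} <= reasons
        # a single clue may be a crawler, CDN or proxy: flag it for review rather than blocking
        verdicts[ip] = ("block" if strong else "review" if reasons else "ok", sorted(reasons))
    return verdicts

def sample_log():
    # Constructed traffic: a human, a self-identifying tool, a disguised tool and a proxy-like source.
    base, lines = datetime(2012, 3, 1, 10, 0, 0), []
    for i in range(90):  # 90 requests inside one minute from each of the three fast sources
        t = (base + timedelta(seconds=i * 0.66)).isoformat()
        lines += [f"{t}|203.0.113.5|sqlmap/1.0|-|-",          # named tool, no Accept-* headers
                  f"{t}|203.0.113.9|Mozilla/5.0|-|-",         # browser UA but no Accept-* headers
                  f"{t}|192.0.2.40|Mozilla/5.0|en-US|utf-8"]  # fast but browser-like: review only
        if i % 15 == 0:  # the human visitor: one request roughly every ten seconds
            lines.append(f"{t}|198.51.100.7|Mozilla/5.0|en-GB|utf-8")
    return "\n".join(lines)
```

Running `classify(parse_log(sample_log()))` blocks the two sources that combine clues and only marks the fast browser-like source for review, as the article recommends.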
III. Attack tool signatures
The operations an attack tool can perform are determined by its code and are limited in range. By analyzing traffic records from attacks later confirmed to be automated, Imperva found that patterns sometimes emerge, such as specific strings in the SQL fragments a tool generates during SQL injection, that identify the one tool that produced them. (Sometimes these strings can also be found in the tool's source code.)
These signatures can be used to define basic blocking rules for a firewall, but note that they may change in later versions of the tools.
IV. Abnormal geographic location
Imperva found that about 30% of high-speed automated SQL injection attacks originated from China, with others coming from "unusual" countries such as Indonesia and Egypt. Rachwald says suspicious traffic is traffic from any country you would not expect your visitors to come from. "If you are a small retail store in London, why are there visitors from China?" he asks.
On its own, traffic from a distant region proves nothing, especially during traffic peaks. But combined with other signs, such as missing Accept headers or a high incoming request rate, it warrants careful checking and possibly blocking outright.
V. IP address blacklists
When an attack is detected, its source IP address can be recorded. Imperva's team found that automated attacks generally come from a single IP address, which stays active for 3 to 5 days on average; some addresses generate continuous malicious automated traffic for weeks or even months. An IP address blacklist is therefore very helpful in blocking malicious automated attacks from such sources. Cloud security providers can build valuable blacklists from the attacks their customers report and use them to protect all of their users' websites.
Paul Rubens is an excellent technology journalist who has covered IT security for more than 20 years. His international publications include The Economist, The New York Times, The Financial Times, The Guardian, the BBC, and Computing.
Topowers translation by Eddie, http://www.topowers.net
Original article: http://www.esecurityplanet.com/hackers/five-signs-website-automated-attack-sql-injection-remote-file-inclusion.html