One Attacker With A Single PC Can Now Bring Down A Whole Server Cluster. Got Any Unhappy Customers?

The days of the classic botnet distributed denial-of-service attack may be numbered, and that isn't necessarily good news for retail chains. On January 6, a cyberthief-friendly programmer made public a one-line attack that could enable a single attacker to bring multiple servers to their knees. That moves DDoS out of the realm of requiring a costly botnet for a high-bandwidth mass attack—and brings it into range for a single irritated teenager.

The vulnerability that attack uses is easily fixed. What's really worrisome is what makes the attack practical: the new ability to target server weaknesses that have been known for years—but no one worried about.

The new security hole showed up between Christmas and New Year's at the Chaos Communication Congress in Berlin. Researchers Alexander Klink and Julian Walde outlined a way for an attacker to chew up server CPU time by feeding a Web form thousands of carefully selected fake variable names. Because of a flaw in the way most Web application frameworks use hash tables—the structure in which submitted variable names are stored—the right fake variable names all collide into the same slot, so every lookup or insertion has to walk through every name already stored there and uses up unusually large amounts of CPU time. Pile up enough of those searches, and an attack can cripple a server.

How bad is this attack? Here is Microsoft's security analysis, published the same day as Klink and Walde's presentation: "This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a Web server, or even on a cluster of Web servers. For ASP.NET in particular, a single specially crafted 100kb HTTP request can consume 100 percent of one CPU core for between 90 and 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers."

In practice, that means a single attacker with a typical home Internet connection could continuously tie up 20 CPU cores. (An attacker with a really fat connection—say, a college student who can upload at gigabit speeds—could tie up about 30,000 processors. But that's overkill for attacking any real-world E-Commerce site.)

It's not hard to block this type of attack, and Microsoft and other Web application framework vendors have issued patches for the vulnerability. (To their credit, Klink and Walde actually started notifying vendors of the problem two months before they made their presentation.) But it's the thinking behind the attack that we should be worried about.
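To make the mechanism described above concrete from the defender's side, here is an added illustration that is not part of the original article and not any vendor's code: a toy chained hash table that counts key comparisons while form fields are inserted, a constructed set of field names that all collide under a deliberately weak hash, and the two generic mitigations of the kind the patches relied on: a cap on the number of fields accepted per request and a keyed (randomised) hash. The hash functions, bucket count and field cap are assumptions chosen for the demonstration, not the values any real framework uses.

```python
import hashlib
import itertools

class CountingTable:
    """Chained hash table that counts key comparisons made while inserting."""

    def __init__(self, nbuckets=256, key=None):
        self.buckets = [[] for _ in range(nbuckets)]
        self.key = key          # None = predictable toy hash; bytes = keyed hash
        self.comparisons = 0    # work done walking collision chains

    def _bucket(self, name):
        if self.key is None:
            # Weak, predictable toy hash (constructed for illustration): sum of
            # character codes. Every anagram of a name lands in the same bucket.
            h = sum(ord(c) for c in name)
        else:
            # Keyed hash: bucket placement depends on a per-process secret, so
            # no fixed list of names collides reliably. This is the
            # randomised-hashing mitigation.
            digest = hashlib.blake2b(name.encode(), key=self.key, digest_size=8)
            h = int.from_bytes(digest.digest(), "big")
        return h % len(self.buckets)

    def insert(self, name, value):
        chain = self.buckets[self._bucket(name)]
        for entry in chain:            # walk the chain looking for a duplicate
            self.comparisons += 1
            if entry[0] == name:
                entry[1] = value
                return
        chain.append([name, value])

def colliding_names(n):
    """Constructed field names that all collide under the toy hash: anagrams."""
    perms = itertools.permutations("abcdefg")
    return ["".join(p) for p in itertools.islice(perms, n)]

def parse_form(body, max_fields, key=None):
    """Parse 'a=1&b=2' into a CountingTable, refusing over-long field lists.

    max_fields is the request-level cap mitigation: the body is rejected
    before any hashing work is spent on it.
    """
    pairs = body.split("&") if body else []
    if len(pairs) > max_fields:
        raise ValueError(f"too many form fields: {len(pairs)} > {max_fields}")
    table = CountingTable(key=key)
    for pair in pairs:
        name, _, value = pair.partition("=")
        table.insert(name, value)
    return table
```

With 500 colliding names the unkeyed table performs 500*499/2 = 124,750 comparisons (quadratic in the field count), while the same body hashed with a secret key such as `os.urandom(16)` spreads the names across buckets and costs only a few hundred.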

Until now, E-tail sites have mostly been threatened with huge brute-force attacks. It was an arms race, and until last year, those attacks just kept getting bigger: Shortly after Black Friday 2010, several online retailers were hit with DDoS attacks that were 50 times the size of previous attacks.

But brute-force attacks can only get so big, and last year attackers started to get smarter. They began to go after online gambling sites with attacks that targeted routers instead of Web servers. Those attacks are harder and more costly to defend against—and relatively cheaper for an attacker to launch.

Brute-force attacks require hiring botnets. That's expensive for attackers. But the more damage an attack can do with each packet, the more cost-effective it is. Really smart attacks—like this hash-table attack—give attackers a huge bang for their buck.

Those smart attacks are also appealing to serious attackers for other reasons. At this point, data-center defenders understand botnet attacks. They can buy appliances specifically designed to filter out the problem packets. Punching through that armor is even more expensive for the bad guys. Attacks that are smarter and more targeted, on the other hand, hit E-Commerce sites where their defenses aren't.

And although there are limited ways of marshaling botnets for a mass attack, there may be an almost endless supply of vulnerabilities like the hash-table problem that can be exploited.

And for E-tailers, that's a problem, because so much of their online application infrastructure is a black box provided by Microsoft, IBM, Oracle or some other application framework vendor. They assume it will work, and that the vendors have built the framework so it won't fall over under attack.

As this hash-table problem shows, that's just not always the case. This vulnerability has been around for years. It just didn't seem to matter, because calculating enough of the right fake variable names to launch an attack was just too much trouble for most bad guys. There were easier ways of attacking. And because it was a low-probability threat, app-framework vendors didn't give it a lot of thought.

Now they have to—and none of them can say for sure how many other low-probability risks they've been ignoring for years.

And that's just the threat from criminals who are in it for the money. What's much worse in some ways for E-tailers is the fact that really smart attacks make it possible for small groups of script kiddies to go after big targets. Even one disgruntled teenager can make a good run at a major chain.

That means instead of an arms race, network security teams may be facing the equivalent of DDoS guerrilla warfare. And instead of defense against big, infrequent attacks, the successful strategy will be quick action against an endless stream of newly discovered vulnerabilities.