Online Security and Hungry Caterpillars – they have a lot in common…

Websites or online services come under constant attack from hackers using automated scripts. If left unmanaged, such attacks can consume sufficient resources to impact your quality of service, negatively impacting your brand. This article explains why this is a major problem and what the solution is.

Online Security Matters, Dictionary Attacks are everywhere

Every online service, no matter its complexity or size, is under constant attack from hackers. One of their favourite mechanisms of attack is called the ‘dictionary attack’ – this is where they find a login page and then try to go through all realistic combinations of usernames and passwords to gain entry. For the hacker this is usually a very low-cost exercise, as they are making use of either hacked machines they ‘own’ or botnets. In effect they have externalised the cost and made it someone else’s expense, so they can leave the scripts running 24×7 at zero cost (to them), always trying to find a way in.

The problem comes when you are on the receiving end of all these dictionary attacks. Hackers usually do not write them to be ‘respectful’ of your need to also service genuine users; the scripts tend to go as fast as you can respond to them, as the hacker wants to break into your website or service as quickly as possible. This means such scripts can place a sizeable load on your website and thereby impact your operational costs in a big way; this is where the caterpillars come in…

The Caterpillars are always hungry…

At home I grow a number of tomato plants, the aim being to produce a harvest of sufficient tomatoes to make it worth the effort (plus fresh tomatoes are very tasty!). The trouble is these plants also get attacked by caterpillars, which impact the effective ‘yield’ I can achieve, i.e. how many tomatoes get ruined by the actions of the caterpillars, thereby reducing the total crop.

I have two options to deal with the caterpillar problem:

  1. Leave the caterpillars alone and treat it as an acceptable cost of doing business;
  2. Go on the defensive and actively stop the caterpillars.

Now the first may seem a rather simple but effective approach to take: I’ll just plant a few more tomato plants to get the number of tomatoes I want and cover my losses, and that’s it. The trouble is that the number of caterpillars at any one time does not have a strict upper bound; you may have one one day and a thousand the next. The caterpillars are not in on your capacity planning and are operating by their own rules – all they want is your tomatoes!

Too much data garbage

The other problem with dictionary attacks is that they can create rather a lot of ‘noise’ in your system; by this I mean creating loads of data or queries that have no value whatsoever. In effect it’s data garbage that needs to be cleaned out of your activity logs and system logs. This can work against mechanisms of intruder detection or dynamic load management by ‘hiding’ the true patterns of usage, causing a degraded security framework and additional costs to boot.

An Active Defence solution is the only way

The core problem is this: if you don’t actively defend yourself against such dictionary attacks, you may get away with it for 99% of the time, but there will be a day when multiple scripts all turn up at once and saturate your servers to such an extent that everything will grind to a halt in a most horrid fashion. Of course there is also the risk that the hacker may actually succeed in finding a valid username and password – if you leave them to it, then it becomes just a matter of time until all hell breaks loose.

Basically, active defence is not optional, it’s an essential! The cost of implementing and operating such security infrastructure need not be prohibitive, and will usually pay for itself in the reduced costs of doing business online. It also has the nice secondary benefit of letting the script kiddies know that you are onto them; in effect, once they work out you are too difficult a nut to crack, they will stop (I’ve seen this happen, they are not that dumb). Remember they are running a business (admittedly an illegal one), and banging your head against security that is always going to defeat you is not a profitable undertaking. Most hackers do not have the resources to work out some custom solution to deal with your specific security, plus there are plenty of other less secure fish in the sea…
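
One way to put the active defence described above into practice, as an added example that is not code from the original article or from Aykira: a per-source sliding-window limiter that refuses further login attempts once a source has failed too often. The class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Hypothetical per-source limiter for failed logins (illustrative only)."""

    def __init__(self, max_failures=5, window=60.0, block_for=900.0):
        self.max_failures = max_failures      # failures tolerated inside the window
        self.window = window                  # sliding window length, seconds
        self.block_for = block_for            # how long a source stays refused, seconds
        self._failures = defaultdict(deque)   # source -> times of recent failures
        self._blocked_until = {}              # source -> time the block expires

    def is_blocked(self, source, now):
        until = self._blocked_until.get(source)
        if until is None:
            return False
        if now >= until:                      # block has expired, forget it
            del self._blocked_until[source]
            return False
        return True

    def record_failure(self, source, now):
        recent = self._failures[source]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # drop failures older than the window
        if len(recent) >= self.max_failures:
            self._blocked_until[source] = now + self.block_for
            recent.clear()


def replay(events, throttle):
    """Replay (time, source, ok) events; count password checks and refusals per source."""
    checked, rejected = defaultdict(int), defaultdict(int)
    for now, source, ok in events:
        if throttle.is_blocked(source, now):
            rejected[source] += 1             # refused before any password check
            continue
        checked[source] += 1                  # this attempt reached the password check
        if not ok:
            throttle.record_failure(source, now)
    return dict(checked), dict(rejected)


# Constructed sample: one script guessing four times a second for 50 seconds,
# plus one genuine user who mistypes once and then logs in.
SAMPLE_EVENTS = sorted(
    [(i * 0.25, "203.0.113.7", False) for i in range(200)]
    + [(10.0, "198.51.100.20", False), (15.0, "198.51.100.20", True)]
)
```

Keying on source address alone misses guessing spread thinly across a botnet, so a real deployment would also count failures per target username. Refused attempts can be logged separately from genuine failures, which keeps them out of the usage patterns that intruder detection relies on.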

If you think you have a need for such online active security or just want to discuss it – please get in touch today – Aykira has direct experience implementing such technologies.

