Denial of Service

Denial of Service (DoS) is a general attack category in which access to network applications or data is denied to intended users. DoS conditions can be created via many techniques. The most common technique used in database environments is to overload server resources such as memory and CPU by flooding the network with database queries that ultimately cause the server to crash. The motivations behind DoS attacks are often linked to extortion scams in which a remote attacker will repeatedly crash servers until the victim meets their demands. Whatever the source, DoS represents a serious threat for many organizations.

Mitigation

  • Discovery and Assessment

Scan for Vulnerabilities: Understanding vulnerabilities that expose databases to SQL injection is essential. Malware may be looking to exploit known database vulnerabilities, making un-patched databases an easy target. Weak authentication rules can enable a DoS attack by granting access to a database without needing a password. Use vulnerability assessment tools to detect security vulnerabilities, misconfigurations, and missing vendor patches. Assessments should use industry best practices for
database security, such as DISA STIG and CIS benchmarks.

Mitigate Vulnerabilities: If a vulnerability is discovered and the database vendor hasn’t released a patch, a virtual patching solution should be used. Applying virtual patches will block attempts to exploit vulnerabilities without requiring actual patches or changes to the current configuration of the server. Virtual patching will protect the database from exploit attempts until the patch is deployed. Again, focus on patching high-risk vulnerabilities that can facilitate DoS and SQL injection attack.

  • Monitoring and Blocking

Real-Time Alerting and Blocking: Monitor all database access activity and usage patterns in real time to detect data leakage, unauthorized SQL transactions, and protocol and system attacks. When attempts to access unauthorized data occur, generate alerts or terminate the user session. Use a solution that leverages policies – both pre-defined and custom – that inspect database traffic to identify patterns that correspond to known attacks, such as DoS attacks, and unauthorized activities. Security policies are useful for not only detecting excessive privilege abuse by malicious, compromised, or dormant users, but also for preventing most of the other top ten database threats.

Detect Unusual Access Activity: Establish a comprehensive profile of each database user’s normal activity. These baselines provide the basis for detecting DoS, malware, SQL injection, and anomalous activities. If any user initiates an action that does not fit their profile, log the event, generate an alert or block the user. Creating activity-based user profiles increases the likelihood of detecting inappropriate access to sensitive data.

Impose Connection Controls: Prevent server resource overload by limiting connection rates, query rates, and other variables for each database user.
Validate Database Protocols: Leverage database activity monitoring solutions that can analyze the protocol and isolate random/anomalous communications. When atypical communication events are detected, the solution should trigger an alert or block the transaction.

Response Timing: Database DoS attacks designed to overload server resources lead to delayed database responses. This includes delays in both individual query responses and the overall system. Use solutions that monitor response timing and generate alerts when response delays or system sluggishness is observed.