ColdFusion Muse

SQLi Attack on the Rise (Film at 11:00)

Unless you have had your head in the sand (those of you on your honeymoon are excused) you know that the ColdFusion world has been awash in SQL Injection attacks over the last month. Anecdotally I am seeing a significant increase in attacks this week - about 15 times what they were a few days ago. Michael Dinowitz reports that House of Fusion was receiving 4000 attacks in 5 minutes (that's nearly 50 thousand an hour). Brad Wood reports no less than 90 requests per second. The suspicion is that the attack is driven by searching Google for sites with ".cfm" pages. That means the more successful you are at search engine optimization, the more likely you are to be targeted. Conversely, if you don't have a good number of pages ranked, you will probably see fewer attacks.

It seems these attacks are orchestrated using infected computers throughout the internet. Some effort is underway to collect IP addresses to see if a pattern emerges. I suspect that approach will not yield fruit, but I still applaud the effort. We (CF Webtools) are continuing to assist customers in any way we can - everything from wholesale changes to sites, to blacklist techniques, to friendly advice over the phone. As these attacks accelerate they become more like Denial of Service attacks than anything else. Even if you are binding all your variables and you have great controls, you will still have to deal with a bombardment of thousands of requests against your CF pages. I recommend that you use one of the many blacklist techniques out there - at least temporarily. Some folks started out sending email alerts when these attacks are underway but quickly discovered that the volume of email can be pretty hefty. I recommend just killing the request - abort it at the top of your application, prior to the application being instantiated. Then at least you have kept it from filling up your error log. Meanwhile this round of attacks has had the positive effect of causing folks to suddenly pay attention to a great deal of vulnerable code. Here's another silver lining you may not have considered...

The Silver Lining

ColdFusion evangelist and luminary Ben Forta did manage to find a silver lining. In a recent CF-Talk post he said (and I quote):

"On the plus side, it's nice to see CF finally getting the recognition it deserves, even if it is from parasitic bottom-feeding bots created by despicable scum-sucking feeble-excuse-for-a-carbon-based-life-form repugnant socially-inept basement-dwelling death-penalty-deserving hacker-wannabes."

I'm pretty sure that Ben speaks for all of us.

If you are just hitting this issue, click through the related posts below or just read nearly all the ColdFusion Muse posts since July 18th. There are mitigation techniques and links to tools that can help. In particular, check out the post that provides a thorough explanation of the attack. Make sure to read the comments as well for a good list of tips.

Comments
As these attacks get worse and worse, I would suggest adding rules to Apache or IIS to stop these requests before they even get to ColdFusion. The web server process can generally handle a lot more traffic than the ColdFusion process.
# Posted By Ryan Stille | 8/8/08 11:37 AM
Why does the CF community think it's just CF sites that are being attacked? It's affecting every technology, .net, php, etc. CF is no more susceptible to these attacks than any other type of server technology and loads of non-CF blogs and forums have been boiling with activity over these attacks for the past two weeks.

The attackers don't give two hoots what the web server is using. Check this article out and also the Google searches it links to. http://www.theregister.co.uk/2008/08/07/new_sql_at...
# Posted By Gary Fenton | 8/8/08 1:02 PM
@Gary,

Of course attackers don't care. This started with ASP sites and is "crawling its way" across the net. But it only recently started showing up on CF sites (as of July 15 or 16); prior to that it was largely an ASP problem.

Perhaps it just "spilled over" to CF as the attacks accelerated. In any case, thanks for your comments and the link. And don't be too hard on the CF community - we are a tight-knit bunch :)

mark
# Posted By Mark Kruger | 8/8/08 1:09 PM
Ryan,

Do you have any resources or guides on how you would lock down IIS? We thought the same thing this morning, but didn't want to make any changes until we had some direction.
# Posted By Matt | 8/8/08 1:53 PM
Ha, Matt, I tried to post some rewrite rules but I am getting an error that I must be trying to hack the site! I will send them directly to Mark and ask him to post them.
# Posted By Ryan Stille | 8/8/08 1:58 PM
@Ryan,

I put up a new post just now with your rules in it. FYI - I have permissioned you to be able to post.

-Mark
# Posted By Mark Kruger | 8/8/08 2:56 PM
How do I need to tweak this to get it to work with mod_rewrite?
# Posted By sb | 8/11/08 2:49 PM
This should give you a start for mod_rewrite. This only operates on the URL scope of course, as does the IIS rewrite option. For Apache, something like mod_security could also look at the form, cookie, etc. data.

RewriteEngine On
# [NC] on the condition makes the DECLARE match case-insensitive; [L] stops further rule processing
RewriteCond %{QUERY_STRING} DECLARE [NC]
RewriteRule ^(.*)$ /violation.htm [L]
# Posted By Ryan Stille | 8/11/08 3:00 PM
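The post recommends aborting a request at the top of the application when it carries the attack signature, and the mod_rewrite comment above filters on the keyword DECLARE in the query string. The following is an added example, written for this page and not code from the blog, CF Webtools, or any commenter. It models that blacklist decision in Python so the two approaches can be compared on the same constructed requests: a case-insensitive signature applied to the percent-decoded URL parameters and to form fields, next to a model of the comment's original case-sensitive `RewriteCond` without `[NC]`. The signature keywords, the decode bound, and every sample request are assumptions constructed for the demonstration (the hex constant is a placeholder, not a captured payload).

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed signature for the request-time blacklist the post recommends:
# T-SQL batch keywords (DECLARE @..., CAST(0x... AS ..., EXEC( ) that have no
# business in a web parameter. IGNORECASE matters: a case-sensitive match is
# trivially missed by a mixed-case variant of the same request.
SQLI_SIGNATURE = re.compile(
    r"\bDECLARE\s+@|\bCAST\s*\(\s*0x[0-9a-f]+\s+AS\b|\bEXEC\s*\(",
    re.IGNORECASE,
)

MAX_DECODE_ROUNDS = 3  # bounded so nested encoding cannot make this loop forever


def normalize(value):
    """Percent-decode until stable (at most MAX_DECODE_ROUNDS) so the signature
    is applied to what the database would eventually see, not the wire form."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_sqli_probe(query_string, form_fields=None):
    """True if the raw query string, any decoded URL parameter, or any form
    field matches the signature. This is the decision an Application.cfm check
    over the url and form scopes would make before the application is
    instantiated (the "abort at the top of your application" advice)."""
    candidates = [query_string, normalize(query_string)]
    candidates += [normalize(v) for _, v in parse_qsl(query_string, keep_blank_values=True)]
    candidates += [normalize(v) for v in (form_fields or {}).values()]
    return any(SQLI_SIGNATURE.search(c) for c in candidates)


def rewritecond_would_block(query_string):
    """Model of the comment's original rule, RewriteCond %{QUERY_STRING} .*DECLARE.*
    without [NC]: a case-sensitive substring test on the raw query string, which
    never sees percent-encoded text decoded and never sees the form scope."""
    return "DECLARE" in query_string


# Constructed sample traffic (not real captured requests): (query string, form fields).
SAMPLE_REQUESTS = [
    ("id=42&sort=price", {}),                                                   # benign
    ("id=42;DECLARE @s VARCHAR(4000);SET @s=CAST(0xDEADBEEF AS VARCHAR(4000));EXEC(@s);--", {}),
    ("id=42;dEcLaRe @s varchar(4000);exec(@s)", {}),                           # mixed case
    ("id=42%3B%44%45%43%4C%41%52%45%20%40s%20varchar%284000%29", {}),          # percent-encoded
    ("id=42", {"comment": "nice site;DECLARE @s VARCHAR(4000);EXEC(@s)"}),     # form scope only
]


def classify(requests=SAMPLE_REQUESTS):
    """Return (blacklist_decision, rewritecond_decision) for each request."""
    return [(is_sqli_probe(q, f), rewritecond_would_block(q)) for q, f in requests]


if __name__ == "__main__":
    for (q, f), (blocked, rw) in zip(SAMPLE_REQUESTS, classify()):
        print(f"blacklist={blocked!s:5} rewritecond={rw!s:5}  {q[:60]}")
```

Run stand-alone, the table shows the uppercase request caught by both checks, while the mixed-case, percent-encoded, and form-only variants are caught only by the decoded, case-insensitive check. That is the practical reason to put `[NC]` on the `RewriteCond` and, as the comment notes, to use something that sees the form scope (mod_security, or the check in Application.cfm) rather than relying on the query string alone.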

Blog provided and hosted by CF Webtools. Blog Software by Ray Camden.