Automated Attacks
Overview
In automated attacks, the attacker uses scripts to request webpages in order to achieve some malicious goal. The speed at which webpages can be requested makes possible attacks which could not be easily or quickly carried out by a human. Through automated attacks, an attacker can bruteforce passwords, scan the site for vulnerabilities, and otherwise exploit the website's functionality. A number of tools exist to assist attackers in carrying out automated attacks.
What makes a site vulnerable?
A site may be subjected to automated attacks if it accepts and processes all requests without adequately determining whether or not the request came from an automated script. The site will be vulnerable to abuse if it offers functionality whose security relies on its only being used a limited number of times. One example of such functionality is a login page which does not attempt to limit the number of failed login attempts. Another is a credit card payment mechanism which costs the website owner a small fee for each failed credit card transaction.
Impact of the attack
The impact of the attack depends on the functionality of the website being attacked. The attacker may be able to use automated attacks to perform denial of service attacks, guess secret values such as passwords, search for 'hidden' files, and use the site to create many disposable accounts (e.g. for use in spamming). Tools for automated vulnerability scanning can also provide a stepping stone for other forms of attack against the website. Another form of automated attack is mirroring. By requesting all pages on a website, the attacker can create a site which appears identical to yours. This can be used for stealing copyrighted material or as part of a phishing scam. Automated attacks can also involve harvesting information from the website, including email addresses for spamming purposes.
Preventing the attack
If automated attacks can be prevented, the likelihood of many types of security holes in the website being exploited decreases. This is because vulnerability scanning tools become ineffective and it becomes more time-consuming for the attacker to identify weaknesses in the site. Preventing automated attacks will also limit opportunities for the misuse of functionality offered by the website. A range of defensive strategies exist which offer varying levels of protection against automated attacks, including:
- Quotas - Requests of certain types are limited based on properties of the requestor. For instance, a limit may be placed on the number of failed logins originating from a particular IP address within a given time period.
- Time delays - Where an operation is at risk from automated attacks, each instance of the operation may result in a time delay which is aimed at slowing down repeated executions of the operation.
- Referrer checks - If a particular page should only be reached from some other page, then it is possible to restrict some attacks on the target page by checking that the request's Referer header is set to that other page. If not, it may be an indication of an automated attack. This will work against general automated attack tools, but can easily be defeated by attack tools written to specifically target your site, since the header is supplied by the client.
- Turing tests - These require the requestor to perform an action which is easy for humans but hard for automated scripts. An example is the use of CAPTCHA images in which the requestor must enter the code shown in an image. These can be effective if done well, but can be inconvenient to users and bots are getting pretty good at reading them.
- Client-side code - Client-side code is not executed by many attack tools, and so can be used as a possible defence. The code can contain redirection information which indicates where to download the page content from. If the attack tools do not execute the code then they will not find the page content. Variations on this include having the client-side code rewrite links with a token authorising the link (without the rewriting, the links do not point to valid content), or having the client-side code perform some computationally expensive operation in order to calculate the token (thus slowing the rate of requests). Note though that some attack tools will execute client-side code. Additionally, some users will have disabled the execution of client-side code and will not be able to access your site if client-side code defences are used.
Negative captchas offer a technique for handling form submissions by automated software. Often such software seeks out forms and submits spam information (e.g. links to viagra sites) in the hope that the information will be displayed on a webpage. With negative captchas, additional form fields are created which are then hidden from the user (e.g. via JavaScript or CSS). The user won't fill them out as they won't see them. But the spam software will, and so submissions for which these fields have been filled out can be ignored.
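The quota strategy from the list above (failed logins per source IP within a time window) and the negative captcha check can be implemented on the server side as shown here. This is an added example, not code from the original page; the honeypot field names, the quota limits and the `check_credentials` callback are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class FailedLoginQuota:
    """Sliding-window count of failed login attempts, keyed by client IP.

    Defaults (assumed for this example): at most 5 failures per 300 seconds.
    """

    def __init__(self, max_failures=5, window=300):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def _prune(self, ip, now):
        # Drop failures that have fallen outside the time window.
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        self._prune(ip, now)
        return len(self._failures[ip]) >= self.max_failures

    def record_failure(self, ip, now=None):
        now = time.time() if now is None else now
        self._prune(ip, now)
        self._failures[ip].append(now)

    def record_success(self, ip):
        self._failures.pop(ip, None)


# Negative captcha: these fields are hidden from humans via CSS (names are assumed).
HONEYPOT_FIELDS = ("website_url", "fax_number")


def is_negative_captcha_triggered(form):
    """True when any hidden honeypot field was filled in, i.e. likely a bot."""
    return any(form.get(name, "").strip() for name in HONEYPOT_FIELDS)


def handle_login(quota, ip, form, check_credentials, now=None):
    """Apply quota then honeypot check; returns 'blocked', 'bot', 'ok' or 'failed'."""
    if quota.is_blocked(ip, now):
        return "blocked"
    if is_negative_captcha_triggered(form):
        quota.record_failure(ip, now)  # count bot submissions against the quota too
        return "bot"
    if check_credentials(form.get("username", ""), form.get("password", "")):
        quota.record_success(ip)
        return "ok"
    quota.record_failure(ip, now)
    return "failed"
```

Keying the quota by IP alone is the simple form described above; shared proxies and address-hopping attackers are the usual reasons to combine it with a per-account counter as well.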