243 posts categorized "ADC Team"
January 24, 2012
 Anonymous Takes Down Brazilian Websites

Yesterday we mentioned that the Polish government experienced numerous DDoS attacks.  Today, it is Brazil's turn.

Brazil

This pastebin site shows that several Brazilian government sites were brought down:  

http://pastebin.com/sSi54WFf 

Here's an image of a downed Brazilian government site:

http://img855.imageshack.us/img855/5739/brasiloff.png

All in all, many websites were taken down. The fact that most of them are up again indicates that this was not the most sophisticated attack. However, the speed and power of the DDoS attacks is something to worry about.  

Looking at the LOIC downloads in Brazil, they were high but not compared to the US, Poland or France. It seems these attacks were propagated mostly through websites that enabled DDoS attacks.

 

 

December 18, 2011
 LulzXmas Interview

Interesting interview on Anonymous' site explaining the "Spirit of LulzXmas," a hacking campaign that claims to have "spent over $76,000 of the banks lovely money."  (For more on who actually funds these campaigns, read here.)  There is no way to corroborate whether any of this is true, but it is interesting to see how hacktivism continues to evolve.

Some highlights:

  • The objective:  "aiming for a million by xmas"
  • The process
    • "we hack massive hosts to get the VPS’s [virtual private server] and domains etc then we hit banks accounts terminals to literally steal from the rich and put in virtual e-credit cards"
    • They also use SQL injection.  In one case, they stole clothes online:  "the website was SQLi vuln so we hacked it"
  • The impact:  they claim to have stockpiled "25 x $50K" in virtual credit cards.  They're using this to buy
    • Apple products: "iPods, iPads, iphones etc iPad is more asked 4"
    • Pizzas for the occupy movements.

One question the interviewer failed to ask:  "How do you feel about raising credit card and banking fees for the 99% as a result of your hacking campaign?"

 

December 14, 2011
 Enterprise Password Worst Practices

Nearly two years ago, Imperva's ADC published a detailed analysis of 32 million breached passwords in our report Consumer Password Worst Practices.  Today, Tsvika Klein from Imperva's ADC published a "sequel", Enterprise Password Worst Practices.  The report is available here (no registration required).  

Our first report was aimed at consumers.  This second is aimed at the IT geeks who manage the technical infrastructure to safeguard passwords.

Our contention:  rather than consumers, we believe the responsibility rests on enterprises to put proper password security policies and procedures in place as part of a comprehensive data security discipline. Security teams should treat passwords as highly valuable data.  We hope this paper guides enterprises in rectifying poor password management practices.

The report details:

  • How hackers bypass the security controls meant to protect passwords.
  • Popular, key online resources hackers employ, including one website containing 50 billion possible password permutations.
  • Key steps that Imperva recommends enterprise IT teams undertake in order to mitigate password breaches.

 

December 13, 2011
 Top Cyber Security Trends for 2012: #1

Our other trends are here:

Nine
Eight
Seven
Six
Five
Four
Three
Two
One

On December 14th, Imperva's CTO Amichai Shulman will be hosting a webinar, talking you through the ADC's predictions.  To register, click here.

 

Trend #1: Security (Finally) Trumps Compliance

In 2012 we expect to see security decisions driven not by compliance but for the simple reason of… security.

It sounds simple enough, but in previous years we have seen an influx of laws and regulations that drove budgets and security solutions. PCI, SOX and data privacy acts around the world were all used as reasons to feed the security budget.  But this approach often backfired.  Anecdotally, when one CIO was asked about the key lesson from a major breach his firm had experienced, he answered, “Security is not about surviving the audit.”

Smart companies used these regulations as springboards to make the case for security. In fact, both a 2011 Ponemon survey and the 2010 Verizon Data Breach Report showed that PCI did improve organizations’ security stance. However, regulatory compliance is not equivalent to security and does not confer it. Heartland Payment Systems is one such example: the company passed its PCI evaluation, and yet it suffered one of the biggest breaches in history.

This past year we have seen a shift in the corporate attitude for several reasons:

  1. Breaches are costly. Security breaches such as those suffered by Epsilon, RSA and Sony dominated front page news. These high profile breaches highlighted the impact of security. Brand damage, loss of brand value, legal costs, notification costs, service outages and loss in shareholder value all became news of the day. In fact, the day after Sony’s breach announcement, the stock price dropped steeply. DigiNotar, a certificate authority that was breached in September (see the SSL trend), went under later that month. While actual assessments of the cost of this past year's breaches have not yet been made public, we can return to the Heartland Payment Systems breach for a lesson. For nearly two years financial analysts watched as large legal payments for damages were settled before the market could feel comfortable about Heartland’s ability to stabilize revenues.
  2. Companies with an online presence, regardless of size, are targeted. Not only were large corporations affected by breaches in the past year. Hackers have become very adept at automating attacks. According to the 2011 Verizon Data Breach Investigations Report, hackers have “created economies of scale by refining standardized, automated, and highly repeatable attacks directed at smaller, vulnerable, and largely homogenous targets”. In other words, in a world of automated attacks, everyone is – or will be – a target. This point was exemplified in August 2011 when USA Today published that 8 million websites were infected by malware.  Our own research highlights how applications are likely to be probed once every two minutes and attacked seven times a second.
  3. Hacktivism brings (in)security to the frontlines. Hacking groups such as Anonymous and LulzSec have received headlines when they repeatedly hacked into different corporations, large and small. Visa, PayPal, Sony Pictures, Fox.com and PBS.org, as well as countries such as Tunisia and government agencies such as InfraGard, all felt the hacktivist wrath of attacks that targeted applications and infrastructure.
  4. APT becomes an actual threat. Advanced Persistent Threat (APT) attacks are sophisticated attacks which relentlessly target corporations and governments for espionage and destruction. However, thanks to good branding by worldwide marketing and PR teams, this term has become the alternative description for any compromise that follows a corporate phishing attack.  The fear of such an attack is boosting the security budget. A recent survey by ESG indicated that due to APT concerns, 32% of respondents are increasing security spending by 6-10%.
  5. Intellectual property requires protection. Organizations are beginning to understand the risk and consequences of a compromise of their bread and butter. The biggest risk of exposure of intellectual property is actually unintentional: for example, an employee leaving the company with corporate information obtained legitimately over time, or a misconfigured server holding confidential documents (see the trend on the externalization of collaboration platforms). Organizations also face the risk of deliberate theft of data by vengeful or malicious employees. For instance, this past year a former Goldman Sachs employee received an eight year sentence for stealing proprietary software code. Compromise of intellectual property may even be performed at the hands of external hackers. In the past we saw how hackers were solely focused on credit card numbers, login credentials and other such generic commodities. Although this type of data is still on the attacker’s radar, we are starting to see hackers focusing also on intellectual property. As a case in point, consider the RSA attack, which involved data relating to the SecurID tokens.
  6. Shareholders are now involved. The SEC has recognized the impact of a security breach on a company. As a result, recently updated SEC regulations require reporting information security breaches to shareholders. If in the past breaches could have been swept under the carpet, this regulation will make it harder to do so.

For these reasons, we will increasingly see companies make sound security decisions based on actual security reasoning. Furthermore, the abundance of regulations – which ultimately try to set a minimal bar of security – will make it too costly for organizations to handle compliance on a regulation-by-regulation basis. Instead, enterprises will implement security and then assess whether they have done enough in the context of each regulation.


December 12, 2011
 Deconstructing the Black Hole Exploit Kit

This month, the science journal Nature published a story on the biggest black hole ever discovered by UC Berkeley researchers.  

What is the biggest black hole in cyber space? Imperva's malware dissection team took a careful look at the Black Hole Exploit kit anatomy.  In addition to Tomer, Sarit has now joined the team to add a feminine touch to the dissection process.

What’s New?
The new black hole exploit kit has been out and we’ve had a chance to deconstruct it.  Before we get super geeky, some general observations about the innovation in this kit:

  • Malware developers continue to use the latest tools to encrypt their malware to evade anti-virus (AV) software.  As usual, the encryption signature is new, avoiding AV: our analysis showed that 70 percent of AV software would miss this altogether.  This serves as a not-so-gentle reminder of the fundamental problem with signature-based AV: the signature changes every week with the use of a new encryption algorithm.
  • Hackers are deploying resiliency.  In the past, we’ve seen hackers deploy a single exploit server.  In this case, there were four that could be redirected if any of the URLs was taken down.

 

What are BEPs?
An exploit kit, or browser exploit pack (BEP), is a toolkit that automates the exploitation of client-side vulnerabilities.

The toolkit is a bundle of PHP and HTML files with a set of exploit files (targeting Java, PDF readers, browsers, Adobe Flash Player, etc.) designed to attack the operating system, browser or other client-side application.  Toolkits are usually heavily obfuscated using known or custom obfuscation and crypto tools to avoid detection by anti-virus vendors.

Black Hole is yet another web exploit kit developed by Russian hackers. It is a very powerful kit with a number of recent exploits, including Java and Adobe PDF exploits. One blog published (with updates) a great overview of the best-known exploit packs.

According to The Hacker News, the black market cost of the pack:

Users can purchase the annual license for $1500, semi-annual license for $1000, or just a quarterly license for $700. The license includes free software updates for the duration of the contract. For those malicious users with a commitment phobia the makers of the kit offer yet another solution. You can rent the kit (on the author’s servers) for $50 for 24 hours, $200 for 1 week, $300 for 2 weeks, $400 for 3 week, and $500 for 4 weeks. A domain name comes included with the rental agreement, but should you desire to change it you need to pay another $35. But Now its FREE HERE!


Summary:  The Infection Flow

Here’s a breakdown of the infection flow:

BEP1

The Infection Process

A live exploit pack only requires a victim “drive-by” – a trivial site visit – to start the infection process.

The click
The most common method used by BlackHole to spread is via links inside phishing emails.  We were no exception:

BEP2
 

Once clicked, we get the infamous “WAIT PLEASE LOADING……” page.

We can immediately see the four JS.JS JavaScript sources.  Each JS.JS contains a redirection to a Black Hole exploit kit server.

BEP3

The redirection
We can see that the redirection is achieved by the JS document.location property:

BEP4
The infection
Then, the exploit kit will check for vulnerable applications and will select the best exploit.

  BEP5

Deploying the payloads 
The BEP searches for several vulnerabilities to propagate itself.  By deobfuscating the above JS we can see the JavaScript functions that reveal the targets.  The code extracts the versions of the following installed applications:

  • Java
  • PDF
  • Flash 

BEP6

Here, the kit checks for the installed OS:

  BEP7

Here, the kit checks for a PDF exploitation (CVE-2008-2992/CVE-2009-0927):

  BEP8


Here, the kit checks for a Flash exploitation (CVE-2011-0611):

BEP9

 

Here, the kit gets a shellcode function:

BEP10

 

Here, the kit checks for an HCP exploitation (CVE-2010-1885):

BEP11
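The chain walked through above (a lure page with four JS.JS redirectors that each set document.location, followed by a script that probes Java, PDF and Flash versions and the OS) can be scored heuristically from a sandbox capture. The following Python is an added example, not code from the original post or from the kit; the captured chain, the .example hosts, the regexes and the score weights are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlparse

# Heuristic patterns (assumptions for this example, not kit signatures).
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
REDIRECT_RE = re.compile(r'(?:document|window|top)\.location(?:\.href)?\s*=', re.I)
LURE_RE = re.compile(r'WAIT\s+PLEASE\s+LOADING', re.I)
PROBE_PATTERNS = {
    "java": re.compile(r'navigator\.javaEnabled|JavaPlugin|deployJava', re.I),
    "pdf": re.compile(r'Adobe\s*Acrobat|AcroPDF|application/pdf', re.I),
    "flash": re.compile(r'Shockwave\s*Flash|x-shockwave-flash', re.I),
    "os": re.compile(r'navigator\.(?:userAgent|platform|appVersion)', re.I),
}
SUSPICIOUS_THRESHOLD = 5


@dataclass
class Verdict:
    script_hosts: list
    redirect_scripts: int
    probes: set
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return self.score >= SUSPICIOUS_THRESHOLD


def analyze(chain):
    """chain: ordered (url, body) pairs captured while a sandbox loads the page,
    landing page first, then every script and page fetched because of it."""
    bodies = dict(chain)
    landing_url, landing = chain[0]
    srcs = [urljoin(landing_url, s) for s in SCRIPT_SRC_RE.findall(landing)]
    hosts = sorted({urlparse(s).hostname for s in srcs if urlparse(s).hostname})
    # Included scripts whose only job is to bounce the browser elsewhere.
    redirects = sum(1 for s in srcs if REDIRECT_RE.search(bodies.get(s, "")))
    corpus = "\n".join(body for _, body in chain)
    probes = {name for name, rx in PROBE_PATTERNS.items() if rx.search(corpus)}
    score, reasons = 0, []
    if len(hosts) >= 3:
        score += 2
        reasons.append(f"{len(hosts)} distinct script hosts (redundant redirectors)")
    if redirects >= 2:
        score += 3
        reasons.append(f"{redirects} included scripts just set document.location")
    if len(probes & {"java", "pdf", "flash"}) >= 2:
        score += 2
        reasons.append("fingerprints client plugins: " + ", ".join(sorted(probes - {"os"})))
    if "os" in probes:
        score += 1
        reasons.append("fingerprints OS / user agent")
    if LURE_RE.search(landing):
        score += 1
        reasons.append("'WAIT PLEASE LOADING' lure text")
    return Verdict(hosts, redirects, probes, score, reasons)


# Constructed sample chain (placeholder .example hosts): a lure page with four js.js
# includes on four hosts, each redirecting to the same kit landing script.
REDIRECTORS = [f"http://redirector-{i}.example/js.js" for i in range(1, 5)]
LURE_HTML = ('<html><body><h2>WAIT PLEASE LOADING......</h2>'
             + "".join(f'<script type="text/javascript" src="{u}"></script>' for u in REDIRECTORS)
             + "</body></html>")
KIT_URL = "http://kit.example/main.php?page=PLACEHOLDER"
FINGERPRINT_JS = """
var ua = navigator.userAgent, hasJava = navigator.javaEnabled();
var pdf = navigator.plugins["Adobe Acrobat"], fl = navigator.plugins["Shockwave Flash"];
"""
MALICIOUS_CHAIN = ([("http://lure.example/index.html", LURE_HTML)]
                   + [(u, f'document.location = "{KIT_URL}";') for u in REDIRECTORS]
                   + [(KIT_URL, FINGERPRINT_JS)])

# Constructed benign chain: one first-party script, no redirect, no plugin probing.
BENIGN_CHAIN = [
    ("https://shop.example/", '<html><body><script src="https://cdn.example/app.js"></script></body></html>'),
    ("https://cdn.example/app.js", 'window.addEventListener("load", function () { document.title = "Shop"; });'),
]

if __name__ == "__main__":
    for name, chain in (("malicious", MALICIOUS_CHAIN), ("benign", BENIGN_CHAIN)):
        v = analyze(chain)
        print(f"{name}: score={v.score} suspicious={v.suspicious}")
        for r in v.reasons:
            print("  -", r)
```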


The Java JAR Payload 

The exploit kit sends heavily obfuscated JS code with Java applet code that downloads a malicious JAR file to the infected system.

  BEP12

BEP13

After uncompressing the JAR file, five Java class files are extracted:

BEP14

I used the JD decompiler to decompile the class files. Zoom.class attempts to exploit CVE-2010-0840:

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

  • Once the vulnerability is successfully exploited, the payload tries to download another malicious binary (analysis below) and save it on the infected system under a random name, <randomName>.exe.
  • It then silently registers the downloaded binary by calling regsvr32.exe -s <binary.exe>.

  BEP15

As noted above, anti-virus detection of the payload is low, with 13 of 43 vendors catching it, a 30.2% detection rate.

BEP16

Successful Exploitation – The Malware

On every successful exploitation the running shellcode downloads and executes a malicious binary (a download / execute type of shellcode).  We got infected twice.

BEP17


ZeuS v.2

BEP18

Sample MD5: 53507987ca9d772c7377a6066259aa7e

BEP19

Anubis Report: http://goo.gl/LCiCg

Ceeinject / Scar / Kazy

BEP21

Sample MD5: ba7017bb86b8d37a37479d6460e992f0

BEP22

Anubis Report: http://goo.gl/NUylt

 

Be safe.


 

 Top Cyber Security Trends for 2012: #2


 

Trend #2:  The Rise of the Middle Man

In 2010, we predicted the industrialization of hacking.  What is the impact of industrialization on hackers’ business models?  In 2012, with the increased supply of and demand for compromised machines, as well as for sensitive corporate information, we predict the rise of a new cyber crime job role: the broker. This individual is responsible for matching buyers of stolen data or compromised machines (aka “bots”) with the sellers of the data (or the bot renters).  In the same way that stocks and investors gave rise to stock markets, hackers need a middle man.

The success of bot herding opened up a large market in which many hackers have numerous corporate machines under their control, each potentially holding a vast amount of data. However, waiting for individuals to approach them and buy this type of data is simply too slow and ineffective an approach, making the hackers victims of their own success.  Instead, we are seeing that this situation opens up a wholesale opportunity for a middleman to bridge the gap.

 

 

December 09, 2011
 Top Cyber Security Trends for 2012: #3


 

Trend #3:  Anti-Social Media

As many more organizations are making their way into the social media space, we expect to see a growing impact to the integrity and confidentiality of the enterprise’s information. Moreover, hackers will continue to automate social media attacks, further exacerbating the situation. The heart of the problem resides in three separate issues inherent to social networks:

  1. Sharing - The most important thing to understand about social networks and the tools built on top of them is that they are designed for sharing information, not restricting access to it. Enterprises that try to use social media as collaboration suites for internal, sensitive business data, which requires different levels of access privileges, are bound to encounter massive data breaches. The reason is not flawed access controls and privacy mechanisms. Rather, restricting information through these channels is in complete contrast to the concept of such environments, which is, in fact, all about sharing. Consequently, organizations should keep an operational copy of all their data in a business system that can provide decent access controls. Data that can be made public can be exported out of this system and posted to the social network. This way, restricted information is kept inside business systems (regardless of whether they are on premise or in the cloud), while public information can be retrieved for publication on the social platform.
  2. Control – Organizations need to understand that there is nearly an absolute lack of control over interactions with members of the social platform. In the real world we attempt to control the types of social interactions we experience by carefully choosing our social circles as well as the places we hang out. This is not possible in the cyber world. Comment spam, defamation, false claims and bad language are the norm.  
    Keeping your social cyber environment clean of these is a difficult task.  Further, cyber cleansing consumes resources in proportion to the popularity of the enterprise. Measures range from sifting and sanitizing comments to engaging closely with the social networks in cases of defamation. Enterprises that fail to invest these resources will quickly find that true followers are fleeing the scene. In the meanwhile, the brand name erodes, defeating the purpose of entering the social network scene.
  3. Lack of Trust and Proper Identification - There is no real way for enterprises to avoid copy-cats.  In today’s social platforms, there is no solid way to tell apart the real owner of a brand from impostors and copy-cats who are trying to take advantage of the popularity of a specific brand, to abuse it or to erode it. The identity of message posters cannot be verified in any way and there are no real tools to evaluate the trustworthiness of messages and their content.

The consequences could be general brand erosion or attack campaigns targeted at the enterprise's social circle. Mix these three concepts with the growing use of automation and you get social network mayhem.  In the past couple of years we have witnessed the impact of the power of automation when applied to social networks:

  • In February 2011, the Lovely-Faces.com website showcased hundreds of thousands of scraped Facebook user profiles.
  • In September 2011, another group demonstrated an application that automates the process of “friending”. Based on this process, the application creates a collection of all personal information, including photos, from those who accepted the friendship request.
  • Recently a group of researchers demonstrated the power of “social botnets”. These are fake profiles. However, these accounts can automatically grow a network of friends of actual real accounts. The research proved that the flawed “friend of a friend” trust model enabled this type of botnet proliferation. Further, their research found that individuals were three times more receptive to accepting a friendship request if the requester already shared a mutual friend with them.
  • Software automating account generation and various data mining research projects exist.
  • This fall, DHS started setting up policies to monitor Facebook and Twitter. Automating this process will be at the heart of this project in order to sift through the incredibly high volume of traffic.

Unfortunately, we do not see any market solutions ready to handle the above issues. Facebook as well as other social media platform providers are currently keeping full control and are attempting to fight some of the issues (mainly automation and fake accounts) from within. One such initiative is Facebook’s Immune project. This has proven to be mostly futile so far (for instance, there’s a clear conflict of interests between Facebook’s attempt to remove fake accounts and its attempt to show constant unbelievable growth). Rather, the solutions must be incorporated into existing platforms by enterprises themselves.

These solutions will have to rely on third parties that offer trust and data control services over the social media platform. Currently, we are not aware of any such existing solutions, leaving a void space ripe for research.

 

December 07, 2011
 Top Cyber Security Trends for 2012: #5


 

Trend #5:  NoSQL = No Security?

The IT world is quickly embracing Big Data.  Huge data stores are the next big step in analyzing the massive amounts of data being collected in order to identify trends. Examples range from new start-ups that use these systems to analyze trillions of DNA strips to gain an understanding of our genealogy, to well-established companies that are adopting the technology to map and time transportation systems across the world to make our traveling easier and cheaper. While Big Data is becoming a buzzword in information systems, there has not been much investigation into the security implications. Many predict that in 2012 we’ll see a growing interest in Big Data and its underlying technology, NoSQL. We predict that the inadequate security mechanisms of these systems will inhibit enterprises from fully integrating them as third party components within the corporation.

NoSQL is a common term to describe data stores that store all types of data – from structured to unstructured. Due to this diversity, these data stores are not accessed through the standard SQL language. Up until recently, we categorized our conception of data stores in two groups: relational databases (RDBMS) and file servers. The new kid in town, NoSQL, opened our minds to a database that, unlike the conventional relational concepts, does not follow a structural form. The advantage? Scalability and availability.  With a technology where each data store is mirrored across different locations in order to guarantee constant up-time and no loss of data, these systems are commonly used to analyze trends. These systems are not suitable for financial transactions requiring a real-time update, but could be employed at a financial institution to analyze the most efficient or busiest branch.

However, as applications using NoSQL are being rolled out, little time has been taken to think or re-think security. Ironically, security in databases and file servers has seen its share of problems over the years. But these are systems that have gained mileage over the years, which allowed this type of security inspection. We cannot say the same about NoSQL.

Many may claim that the developers of different NoSQL systems have purposefully left security aspects out of their systems. For instance, Cassandra has only basic built-in authentication procedures. This lack of security is considered a feature, built on the idea that database administrators should not need to trouble themselves with security aspects. Security, then, should be offloaded to a dedicated team.

We believe the NoSQL systems will suffer from a number of issues:

  • Lack of expertise. Currently, there are hardly enough experts who understand the security aspects of NoSQL technologies. When building a NoSQL system, there is no obvious security model that fits. The lack of such a model makes the implementation of security a non-trivial process and requires extensive design. As a result, security features that need to be considered get pushed out over and over again.
  • Buggy applications. Until third party solutions roll out to provide the necessary security solutions, it is the NoSQL applications that will carry the security load.  Issues include:
    • Adding authentication and authorization processes to the application. This requires more security considerations which make the application much more complex. For example, the application would need to define users and roles. Based on this type of data, the application can decide whether to grant the user access to the system.
    • Input validation. Once again we are seeing issues that have haunted RDBMS applications come back to haunt NoSQL databases. For example, at Black Hat 2011, researchers showed how a hacker can use a “NoSQL Injection” to access restricted information. Likewise, “The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws” contains a new separate chapter focused solely on the security of programming frameworks used for NoSQL.
    • Application awareness. Where each application needs to manage its own security, it will have to be aware of every other application. This is required in order to disable access to any non-application data.
    • When new data types are added to the data store, the data store administrator would have to work out and ensure which applications cannot access that specific data.
    • Vulnerability-prone code. There are a limited number of NoSQL products, but an order of magnitude more applications and application server products. The more applications, the more code in general that is prone to bugs.
  • Data duplication. In NoSQL systems, data is not strictly saved in particular tables. Instead, the data is duplicated across many tables in order to optimize query processing. As a result, it is not possible to classify credit cards according to a particular sensitive table. On the contrary, this type of data can be found in different places: transaction logs, personal details, specific tables representing all credit cards, and other locations which may not even have been considered.
  • Privacy.  Although our focus is on security, privacy concerns cannot be ignored. Take for example a healthcare platform where providers get together and share patient data. A patient might access the system for genetic information, and later access it in respect to drug info. An application which analyzes this data can correlate the information to find purchasing trends relating to genetics and health. The problem is that this type of correlation was not considered when the data was initially inserted. As a result, the data was never anonymized allowing anyone to identify specific individuals from the bigger picture.

NoSQL is still in its infancy. It will take a while until we see these systems fully deployed at the majority of enterprises. For this precise reason it is so important to invest in the security of these systems.


December 06, 2011
 Top Cyber Security Trends for 2012: #6


 

Trend #6:  Internal Collaboration Meets Its Evil Twin

We expect to see a growing number of data breaches from internal collaboration platforms used externally. The issue?  Internal collaboration suites are being deployed in “evil twin” mode, i.e., these suites get used externally. As a result, organizations will look for tools to protect and control access to such platforms. We estimate that in 2012 the number of Internet sites based on such platforms will drastically increase.  As a consequence, the number of security incidents due to inadvertent public exposure of confidential data will grow.

The past couple of years brought an extensive increase in the use of collaboration suites within organizations. Platforms such as Microsoft SharePoint and Jive are now used by many organizations to share information and manage content. While most enterprises use these applications within the organization, some have also extended their use to partners and even to the public through an internet-facing website. In fact, based on Forrester research, SharePoint is listed as the number one portal product (source: http://www.topsharepoint.com/about), and with the latest release of SharePoint 2010, it also offers a great platform for building collaboration sites with external partners or robust externally-facing sites. Extending an internal platform to external use always comes with a price tag to be paid in security. An example of such a security breach took place when the Mississippi National Guard accidentally exposed personal information of nearly 3000 soldiers on its external Microsoft SharePoint website.

There are two major factors that impact the risk of extending an internal platform to external use:

  1. Data segregation. Data segregation has two manifestations with respect to externalizing internal systems. First, sensitive data is usually already stored in the system, and ensuring that it does not become accessible through the less restricted interfaces of the platform is not an easy task. Then, for the entire lifetime of the system, controls should be put in place to allow collaboration and sharing of sensitive information within the organization while keeping it out of the reach of the general public.
  2. Threat profile. Threat profile relates to the difference between internal and external threats. The size of the potential attacker population increases instantly, and so do its technical and hacking skills. At the same time, the impact of a disclosure or a breach increases dramatically over that of an internal breach. To make things even worse, search engines like Google constantly crawl and update their indexing policies, so that the public interface of the application, as well as any breaches or misconfigured entry points, are quickly apparent to the whole world. For example, an updated Google policy to also index FTP servers resulted in a breach affecting 43,000 Yale-affiliated individuals.  Google hacking tools, such as SharePoint GoogleDiggity and SharePointURLBrute, can easily be used to identify insecure configurations.

Organizations aiming at reducing the risk of massive exposures should start budgeting and planning for the next generation of collaboration suite monitoring and governance tools. Some of the characteristics to look for are:

  • Policies to monitor and protect internet and intranet facing sites.
  • Flexible deployment that doesn’t impact the use of application or the network architecture.
  • The ability to identify excessive user rights to content.


December 05, 2011
 Top Cyber Security Trends for 2012: #7

Our other trends are here:

Nine
Eight
Seven
Six
Five
Four
Three
Two
One

On December 14th, Imperva's CTO Amichai Shulman will be hosting a webinar, talking you through the ADC's predictions.  To register, click here.

Trend #7:  DDoS Moves Up the Stack

Distributed Denial of Service (DDoS) attacks are gaining popularity and were part of high-profile hacking campaigns in 2011, such as the Anonymous attacks. We predict that in 2012 attackers will increase the sophistication and effectiveness of DDoS attacks by shifting from network-level attacks to application-level attacks, and even business-logic-level attacks.

A Denial of Service (DoS) attack is a relatively old attack on data availability: it exhausts the server's computing and network resources so that legitimate users are denied service. A Distributed Denial of Service (DDoS) attack is an amplified variation in which the attacker launches the assault from many machines to mount a more powerful, coordinated attack.

Traditionally, DoS attacks have required the attacker to invest in a massively distributed network that can generate enough traffic to eventually overwhelm the victim's resources. At the other end of the DoS spectrum is the SQL shutdown command. An attacker exploiting an application vulnerability (SQL injection, for instance) can use that single command to shut down the database service with one request from one source, which, from the attacker's perspective, is cheaper and just as effective. Historically, DoS attacks have gradually climbed the protocol stack: from the most basic network-layer (layer 3) attacks, such as the UDP flood, through transport-layer (layer 4) SYN flood attacks. In the last few years we have also seen the HTTP layer (layer 7) targeted, with attacks such as Slowloris in 2009 and RUDY in 2010.

We predict that in 2012 hackers will climb one more rung: creating DDoS attacks by exploiting web application vulnerabilities, or even through web application business-logic attacks. Such an attack is performed by profiling the victim web application for resource-consuming operations, such as a search over a large database, and then applying that operation constantly to deplete the victim server's resources. Indications of this trend are already emerging. For example, the #RefRef tool, introduced in September 2011, exploits SQL injection vulnerabilities to perform DoS attacks.
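To make the business-logic case concrete, here is an added example (not code from the original post, and not a real attack tool): a toy application whose endpoints return the server time they consume, an attacker routine that profiles it and then repeats only the most expensive operation, and a hardened front end that accounts for server time per client rather than counting requests. The endpoint names, cost figures, window and budget values are all constructed assumptions.

```python
"""Business-logic DoS: profile the target for its most expensive operation,
then repeat that one operation from a single source.

Added example for this post. The "application" and its cost figures are
constructed for illustration, not measurements of any real system."""
import time
from collections import defaultdict

# Constructed application: each handler returns the server CPU time
# (simulated milliseconds) consumed by one request.
DATABASE_ROWS = 2_000_000


def static_page():
    return 1                        # cached page: about 1 ms


def login():
    return 5                        # indexed lookup plus a password hash


def search(term):
    # Unindexed LIKE '%term%' scan: cost grows with the table size, not with
    # the query, so one request is worth ~200 cheap ones to the attacker.
    return DATABASE_ROWS // 10_000  # about 200 ms


APP = {
    "/index.html": static_page,
    "/login": login,
    "/search?q=a": lambda: search("a"),
}


def profile(app):
    """Attacker step 1: one request per endpoint, ranked by cost. A real
    attacker observes response times; here we read the simulated cost."""
    costs = {path: handler() for path, handler in app.items()}
    return max(costs, key=costs.get), costs


def flood(app, path, requests):
    """Attacker step 2: repeat the most expensive request. Returns the total
    server time consumed, which is what actually denies service."""
    return sum(app[path]() for _ in range(requests))


class BudgetedApp:
    """Hardened front end: account for server time per client per window and
    refuse work once the budget is spent. A layer-3/4 device cannot make this
    check because it does not know what each request costs the application."""

    def __init__(self, app, budget_ms, window_s=1.0):
        self.app, self.budget, self.window = app, budget_ms, window_s
        self.spent = defaultdict(float)         # client -> ms used this window
        self.window_start = defaultdict(float)  # client -> window start time

    def handle(self, client, path, now=None):
        """Return (status, cost_ms). 429 means the request was refused
        before any expensive work was done."""
        now = time.monotonic() if now is None else now
        if now - self.window_start[client] >= self.window:
            self.window_start[client], self.spent[client] = now, 0.0
        if self.spent[client] >= self.budget:
            return 429, 0
        cost = self.app[path]()
        self.spent[client] += cost
        return 200, cost
```

With the figures above, 100 search requests from one source cost the server as much as 20,000 requests for the front page, which is why a request-rate limit alone does not help: the budgeted front end refuses the fourth search in a one-second window from the same client, while other clients are unaffected.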

There are several reasons attackers are moving up the stack:

  1. Decreasing costs. In the past, attackers took a "brawn over brains" approach, simply inundating the application with garbage requests. However, these types of attacks require a large investment on the attacker's side, including distributing the attack across multiple sources. Over time, hackers have discovered that they can add "brains" to their attack techniques, significantly lowering the heavy costs associated with the "brawn" requirements.
  2. The DoS security gap. Traditionally, the defense against (D)DoS was based on dedicated devices operating at the lower layers (TCP/IP). These devices cannot detect higher-layer attacks because of inherent shortcomings: they don't decrypt SSL, they don't understand the HTTP protocol, and they are generally unaware of the web application. Consequently, an attacker can evade detection by these devices by moving up the protocol stack.
  3. The ubiquitous DDoS attack tool. Working at the HTTP layer lets the attacker write code that is independent of the operating system, for example in JavaScript. The attacker then gains the advantage of having every web-enabled device participate in the attack, regardless of its operating system, be it Windows, Mac or Linux. Moreover, it allows mobile devices running iOS, Android or any other mobile operating system to participate in such attacks.

The good news is that enterprises can prepare for these application-targeted DoS attacks by adding application-aware security devices, such as Web Application Firewalls (WAFs). These devices can decrypt SSL, understand HTTP and understand the application's business logic. They can then analyze the traffic and sift out the DoS traffic so that the business receives, and serves, only legitimate traffic.