Script Kiddies or Sophisticated State Actors?05 Mar 2019
When you manage a lot of websites you see a lot of hacking attempts. For some reason February saw more in one month than in the last few years combined. The Australian government and a lot of media were reporting about "Sophisticated State Actors" trying to get into their computers. I saw several of my sites come under sustained attack. Were they some sort of elite foreign hacking squad? Not likely. The media loves a good hacking story (they think hackers have superpowers) and the government has bigger plans that are helped by exaggerating risks like these. It looked to me like what we call a "script kiddie".
What is a "Script Kiddie"? Put simply, it is a person or group who run automated scripts on their computers (or a group of previously hacked computers called a "botnet") that looks for vulnerable websites and then runs a suite of previously-known exploits to test to see if they work. It is generally all automated. Sorry to tell you that Hollywood lied in movies like Swordfish. It really is not that interesting in real life.
The most common attacks are submitting to forms in the hope that they appear on the website, and what is known as SQL injection. Form submissions are usually attempting to spam comment sections with ads. They start by submitting a strange string and then see if it appears on a page. If it does then the attacker knows they can put comments onto your website automatically. SQL Injection is far more dangerous. This attack passes extra information in the URL (the web address you type in your browser) or in form fields in the hope that badly formed SQL execution code will run extra commands on your database. If this works then the attacker can delete or alter data, insert an administrator user, or any number of other of actions that would usually require an administrator login to your server or database.
SQL Injections attacks were what I saw a lot of in February. And by "a lot of" I mean up to 3 and a half thousand attempts per second!! Whoever ran the script made a big mistake in timing, a bit like in Clifford Stoll's book The Cuckoo's Egg.
Here are some examples from two of my sites. After that, I will detail what changes I made to Cloudflare's Web Application Firewall that locked the hackers out. They are still running their scripts, but they are not getting to your web site any more.
Note the spikes in these two graphs:
You will often see spikes when users increase (say if you ran an ad or email campaign) but spikes that happen when users do not increase are suspicious. Here are the user visits for the same two sites as above:
Whenever I see stats like this I know something is going on and I start investigating.
How Cloudflare's Web Application Firewall Is Now Protecting Your Site
Cloudflare's Web Application Firewall has been enabled for all the sites I am hosting, plus:
- Firewall rules have been added to detect common SQL injection URL strings. These strings change a lot so I have built rules based on the attacks I have seen in the logfiles of my sites that were targeted plus other common attacks.
- I have also added a rule that looks for any special table names in URL strings and blocks access. This will help if somebody does get through the first set of rules and tries to access (say) your website members or product sales tables.
- On WordPress sites I have added an extra Cloudflare security step - a capcha to confirm as human - to prevent any possible brute force password guessing.
Note that Cloudflare's Web Application Firewall stops attackers at their edge servers. Hacking attempts that are identified by the Firewall are not reaching your website. It is like having a bouncer at your door keeping undesirables out.
I am also moving all website forms to a third party product that provides even more security (and spam protection).
How Amazon Web Services Makes Your Website Safer
What happens if a hacker does get through? I have set up each website in a way that will make disaster recovery faster and more reliable. The big difference is not having everything on one virtual server.
You will have seen very cheap hosting packages and probably wondered why they are so cheap. The answer is that everything is in one place - the code, database and files are all on one server. That means if a hacker gets in they have EVERYTHING. It also means that restoring your website is very difficult and some parts may never be recoverable.
Here is a quick run-down of how your website is set up and why:
- WordPress sites are currently running on AWS Lightsails and non-WordPress are on Elastic Beanstalks. Snapshots are taken any time a software change is made (code or plugin) and stored with Amazon. This means that IF an attack is successful I can roll it back to a moment in time that was safe. No permanent damage to the website code can be done.
- All databases are stores on Amazon RDS (separate database servers) and not with the website code. This is a lot more costly to host but helps protect against a hacker getting access to your data. It also allows website code to be restored without erasing database changes that were made since a snapshot was made. In a standard hosting environment, with the database on the same server as the code, that database can be downloaded by a hacker and hacked on their own computer. You do not want that.
- Website attachments (images, pdfs, etc) are stored in Amazon S3 buckets with version control turned on. If a file is compromised then I can restore it to a previous safe version.
- FTP and telnet access to all servers is strictly controlled and encrypted.
The internet is not a safe place for a website. It sits out there on its own 24 hours a day 7 days a week talking to anybody who passes by, no matter who they are. Fortunately the tools I use to host your website can make it a lot safer. My years of experience managing infrastructure, combined with my years of experience in software engineering, mean peace of mind for you. It is not cheap, but what would it cost you if your website got hacked, your data got put onto the Dark Web, or somebody encrypted your files and asked for Bitcoins as ransom?