Sunday, April 1, 2018

security - How to detect SQL Injection sitting at a reverse proxy?

Let me first take my hat off to @neil-mcguigan, who came up with the best comment of the year: "A sql injection attack is valid sql. That's why it works".
While keeping that axiom in mind, I think it's possible to rely on some heuristics to identify and block malicious behavior in general. For example, you will often see multiple unsuccessful attempts during an attack. The attacker's behavior and various attributes (such as source geo-IP, access time, user-agent or browser thumbprint, etc.) will likely be different from those of the average regular user. Many network security appliances on the market actually use these and combine them with other threat feeds for detection.
However, as soon as you grow to more than a single server to protect, it becomes extremely hard to persist and leverage this information. In a web farm, with load balancers and multiple reverse proxies, getting access to logs from every device, in real-time, and running heuristics against every unknown call is a bigger challenge than coming up with the heuristics themselves.
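To make the heuristic concrete, here is an added example (not part of the original post) that scores clients from reverse-proxy access logs: repeated failed responses from one source inside a sliding time window, plus a missing User-Agent as a weak extra signal. The log lines, IP addresses, window and threshold values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the nginx/Apache "combined" access log format written by most reverse proxies.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: 203.0.113.7 hammers /login, gets server errors and sends no
# User-Agent; the other two clients browse normally (one isolated 404 is not an attack).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2018:10:00:01 +0000] "GET /login?user=a HTTP/1.1" 500 12 "-" "-"
198.51.100.4 - - [01/Apr/2018:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2018:10:00:05 +0000] "GET /login?user=b HTTP/1.1" 500 12 "-" "-"
192.0.2.9 - - [01/Apr/2018:10:00:07 +0000] "GET /old-page HTTP/1.1" 404 0 "-" "-"
203.0.113.7 - - [01/Apr/2018:10:00:09 +0000] "GET /login?user=c HTTP/1.1" 500 12 "-" "-"
203.0.113.7 - - [01/Apr/2018:10:05:00 +0000] "GET /login?user=d HTTP/1.1" 500 12 "-" "-"
"""

def parse(line):
    """Return (ip, timestamp, status, user_agent), or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"]), m["ua"]

def flag_clients(log_text, window=timedelta(seconds=60), score_threshold=3):
    """Score each client on failed (>= 400) responses inside a sliding time window,
    plus one point for a missing User-Agent; return {ip: time first flagged}."""
    recent_errors = defaultdict(deque)  # ip -> timestamps of recent failed responses
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, status, ua = rec
        if status < 400:
            continue
        q = recent_errors[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop errors that fell out of the window
            q.popleft()
        score = len(q) + (1 if ua == "-" else 0)
        if score >= score_threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

The state in `recent_errors` lives in one process, which is exactly the limitation the last paragraph describes; behind several proxies it would have to move to a shared store keyed by client address.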
