Recipe 12-5: Identifying a Significant Increase in Resource Usage
This recipe shows you how to identify when the user community accesses specific resources at a high rate.
Ingredients
- ModSecurity
- inicol action
- RESOURCE:UPDATE_RATE variable
- @gt operator
Sample Attack
Cross-Site Request Forgery (CSRF) Worm Attacks against Social Networking Sites
Social networking sites such as Facebook are ripe targets for attackers who want to propagate their spam links throughout the user base. A site such as Facebook is more attractive to spammers because it has a higher click rate of links because of the supposed “trusted source” nature of Facebook wall postings. If a friend posts that you should check out a link, there’s a good chance you will click it. What ends up happening most of the time is that the page you end up on contains CSRF code that issues a request back to Facebook to spread the spam link. It uses the victim user’s current session credentials to authorize the post and thus spread the link. These types of attacks are viral in their propagation and thus cause severe spikes in certain application function usage. By monitoring these types of application usage patterns, you can identify CSRF worms more quickly.
Identifying Resource Usage Spikes
We can leverage ModSecurity’s RESOURCE persistent storage capabilities to track access attempts to specific resources. Here is a sample initialization rule taken from the modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf ...
Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
