Script Kiddies or Sophisticated State Actors?
05 Mar 2019

When you manage a lot of websites you see a lot of hacking attempts. For some reason February saw more in one month than in the last few years combined. The Australian government and a lot of media were reporting about "Sophisticated State Actors" trying to get into their computers. I saw several of my sites come under sustained attack. Were they some sort of elite foreign hacking squad? Not likely. The media loves a good hacking story (they think hackers have superpowers) and the government has bigger plans that are helped by exaggerating risks like these. It looked to me like what we call a "script kiddie".
What is a "Script Kiddie"? Put simply, it is a person or group who runs automated scripts on their own computers (or on a group of previously hacked computers called a "botnet") that look for vulnerable websites and then run a suite of previously known exploits to see if any of them work. It is generally all automated. Sorry to tell you that Hollywood lied in movies like Swordfish. It really is not that interesting in real life.
The most common attacks are form submissions made in the hope that the submitted content appears on the website, and what is known as SQL injection. The form submissions are usually attempts to spam comment sections with ads. They start by submitting a distinctive string and then checking whether it appears on a page. If it does, the attacker knows they can post comments onto your website automatically. SQL injection is far more dangerous. This attack passes extra information in the URL (the web address you type in your browser) or in form fields in the hope that badly written database code, which pastes that input straight into an SQL statement, will run extra commands on your database. If this works the attacker can delete or alter data, insert an administrator user, or perform any number of other actions that would usually require an administrator login to your server or database.
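To show concretely what "badly written database code" means, here is an added example (not code from the original post) that puts a vulnerable lookup next to its parameterised fix. The `members` table, its rows and the probe strings are constructed for the demonstration; the two probes are the textbook shapes that automated scanners send in bulk, and the point is that the safe version returns nothing for both.

```python
import sqlite3

# Constructed sample database for this demonstration (not from the original post).
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (username, email, role) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "admin"),
            ("bob", "bob@example.com", "member"),
            ("carol", "carol@example.com", "member"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The value from the URL or form field is pasted straight into the SQL text,
    # so a quote character in the input ends the string and the rest is parsed as SQL.
    sql = "SELECT username, email FROM members WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the driver sends the value separately from the statement,
    # so whatever the visitor typed is only ever compared as data, never run as SQL.
    sql = "SELECT username, email FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A normal request and two textbook probes of the kind a scanner sends in bulk.
NORMAL_INPUT = "bob"
TAUTOLOGY_INPUT = "x' OR '1'='1"                                  # makes the WHERE clause always true
UNION_INPUT = "' UNION SELECT username, role FROM members --"     # reads a column the page never shows


def compare(conn, value):
    """Return what each implementation hands back for the same input."""
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, value)),
        "safe": sorted(lookup_safe(conn, value)),
    }


if __name__ == "__main__":
    db = make_demo_db()
    for value in (NORMAL_INPUT, TAUTOLOGY_INPUT, UNION_INPUT):
        print(repr(value), compare(db, value))
```

The same pattern applies to any driver or ORM: the fix is never to filter quote characters but to keep data out of the statement text entirely, which is also why the edge-firewall rules described later are a second layer rather than the primary defence.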
SQL injection attacks were what I saw a lot of in February. And by "a lot of" I mean up to three and a half thousand attempts per second! Whoever ran the script made a big mistake in timing, a bit like in Clifford Stoll's book The Cuckoo's Egg.
Here are some examples from two of my sites. After that, I will detail the changes I made to Cloudflare's Web Application Firewall that locked the hackers out. They are still running their scripts, but they are no longer getting to your website.
Note the spikes in these two graphs:
You will often see spikes when user numbers increase (say, if you ran an ad or email campaign), but spikes that happen when user numbers do not increase are suspicious. Here are the user visits for the same two sites as above:
Whenever I see stats like this I know something is going on and I start investigating.
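The check described above, request volume jumping while unique visitors stay flat, is easy to automate. The following is an added example, not code from the original post: the fortnight of daily figures is constructed, and the two thresholds (requests at least 3x the typical day, visitors under 1.5x) are assumptions chosen for the illustration. Day 8 has the shape of the attacks in the post; day 11 has the shape of a campaign and is deliberately left alone.

```python
from statistics import median

# Thresholds are assumptions for this example: a day is suspicious when requests are at
# least 3x the typical day while unique visitors stay under 1.5x the typical day.
REQUEST_SPIKE_FACTOR = 3.0
VISITOR_GROWTH_FACTOR = 1.5

# Constructed fortnight of daily (date, requests, unique visitors) for one site.
# Day 8 has the shape the post describes: traffic explodes, visitors do not move.
# Day 11 looks like a campaign: traffic and visitors rise together.
DAILY_STATS = [
    ("2019-02-01", 11800, 790), ("2019-02-02", 12300, 810), ("2019-02-03", 11950, 805),
    ("2019-02-04", 12100, 798), ("2019-02-05", 12400, 815), ("2019-02-06", 11700, 780),
    ("2019-02-07", 12050, 802), ("2019-02-08", 180000, 795), ("2019-02-09", 12200, 808),
    ("2019-02-10", 11900, 790), ("2019-02-11", 40000, 2600), ("2019-02-12", 12150, 800),
    ("2019-02-13", 11850, 785), ("2019-02-14", 12000, 799),
]


def flag_suspicious_days(daily, spike=REQUEST_SPIKE_FACTOR, growth=VISITOR_GROWTH_FACTOR):
    """Return (date, request ratio, visitor ratio) for days whose request count spikes
    without a matching rise in visitors.

    The median is the baseline because it is barely moved by the very days we are
    trying to detect; a mean would be dragged upwards by them and hide smaller spikes.
    """
    typical_requests = max(median(r for _, r, _ in daily), 1)
    typical_visitors = max(median(v for _, _, v in daily), 1)
    flagged = []
    for day, requests, visitors in daily:
        request_ratio = requests / typical_requests
        visitor_ratio = visitors / typical_visitors
        if request_ratio >= spike and visitor_ratio < growth:
            flagged.append((day, round(request_ratio, 1), round(visitor_ratio, 2)))
    return flagged


if __name__ == "__main__":
    for day, req_ratio, vis_ratio in flag_suspicious_days(DAILY_STATS):
        print(f"{day}: requests {req_ratio}x normal, visitors {vis_ratio}x normal")
```

Run against the constructed data this flags only 2019-02-08. In practice the same comparison can be made per hour, and a flagged window is the cue to pull the access logs for that period and look at what the requests actually contained.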
How Cloudflare's Web Application Firewall Is Now Protecting Your Site
Cloudflare's Web Application Firewall has been enabled for all the sites I am hosting, plus:
- Firewall rules have been added to detect common SQL injection URL strings. These strings change a lot, so I have built rules based on the attacks I have seen in the log files of my sites that were targeted, plus other common attacks.
- I have also added a rule that looks for the names of sensitive database tables in URL strings and blocks the request. This will help if somebody does get through the first set of rules and tries to access (say) your website members or product sales tables.
- On WordPress sites I have added an extra Cloudflare security step - a CAPTCHA to confirm the visitor is human - to prevent any possible brute-force password guessing.
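To make the first two rules above tangible, here is an added example of the same two checks run over access-log lines. It is not Cloudflare's rule syntax and not the author's actual rules: the patterns, the protected table names (`members` and `sales` are made up, `wp_users` is WordPress's real user table) and the five log lines are all constructed for this illustration. The detail worth noticing is the double URL-decoding, because scanners routinely encode a payload twice to slip past a filter that decodes once.

```python
import re
from urllib.parse import unquote_plus

# Constructed rule set for this example. The patterns illustrate the kinds of URL strings
# the post describes; they are not Cloudflare's rule syntax or the author's actual rules.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I),   # UNION SELECT, UNION/**/SELECT
    re.compile(r"'\s*(?:or|and)\s*'?\w*'?\s*=\s*'?\w*", re.I),       # tautologies such as ' OR '1'='1
    re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),        # time-delay probes
    re.compile(r"\binformation_schema\b", re.I),                      # schema discovery
    re.compile(r"--\s*$|/\*.*?\*/"),                                  # SQL comments that swallow the query tail
]

# Hypothetical names of tables whose appearance in a URL has no legitimate reason.
PROTECTED_TABLES = ("members", "sales", "wp_users")
TABLE_PATTERN = re.compile(r"\b(?:" + "|".join(PROTECTED_TABLES) + r")\b", re.I)


def normalise(url):
    """URL-decode twice so double-encoded payloads (%2527 -> %27 -> ') are seen in the clear."""
    return unquote_plus(unquote_plus(url))


def classify_request(url):
    """Return the rule that would block this request path, or 'allow'."""
    target = normalise(url)
    for pattern in SQLI_PATTERNS:
        if pattern.search(target):
            return "block:sqli"
    if TABLE_PATTERN.search(target):
        return "block:table-name"
    return "allow"


def request_path(log_line):
    """Pull the request path out of a combined-format access log line."""
    match = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', log_line)
    return match.group(1) if match else ""


def scan_log(lines):
    """Classify every line; returns (client ip, path, verdict) so hits can be reviewed."""
    results = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        path = request_path(line)
        results.append((ip, path, classify_request(path)))
    return results


# Constructed access-log lines in combined format. The addresses are from the TEST-NET
# documentation ranges and the probes mimic the shapes described in the post.
LOG_LINES = [
    '203.0.113.7 - - [12/Feb/2019:03:14:07 +1100] "GET /products?id=42 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Feb/2019:03:14:08 +1100] "GET /products?id=42%27%20UNION%20SELECT%20username,password%20FROM%20wp_users-- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Feb/2019:03:14:09 +1100] "GET /login?user=admin%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 200 2210',
    '203.0.113.7 - - [12/Feb/2019:03:14:10 +1100] "GET /export?table=sales HTTP/1.1" 200 0',
    '198.51.100.22 - - [12/Feb/2019:03:15:11 +1100] "GET /blog/why-sql-union-queries-are-useful HTTP/1.1" 200 8890',
]

if __name__ == "__main__":
    for ip, path, verdict in scan_log(LOG_LINES):
        print(f"{verdict:17} {ip:15} {normalise(path)}")
```

The blog URL on the last line is there on purpose: it contains the word "union" but not the `UNION ... SELECT` shape, so it passes. The table-name rule is the blunter of the two and will also block a legitimate search for "sales report", which is the trade-off the post accepts for pages that have no reason to carry those words.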
Note that Cloudflare's Web Application Firewall stops attackers at Cloudflare's edge servers. Hacking attempts identified by the Firewall never reach your website. It is like having a bouncer at your door keeping undesirables out.
I am also moving all website forms to a third party product that provides even more security (and spam protection).
How Amazon Web Services Makes Your Website Safer
What happens if a hacker does get through? I have set up each website in a way that will make disaster recovery faster and more reliable. The big difference is not having everything on one virtual server.
You will have seen very cheap hosting packages and probably wondered why they are so cheap. The answer is that everything is in one place - the code, database and files are all on one server. That means if a hacker gets in they have EVERYTHING. It also means that restoring your website is very difficult and some parts may never be recoverable.
Here is a quick run-down of how your website is set up and why:
- WordPress sites are currently running on AWS Lightsail and non-WordPress sites on Elastic Beanstalk. Snapshots are taken any time a software change is made (code or plugin) and stored with Amazon. This means that IF an attack is successful I can roll the site back to a moment in time that was safe. No permanent damage to the website code can be done.
- All databases are stored on Amazon RDS (separate database servers) and not with the website code. This is a lot more costly to host but helps protect against a hacker getting access to your data. It also allows website code to be restored without erasing database changes made since the snapshot was taken. In a standard hosting environment, with the database on the same server as the code, that database can be downloaded by a hacker and attacked at leisure on their own computer. You do not want that.
- Website attachments (images, PDFs, etc.) are stored in Amazon S3 buckets with versioning turned on. If a file is compromised then I can restore it to a previous safe version.
- FTP and telnet access to all servers is strictly controlled and encrypted.
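The S3 point above is worth showing end to end, because a versioned bucket only helps if the restore is quick and does not destroy evidence. Here is an added example, not the author's tooling: two small functions that turn versioning on and roll one object back to its previous version using the boto3 S3 client's real `put_bucket_versioning`, `list_object_versions` and `copy_object` calls. The bucket name `site-assets`, the key and its version history are constructed, and the `FakeS3` class is a stand-in so the example runs offline; in production you would pass `boto3.client("s3")` instead.

```python
from datetime import datetime, timezone


def enable_versioning(s3, bucket):
    """Turn on versioning so every overwrite or delete keeps the prior object recoverable.
    `s3` is a boto3 S3 client; put_bucket_versioning is its real API."""
    s3.put_bucket_versioning(
        Bucket=bucket, VersioningConfiguration={"Status": "Enabled"}
    )


def previous_version(versions):
    """From the 'Versions' entries for one key, return the newest version that is not
    current. If the object was deleted, a delete marker is what is 'latest', so this
    returns the last real content, which is exactly what a restore wants."""
    history = [v for v in versions if not v.get("IsLatest", False)]
    if not history:
        return None
    return max(history, key=lambda v: v["LastModified"])


def restore_previous_version(s3, bucket, key):
    """Make the previous version of `key` current again and return its VersionId.

    S3 versions are immutable, so the restore is a copy of the old version onto the
    same key: the compromised content becomes history instead of being destroyed,
    which preserves the evidence. Returns None when there is nothing to roll back to.
    """
    response = s3.list_object_versions(Bucket=bucket, Prefix=key)
    # Prefix matching also returns e.g. "logo.png.bak" for "logo.png"; keep the exact key.
    versions = [v for v in response.get("Versions", []) if v["Key"] == key]
    target = previous_version(versions)
    if target is None:
        return None
    s3.copy_object(
        Bucket=bucket,
        Key=key,
        CopySource={"Bucket": bucket, "Key": key, "VersionId": target["VersionId"]},
    )
    return target["VersionId"]


class FakeS3:
    """Constructed stand-in for a boto3 S3 client so this example runs offline.
    It implements only the three calls used above, with the same argument names."""

    def __init__(self, versions):
        self._versions = versions
        self.versioning = {}
        self.copies = []

    def put_bucket_versioning(self, Bucket, VersioningConfiguration):
        self.versioning[Bucket] = VersioningConfiguration["Status"]

    def list_object_versions(self, Bucket, Prefix):
        return {"Versions": [v for v in self._versions if v["Key"].startswith(Prefix)]}

    def copy_object(self, Bucket, Key, CopySource):
        self.copies.append((Bucket, Key, CopySource["VersionId"]))


def _utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed version history: the current logo was overwritten during an intrusion.
SAMPLE_VERSIONS = [
    {"Key": "uploads/logo.png", "VersionId": "v3-defaced", "IsLatest": True, "LastModified": _utc(2019, 2, 12)},
    {"Key": "uploads/logo.png", "VersionId": "v2-good", "IsLatest": False, "LastModified": _utc(2019, 1, 20)},
    {"Key": "uploads/logo.png", "VersionId": "v1-original", "IsLatest": False, "LastModified": _utc(2018, 11, 2)},
    {"Key": "uploads/logo.png.bak", "VersionId": "bak-1", "IsLatest": True, "LastModified": _utc(2018, 11, 2)},
]

if __name__ == "__main__":
    s3 = FakeS3(SAMPLE_VERSIONS)   # in production: boto3.client("s3")
    enable_versioning(s3, "site-assets")
    print("restored version:", restore_previous_version(s3, "site-assets", "uploads/logo.png"))
```

One caveat for real buckets: `list_object_versions` returns at most 1000 entries per call, so a key with a very long history needs the paginator before `previous_version` sees all of it. Versioning also only protects against overwrites and deletes made through the normal API; an attacker with credentials that allow permanent version deletion defeats it, which is why the bucket policy matters as much as the setting.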
The internet is not a safe place for a website. It sits out there on its own 24 hours a day 7 days a week talking to anybody who passes by, no matter who they are. Fortunately the tools I use to host your website can make it a lot safer. My years of experience managing infrastructure, combined with my years of experience in software engineering, mean peace of mind for you. It is not cheap, but what would it cost you if your website got hacked, your data got put onto the Dark Web, or somebody encrypted your files and asked for Bitcoins as ransom?