RUDY Attack and it's prevention

RUDY Attack:

It is the type of slow rate attacks. It also known as slow and low attack. It attempts to open a relatively few connections to the target server or website over a period of time, and leaves the connection as long as possible.

How it works:
It identifies the embedded form in the target site. After identification it sends the HTTP post request with abnormal long ‘content-type’ header field and then starts injecting the form with information, size of one byte packet at one time. This packet is not only sent in junks but at a very slow rate. So , a very long content-length field prevents the server from closing the connection. Ultimately the attacker exhausts the server connection table.

Prevention Mechanisms:
  • Server resource monitoring like memory, CPU usage, connection tables, application threads, long and open application connection or stuck application processes.
  • Behavior analysis compares traffic and user behavior. Or if filling the form takes so much time like hours or minutes instead of seconds.
  • You can also improve the server availability but attackers can also take advantage from the DDOS like botnet.
  • Reverse Proxy is another solution
  • Set the strict time out connection but affects the users which have slow internet connections.
  • Use CDN to prevent the attack from the origin server.

Comments

Post a Comment

Popular posts from this blog

Cyber Threat Intel

Image
What is Cyber Threat Intel? Threat intel is the information about the threats. Cyber threat intel is used to better understand, predict and adopt to the behavior of malicious actors. It plays an important role in preventing the zero-day attacks. " Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes " (NIST). Threat Intel life Cycle: Intelligence lifecycle is the process of developing raw information into finished intelligence for policymaker to use in decision making and action. CTI Life Cycle Planning and Direction Planning and direction helps in setting up the goals for the threat intel program. Priorities and requirements are defined in this phase. Collection: Collection means gathering of data to produce the finished intelligence. Data includes logs(Firewall, IPS/IDS, Endpoints), threat feeds and OSINT(reports, social media, public forums). Collection Types of Collectio...
Read more

Analyzing Spear Phishing Email

Image
Phishing is the technique of fraudulent attempt by the attacker to obtain sensitive and confidential information i.e. Credentials, PII information, credit card, bank details. It can also be targeted attack to focus on the specific organization of individual. The attacker often tailors an email to speak directory to targeted user. There are many types of phishing as follow. I wouldn't explain the types. You can read Here . In this article you'll learn how to analyze the sophisticated phishing email. So, Let's start the case study to explain.  Spearphising :  Spearphising is the technique in which attacker aims at one person and lures him/her into providing confidential data. Attacker compile the email according to the specific user. The email would consist some of the target's email, username, designation.  Case Study: User receive the spearphising email containing the PDF attachment with double extension. Email body contains the unprofessional statement "Kindly m...
Read more

Advance Attacks on Network

  Advance Attacks and Protection: In this section we will discuss some common types of attacks that can be launched against the systems and networks. Spoofing: Spoofing occurs when one person or entity impersonates or masquerades as someone or something else. There are two common types of spoofing attack one is IP spoofing and the other one is MAC spoofing. We can prevent IP spoofing by blocking the packet if it contains the private IP address on public interface. SYN Flood Attack: The SYN Flood attack is a common attack used against servers on the internet. They are very easy for attackers to launch and difficult to stop, and can cause significant problems. It can disrupt the TCP handshake process and can prevent legitimate clients from connecting. In a SYN flood attack, the attacker never completes the handshake by sending the ACK packet. So it consumes the server resources. We can prevent it by setting the threshold for SYN packet. MITM: Man in the Middle attack is a form of act...
Read more