How to Defend Against a Database Hit Attack in 10 Minutes or Less
Views: 7277
Published: 2019-06-29


The Alibaba Cloud Security team has recently detected more and more database hit attacks (撞库, the attack known elsewhere as credential stuffing). As big data finds ever broader application, it would be foolish to discount the significance of these attacks.

What is a database hit attack? What negative effects does it have? More importantly, how can companies who focus on service development neutralize the threats to information security? In this article, we will address these questions in detail.

I. Laziness may be the primary cause for a "successful" database hit attack.

Database hit attacks are not very complex. For example, you may have an email account with the username abc@xx.com and the password x6!00AL5y@ (which is complex and secure). However, for the sake of convenience, you registered accounts on Facebook, Ctrip, Taobao, WeChat, etc. with the same email address and password. Reusing one mailbox account and password everywhere is a security risk, but it is common practice because remembering different account/password combinations is annoying.

If that email password is then stolen by a hacker, whether because the mail provider leaked it or through your own carelessness, the hacker can log in to every account that reuses it, and all the information across those accounts is exposed.

II. Do database hits affect enterprises?

The above consequences are from the perspective of a user. From the perspective of a company, the effects of a database hit are far greater. Hackers maintain a "community worker library" (社工库, a social engineering database): a large collection of accurate, paired username/password entries harvested from earlier leaks. When they decide to go after a website, they replay every entry in the library against that website's login. If the library is large enough, quantity turns into quality and the hackers make off with a huge number of accounts.

Websites suffering a database hit are often chosen more or less at random rather than singled out in advance. Startup enterprises in particular rarely have the security preparation to deal with a sudden database hit attack. Consider the following scenarios:

  1. A P2P lending website was victimized by a database hit, and tens of thousands in funds were transferred away through the dark web. The company did not want to be held responsible and vanished.
  2. A game forum was victimized by a database hit. Many players' game accounts were stolen, and the equipment they had bought was lost.
  3. Even when a database hit does not directly harm users' interests, hackers can sell the stolen accounts and personal data online, such as ID numbers, mobile phone numbers, and bank card numbers. They can also use that personal information to defraud financial institutions through fake identities. Damage of this kind severely harms a company's reputation, image, and user experience.

According to statistics collected by our security team, hundreds of attacks are detected every day, each of which includes hundreds of database hit login requests on average. Even after removing duplicates, these daily attacks still contain hundreds of thousands of username/password combinations. More seriously, these combinations serve as "ammunition depots" for hackers, and they are kept up to date by draining more and more company databases.

Embarrassingly, the cost and the technical threshold of a database hit attack are low. Hackers only need to download a community worker library from a forum and run a script. Currently, no laws or regulations are in place to punish this behavior.

III. Is there a method that does not require expensive security resources but still enables you to defend against database hits?

Yes, you can use the Alibaba Cloud Security Web Application Firewall (WAF). WAF provides a "10-minute solution" for dealing with database hits. First, a WAF user takes 5 minutes to complete online access. New configuration rules take effect within 2 minutes. The web application is therefore under the protection of Cloud Security within 10 minutes. You can defend against common attacks such as SQL injection, XSS, and Trojans with a single click.

WAF 3.0 recently added a new feature, billed as "black technology" (黑科技), called Data Risk Control. It combines web attack protection with Alibaba Cloud Security's business risk control to resolve the following issues with little effort:

• User information leakage caused by database hit attacks and brute-force cracking
• Scalping, fake tickets, fake coupons, fake red packets, and other malicious behavior
• SMS charges run up by abuse of SMS verification-code interfaces
• Malicious registration of spam accounts
• Malicious interference by sniping bots

IV. How does WAF deal with database hits and similar attacks?

Hackers are also lazy. They do not submit billions of database hit entries by hand. Instead, they use automated tools (bots) to do the work for them, routed through a large number of proxies running on compromised machines ("zombie computers"). To slip past traditional security devices, some hackers even throttle their own request rate during an attack so that they are never flagged by a rate-based security policy.

From the moment a request reaches your website, WAF applies a human-or-bot recognition model to judge whether the visitor behaves like a normal user. For example, a normal user does not submit a login request without first loading the page or the login form, whereas a database hit attack does exactly that. In addition to analyzing behavior, WAF combines traffic characteristics and the visitor's browser information with Alibaba Cloud's big data intelligence (known zombie computers, malicious IPs, malicious scripts, malware, etc.) to decide whether the request is normal and trustworthy.

A normal user never notices this analysis. They log in, register, verify, or snipe products just as they normally would. However, when a visitor is suspected of unnatural behavior, WAF performs human-or-bot verification at the key interfaces covered by Data Risk Control (such as registration and login) until the visitor is confirmed to be normal. Protection is therefore precise and targeted, and the impact on normal users is kept as small as possible.
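The behavioral signals described above, worked through as an added detection example that is not Alibaba Cloud's code: a client that POSTs to the login endpoint without ever loading the login page, a client that cycles through many distinct usernames, and a client on a threat-intelligence blocklist are flagged and routed to step-up verification, while the ordinary browser user is left alone. The log format, the `KNOWN_BAD_IPS` feed, and the threshold of three usernames per source are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample access log (assumed format: ip method path username, "-" = none).
# Not real traffic: one browser user, one stuffing client, one client on a blocklist.
SAMPLE_LOG = """\
203.0.113.5 GET /login -
203.0.113.5 POST /login alice
198.51.100.7 POST /login bob
198.51.100.7 POST /login carol
198.51.100.7 POST /login dave
198.51.100.7 POST /login erin
192.0.2.9 POST /login frank
"""

# Assumed threat-intelligence feed of known bad sources (placeholder values).
KNOWN_BAD_IPS = {"192.0.2.9"}


def parse(log):
    """Yield (ip, method, path, username) tuples from the constructed log format."""
    for line in log.splitlines():
        ip, method, path, user = line.split()
        yield ip, method, path, (None if user == "-" else user)


def score_clients(log, max_users_per_ip=3):
    """Return {ip: sorted reasons} for clients whose login traffic looks automated."""
    loaded_login_page = set()      # ips that fetched the form before posting
    usernames = defaultdict(set)   # distinct usernames tried per ip
    reasons = defaultdict(set)
    for ip, method, path, user in parse(log):
        if path != "/login":
            continue
        if method == "GET":
            loaded_login_page.add(ip)
            continue
        # A login POST from a client that never loaded the page is script-like.
        if ip not in loaded_login_page:
            reasons[ip].add("login without page load")
        usernames[ip].add(user)
        # Many different usernames from one source: a library being replayed.
        if len(usernames[ip]) > max_users_per_ip:
            reasons[ip].add("many usernames")
        if ip in KNOWN_BAD_IPS:
            reasons[ip].add("known malicious ip")
    return {ip: sorted(r) for ip, r in reasons.items() if r}


def decide(reasons):
    """Step-up verification only for suspicious clients; normal users pass untouched."""
    return "challenge" if reasons else "allow"
```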

Reposted from: http://pkscm.baihongyu.com/
