SQL Injection attack acted like a Denial of Service attack

We experienced abnormally high CPU and memory utilization on our Web servers over the weekend, and were wondering why.

Now, we think we know: there’s a new SQL Injection attack making the rounds of the Internet. The problems we experienced were exactly as Greg Hughes describes in his Aug. 12 blog entry, “SQL Injection attacks in the wild.”

In our case, the attack did no damage beyond sucking up CPU cycles (and utilizing memory). The effect was similar to that of a denial-of-service (DoS) attack.

If your Web apps aren’t protected against SQL Injection attacks, SHAME ON YOU, you naughty person. Your top development priority for this week should be validating all input before passing anything to the database tier.

Z Trek Copyright (c) Alan Zeichick
1 reply

    R Reid says:

    You don’t have to be susceptible to SQL injection to fall victim to an SQL denial-of-service attack; see this article:

    http://blog.strictly-software.com/2008/10/sql-denial-of-service-attacks.html

    Any site that offers a search facility to its users to return results (articles, messages, jobs, etc.) could fall victim if the SQL is using a pattern match (LIKE / SQL CLR regular expression) and the input is not being sanitised correctly.

    Running convoluted LIKE statements that search the whole DB and return no records is enough to max out your DB server's CPU, and if the user can manage to fire off a number of these requests in a row, it could affect your system quite severely.
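As an added example (not code from the post or the commenter), here is the LIKE-based search the comment describes, written against sqlite3: the string-concatenated form that lets a quote or a bare wildcard reach the database, beside a parameterized form that escapes the LIKE metacharacters and bounds the term length before the query runs. The table, its rows and the MAX_TERM_LEN limit are constructed assumptions for the demonstration.

```python
import sqlite3

# Constructed in-memory table so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO articles (title) VALUES (?)",
                 [("100% cotton",), ("under_score",), ("plain title",)])

MAX_TERM_LEN = 64  # assumed limit; pick one that fits your search UI


def vulnerable_search(term):
    # The 'before' form: concatenating user input into the SQL text lets the
    # caller close the string literal (classic injection) or pass a bare '%'
    # that forces a full-table wildcard scan on every request.
    sql = "SELECT title FROM articles WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def term_is_acceptable(term):
    # Validate at the application tier before anything reaches the database:
    # reject empty and oversized terms so one request cannot cause unbounded work.
    return bool(term) and len(term) <= MAX_TERM_LEN


def escape_like(term):
    # Backslash-escape the LIKE metacharacters so user input matches literally
    # instead of acting as a pattern. The escape char itself is escaped first.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def safe_search(term):
    # Parameterized query: the term travels as a bound value, never as SQL text,
    # and the ESCAPE clause tells SQLite which character escape_like() used.
    if not term_is_acceptable(term):
        raise ValueError("search term rejected")
    pattern = "%" + escape_like(term) + "%"
    sql = "SELECT title FROM articles WHERE title LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    print("vulnerable, bare wildcard:", vulnerable_search("%"))
    print("vulnerable, quote break-out:", vulnerable_search("' OR 1=1 --"))
    print("safe, literal percent:", safe_search("%"))
    print("safe, quote break-out:", safe_search("' OR 1=1 --"))
```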
