Attacks - what does Polaris detect and do?

Polaris identifies a wide range of threats that may be directed at your site. While this article is not exhaustive, it covers the more widespread and common attack types your site is likely to face, along with some of our protection methods. These are also listed under Security Events so you can review which attack types are common against your organization and what the WAAP is doing about them.

API Validator: Polaris inspects and validates the data sent through your application's connection points with other platforms, systems, and services. Validation is performed according to the API endpoint specifications listed and configured in the API security tab.

BGP DoS (Border Gateway Protocol Denial of Service): This attack occurs when a malicious device sends an excessive volume of BGP traffic in an attempt to exhaust BGP and CPU resources, with the goal of putting the site out of service.

Custom Rules: Polaris can identify attack types based on custom rules configured by the WAAP user. Custom rules dictate which requests are allowed to pass through the WAAP; any request that does not meet the standard laid out in a rule is flagged under Security Events as blocked or as requiring further investigation. Custom rules are especially useful when an organization or user knows they may be susceptible to specific types of attacks.

Data Leaks: Polaris identifies compromised user data, such as emails and passwords, that has been exposed in leaks. This is a specific feature of the Threat Intelligence capabilities and, where it can be determined, provides the organization with the source of the leak. While the WAAP cannot directly do anything about the leak itself, knowledge of the compromise allows the organization to take appropriate measures to ensure continuity of operations and mitigate the damage.

DoS (Denial of Service): A single computer floods a server with TCP and UDP packets or requests, with the aim of overloading the server and putting your site out of service.

DDoS (Distributed Denial of Service): Whereas a DoS uses a single computer to flood a server with traffic, a DDoS uses multiple computers tied together in a botnet to flood servers.

Java: Similar to PHP attacks, these are based on vulnerabilities in Java code that, if exploited, allow an attacker to carry out malicious actions against the site. One of the ways Polaris identifies and deters Java attacks is signature-based detection: looking for a unique identifier, such as a string of code or a hash, that is known to be malicious.

LFI (Local File Inclusion): In this attack, the attacker tricks the web application into exposing a file that is present locally on the server. Typically this occurs when a file path is taken from user input. An LFI attack can lead to information disclosure and is usually due to a lack of input validation. Polaris uses multiple parameters to detect an LFI attack.

N-Day: Attacks that are already known and publicly disclosed. The letter 'n' may denote the number of days between the threat being detected or identified and an organization being attacked by it. Polaris identifies and mitigates these attacks based on the N-Day rules within the system settings and configuration.

PHP: Attacks based on vulnerabilities in PHP code, usually due to a lack of user input sanitization. This allows an attacker to attack the site directly through its input fields and boxes, such as comment or contact-us forms. One of the ways Polaris identifies and deters these attacks is signature-based detection.

Protocol: These attacks exploit the rules of a protocol that establishes a process, with the goal of consuming an excessive amount of resources. Some of the common protocol attacks are SYN floods, ping of death, and packet attacks.

RCE (Remote Code Execution): One of the most critical attack types. An attacker finds a way to inject malicious code into a server, which the server then unknowingly runs. Once running, the code allows the attacker to bypass access controls, take complete control of the system, or retrieve restricted files and data.

RFI (Remote File Inclusion): Similar to an LFI attack, but it includes a remote file instead. It can force the web application to run the attacker's own malicious code. Polaris uses multiple parameters to detect an RFI attack.
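To make the LFI and RFI entries above concrete, here is an added example of the kind of multi-parameter check a detection layer can run over request parameters. It is illustrative code written for this article, not Polaris's own detection logic; the request lines and the file-name patterns are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed request lines ("METHOD /path?query"); not Polaris log output.
SAMPLE_REQUESTS = [
    "GET /index.php?page=home",
    "GET /index.php?page=../../../../etc/passwd",
    "GET /index.php?page=..%2F..%2Fetc%2Fpasswd",
    "GET /index.php?page=http://remote.example/file.txt",
    "GET /index.php?page=php://filter/convert.base64-encode/resource=config",
    "GET /search?q=how to include a remote file",
]

# Each pattern is one "parameter" of the check; a hit on any of them flags the value.
TRAVERSAL = re.compile(r"\.\.(/|\\)")
LOCAL_TARGETS = re.compile(r"(^|/)(etc/passwd|etc/shadow|proc/self|windows/win\.ini)", re.I)
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.I)
STREAM_WRAPPER = re.compile(r"^(php|data|expect|phar)://", re.I)

def classify_value(value):
    """Return "LFI", "RFI" or None for a single parameter value."""
    # parse_qsl already decoded once; decoding again exposes double-encoded
    # sequences such as %252e%252e%252f that would otherwise slip past.
    v = unquote(value)
    if REMOTE_SCHEME.match(v):
        return "RFI"
    if STREAM_WRAPPER.match(v) or TRAVERSAL.search(v) or LOCAL_TARGETS.search(v):
        return "LFI"
    return None

def classify_request(line):
    """Return (parameter, decoded value, verdict) for each flagged query parameter."""
    _method, _, target = line.partition(" ")
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        verdict = classify_value(value)
        if verdict:
            findings.append((name, value, verdict))
    return findings

def scan_samples(requests=SAMPLE_REQUESTS):
    """Count verdicts across the constructed requests (e.g. {"LFI": 3, "RFI": 1})."""
    counts = {}
    for line in requests:
        for _name, _value, verdict in classify_request(line):
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Real deployments pair such patterns with an allow-list of the file names the application is actually permitted to include, which is the application-side fix for both LFI and RFI.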

Scanners: Also known as site scanning, attackers use scanning tools to gather as much information about your site as possible as the initial phase of an attack. The less information revealed, the better: with less information discovered, it takes more time and resources to attack your site, which helps deter the attack. Detecting scanning serves as an early warning sign that your site is being targeted, and this detection is a service provided by Polaris.

Session Fixation: Allows an attacker to hijack a valid user session by using a valid session ID to gain access to a user's account. This can occur when the web application fails to validate an existing session.
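The session fixation entry above describes the cause (the application honours a session ID it did not itself issue, or keeps the same ID across login). As an added example, not Polaris code, here is a minimal in-memory session store that applies the two standard application-side defences; the store and the walk-through scenario are constructed for illustration.

```python
import secrets

class SessionStore:
    """Minimal in-memory session store (constructed example, not Polaris code).

    Two rules defeat session fixation:
    1. Only server-issued IDs are honoured, so an ID chosen by someone else
       and handed to the victim is never adopted as a session.
    2. Logging in always discards the pre-authentication ID and issues a
       fresh one, so an ID known before login grants nothing afterwards.
    """

    def __init__(self):
        self._sessions = {}  # session id -> {"user": str or None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        # Rule 2: rotate the ID on privilege change (anonymous -> authenticated).
        self._sessions.pop(presented_sid, None)
        fresh_sid = secrets.token_urlsafe(32)
        self._sessions[fresh_sid] = {"user": user}
        return fresh_sid

    def current_user(self, sid):
        # Rule 1: unknown IDs resolve to nothing instead of creating a session.
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def fixation_scenario():
    """Constructed walk-through: an ID known before login is useless after it."""
    store = SessionStore()
    planted_sid = store.new_session()            # ID that existed before login
    new_sid = store.login(planted_sid, "alice")  # the user authenticates
    return {
        "old_id_after_login": store.current_user(planted_sid),
        "new_id_after_login": store.current_user(new_sid),
        "never_issued_id": store.current_user("id-the-server-never-issued"),
        "rotated": planted_sid != new_sid,
    }
```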

SQLI (SQL Injection): Malicious SQL code is entered into website fields and boxes, such as contact-us forms, to manipulate the database into returning information that is not meant to be displayed. This information can be anything stored in the database, from customer orders to credit card numbers and personally identifiable information. Polaris helps detect and filter out such code to prevent these attacks.

Temporary Ban: Polaris temporarily bans users that it detects are conducting suspicious activities on the site, disallowing access. 

XSS (Cross-Site Scripting): XSS occurs when malicious code is loaded into a visitor's browser and then executed there. This is called a client-side attack because it is not the organization that is directly attacked, but the visitor to the organization's site. It usually takes the form of a script from the attacker, such as a pop-up box, which a visitor to a trusted website may inadvertently click. Because the browser trusts the site, it will usually execute the malicious script. The script can also access sensitive information such as cookies and session tokens.
