Selfdefending Databases presented at Hashdays 2012

by Alexander Kornbrust

Tags: Monitoring Databases Honeypot

Summary: Many attackers on the internet use automated SQL injection tools such as Havij or Pangolin to extract data from databases. After the initial SQL injection vulnerability is found, it often takes only a few minutes before the attacker downloads data from the database. Most organizations are unable to react in a timely manner (less than 10 minutes). Administrators or managers on duty do not have the knowledge or permission to decide whether a database should be shut down. By the time they get permission from management, the data is already gone and abused, or probably published on the web. This talk describes how to implement a self-defending database that automatically protects against these kinds of automated SQL injection attacks. By using built-in functionality of Oracle and MSSQL, the database itself can detect SQL injection attacks and react by killing sessions or stopping the entire database. Additionally, we will show how to identify the use of SQL injection tools against application servers from inside the database by monitoring the SQL statements that are currently being executed. This lets you find out whether bad guys are probing your application with these kinds of tools (even if they are not successful).
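The monitor-and-react loop the summary describes, sketched as an added example that is not code from the talk or its author. The indicator patterns, the threshold and the sample rows are assumptions made for illustration; in a real deployment the rows would come from the database's own view of running statements, and the reaction would be executed by a privileged job.

```python
import re
from collections import defaultdict

# Heuristic indicators: assumptions for this example, not rules from the talk.
INDICATORS = {
    "union_null_probe": re.compile(
        r"\bunion\s+(all\s+)?select\s+(null\s*,\s*){2,}", re.I),
    "catalog_enumeration": re.compile(
        r"\b(all_tables|all_tab_columns|user_tables|information_schema\.\w+|sysobjects)\b", re.I),
    "time_delay": re.compile(r"\b(waitfor\s+delay|dbms_lock\.sleep)\b", re.I),
}
# Assumed threshold: one odd statement (e.g. a reporting tool reading
# user_tables) must not be enough to kill a session.
KILL_THRESHOLD = 3

# Constructed sample of (sid, serial#, sql_text) rows for three sessions.
SAMPLE_ROWS = [
    (101, 4521, "SELECT name, price FROM products WHERE id = :1"),
    (101, 4521, "UPDATE cart SET qty = :1 WHERE cart_id = :2"),
    (150, 77, "SELECT table_name FROM user_tables"),
    (207, 8813, "SELECT name FROM products WHERE id = 5 "
                "UNION ALL SELECT NULL,NULL,NULL FROM dual"),
    (207, 8813, "SELECT name FROM products WHERE id = 5 "
                "UNION ALL SELECT table_name,NULL,NULL FROM all_tables"),
    (207, 8813, "SELECT name FROM products WHERE id = 5 "
                "UNION ALL SELECT column_name,NULL,NULL FROM all_tab_columns"),
]


def score_sessions(rows):
    """Map (sid, serial) to the indicator names hit by each suspicious statement."""
    hits = defaultdict(list)
    for sid, serial, sql_text in rows:
        matched = [name for name, rx in INDICATORS.items() if rx.search(sql_text)]
        if matched:
            hits[(sid, serial)].append(matched)
    return dict(hits)


def plan_reactions(rows, threshold=KILL_THRESHOLD):
    """Return Oracle kill statements for sessions at or above the threshold."""
    return [
        f"ALTER SYSTEM KILL SESSION '{sid},{serial}' IMMEDIATE"
        for (sid, serial), stmts in sorted(score_sessions(rows).items())
        if len(stmts) >= threshold
    ]


if __name__ == "__main__":
    for action in plan_reactions(SAMPLE_ROWS):
        print(action)
```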