Shulou(Shulou.com)05/31 Report--

What this article shares to you is about how to analyze the behavior blocking or Session blocking in the database firewall blocking mode. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article.

01. Behavior blocking

Behavior blocking is the natural way of database firewall. When an intrusion is detected, the operation of the behavior is blocked. Behavior blocking can work in different modes according to different response preferences.

Mode 1: error response mode

After blocking the operation, a predefined error message is returned so that the application can construct a reasonable error response. The advantage of error response mode is that it allows the application to detect the intrusion and respond to reasonable error forms to users and intruders. The downside is that the intruder may also be aware of the security business logic at work, especially if the application lacks error handling, it may return the error response directly to the intruder.

Mode 2: silent response mode

After blocking the operation, the normal zero response information is returned, including 0 rows of data, 0 rows of data affected or response information of successful operations. The advantage of silent response mode is that the completely normal business logic response can make it difficult for intruders to obtain relevant information, and the disadvantage is that the application can not perceive the intrusion and can only rely on the operation of security devices.

Mode 3: continuous blocking mode

When a risky operation that should be blocked is detected, the Session is defined as a high-risk Session, and all subsequent operations are marked as high-risk operations, regardless of their content. The advantage of the continuous blocking mode is that it increases the attempt cost and frustration of the intruder, and the disadvantage is that the business may continue to fail due to the misjudgment of the risk detection engine.

02.Session blocking

Session blocking is a simple operation relative to behavioral blocking, interrupting network connections and preventing further operations. The advantage of Session blocking is that it is very simple to implement technically, while the disadvantages will bring many unpredictable effects. Moreover, it cannot be used in the database firewall.

Why can't Session blocking be performed in the database firewall?

Most enterprise applications are based on database connection pooling technology. The basic path is: the business application initiates a database operation request, obtains a database connection from the database connection pool, and the application performs the business operation on this given database connection. After the business operation is completed, release the database connection to the database connection pool.

Let's analyze the operation and impact of Session blocking. In general, most Session blocking is achieved by sending Reset packets to the client and server respectively. We do not explore the effectiveness of reset signal blocking here, assuming that it can always be blocked quickly. Under this premise, we explore the possible impact from two aspects:

01. Impact of database connection pooling

Blocking the Session results in a reduction in the number of available database connection pools. Especially in most cases, the database connection pool will not detect the Reset signal, that is, although the network connection has been interrupted, the database connection pool does not realize that the connection is no longer available and will still assign business to the interrupted database connection, resulting in large-scale business errors.

Simply speaking, the intruder can realize the cc attack through a simple invalid attack that can be identified by the database firewall, resulting in the unavailability of the business system. In order to avoid this situation, it is necessary to add a specific error detection function to the database connection pool, close the specific invalid link when a specific error is detected, and initiate a reconnection proactively to keep the business program running.

02. The influence of database side

In most cases, the database can not handle the reset signal well, but needs to rely on the dead process detection program to process. Because the processing can not be guaranteed to be effective, that is to say, in quite a number of scenarios, there may be a large number of dead processes, consuming a lot of database session resources, or even the shared resources are not released, resulting in the database hanging.

Theoretically speaking, the database firewall equipment must adopt the behavior blocking mode, and the specific form of behavior blocking can achieve the corresponding goals. Session blocking mode has many unpredictable effects and should not be adopted by database firewalls.

The above is how to analyze the behavior blocking or Session blocking in the database firewall blocking mode. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.