2008 was year of the SQL injection attack: IBM

2008 was the year of the SQL injection attack, IBM's ISS "X-Force 2008 Trend statistics" report makes note.

The year 2008 can be viewed as the year of the SQL injection attack, according to IBM's Internet Security Systems "X-Force 2008 Trend Statistics" report issued Monday.

"SQL injection, in particular, took off in 2008," says X-Force researcher Tom Cross, noting that the annual trend report concludes that 55% of all vulnerability disclosures made by vendors affected Web applications, a number that does not include custom-developed Web applications. Of those vulnerability disclosures, SQL injection-related vulnerabilities jumped 134% to replace cross-site scripting as the predominant type of Web application vulnerability last year.

So it comes as no surprise that attacks against Web sites vulnerable to SQL injection rose from an average of a few thousand per day at the beginning of 2008 to several hundred thousands per day by year end, the IBM report notes.

In fact, news reports of 2008 did chronicle the occurrences of massive SQL-injection attacks that spanned the globe, sometimes causing huge disruption to organizations that had not patched applications or deployed defensive measures such as Web-application firewalls.

The IBM security-trends report also identifies other notable events in 2008, including the shutdown on Nov. 11th of the California-based Web hoster McColo by two upstream ISPs, Hurricane Electric and Global Crossing.

McColo had been a major source of spam production in the United States, and its "takedown," as IBM refers to it, was an event that had an impact in terms of spam volumes originating in the United States.

Just days before the McColo takedown, the United States had been ranked the No. 1 spot worldwide at 14.2% of spam production, followed by Russia, Turkey, Spain and Brazil. But after the McColo takedown, the United States immediately dropped to third place at 8%, with China suddenly surging to top place at 12.7%, the IBM report says.

But in the mercurial world of spam production, things can change quickly and Brazil ended up as the top spam generation spot by year-end with 11.7% of global production. The United States stood at 8.1%, followed by China at 6.6%, Turkey at 5.7% and Russia at 5.7%. "Looks like Brazil is now taking the lead as a source of spam," Cross said.

Learn more about this topic

How one site dealt with a SQL injection attack

Top 25 software screw-ups

iFrame attacks surge, security firm says

Mass SQL injection targets Chinese Web sites

The spam problem was mostly solved last Tuesday
Must read: 11 hidden tips and tweaks for Windows 10
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies