Cybersecurity for SAP Managers: DoS Attacks

Feb 21, '17 by Joerg Schneider-Simon

In years past, corporate IT departments exerted complete control over who used their SAP applications. Any endpoint that accessed SAP was known and secured. As a result, managers tasked with SAP security were concerned about internal business- and process-based security threats, focusing primarily on roles, permissions and segregation of duties.

These days, however, SAP systems are frequently integrated into business processes involving external entities – for example, suppliers, resellers, job applicants and even unknown customers. This can be very good for business, bringing new levels of efficiency to operations and visibility to information.

Unfortunately, this can be very bad for security.

 With this new reality, there is no easy way for an SAP manager to verify that only secure endpoints can access an application. These unsecured endpoints potentially expose your entire SAP system to very real, very dangerous cybersecurity threats.

It’s no longer enough for SAP managers to focus only on internal security threats. External cybersecurity threats must now be an equal priority.

Over the next few weeks, we’ll be publishing a series of posts to help illuminate the nature of these external cybersecurity threats and identify best practices to protect your SAP system and enterprise in general. In this first post, we discuss one of the most common potential dangers: Denial of Service attacks.

Denial of Service (DoS): What You Need to Know

A denial of service (DoS) attack occurs when an attacker finds a way to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services. Typically, this involves either overloading the infrastructure or application with requests until it no longer functions or exploiting system vulnerabilities to disable a required component, making the application unusable.

You don’t need deep technical knowledge to overload a system, and it’s relatively easy for someone to download a malicious script off the internet. This means just about anyone could attack your SAP system – whether it’s a competitor, disgruntled employee or someone doing it just for “fun.”

DoS attacks can occur at various layers of your SAP system, including the network, application and content layers, as well as at the user level. Here’s what you need to know about cyberattacks on these various layers:

Network Layer DoS Threats

At the network layer, an outside attacker can flood your system with an overwhelming number of concurrent or half-opening connection requests. This either causes your server to crash or ties up your resources and slows down response times to the point where your system can’t function.

The attack may be a “simple” DoS attack coming from a single computer, or it may be a distributed denial of service (DDoS) attack using multiple computers and Internet connections to flood your system. In both scenarios, the impact is massive and immediate.

While there’s no easy way to prevent an attack at the network layer from happening, there are steps you can take to mitigate the potential impact. One easy approach is to reduce connection request time-outs (“SYN-Received Timer”) at the operating system’s network configuration level. This gives an attacker far less time to saturate/overload your system, which makes it significantly more difficult to successfully execute an attack.

More complex DDoS attacks require far more complex mitigation strategies, such as dynamic redirection of attack traffic into so-called “network sinkholes”. This kind of mitigation requires close interaction between the victim and the Internet Service Provider.

Application Layer DoS Threats

At the application layer, a hacker can launch an attack by opening a large number of concurrent sessions until the maximum number allowed is reached. Like a network-layer DDoS attack, this overloads your system until it slows down or stops working.

A simple solution is to require two-step user authentication or the use of captchas before an application can be accessed. While this isn’t foolproof, it can slow down an attacker and make accessing your application difficult enough that the attacker cannot automate the creation of sessions at a large scale.

Content Layer DoS Threats

One example of content-layer DoS threats are zip bombs. A zip bomb is a zip file nested within a zip file nested within a zip file, and so on, ad infinitum.

When an external user uploads a zip bomb to your SAP system, the scanning system unpacks each of the nested files, which quickly consumes a lot of resources. Ultimately, processing so many requests shuts down your system.

A good defense strategy is to install SAP security software specifically designed to scan external content uploads, which can help prevent these attacks from occurring. 

User Level DoS Threats

User-level attacks can manifest in several ways. One possibility is a hacker who purposely locks user accounts by submitting fake passwords. If your organization's user names are easily predictable – or already known by the attacker – a simple script can run bogus login attempts at scale across your organization. Since many secure applications lock the user out after a certain number of failed login attempts, this attack will lock out the actual users and potentially disrupt your operations. Resolving this type of attack can be done, but will tie up resources and create headaches for everyone in your company.

In another scenario, hackers create scripts to flood your application with content. The content may be bogus or it may be real, but again, the impact is to tie up your resources.

For example, let's say a hacker uses an automated script ot submit 2,000 fake (but legitimate-looking) resumes via your SAP e-recruiting application. Someone within your HR department will need to sift through all those documents to confirm which ones are in fact fake. This might not be as devastating a blow as a network-level DDoS attack, but as with the other hacks, could seriously disrupt your normal business operations.

A simple way to reduce the likelihood of this type of attack is to require a two-step account confirmation process before users can submit content through your application.

Although there’s no silver bullet to protect yourself from all cybersecurity threats, the good news is there are steps you can take to mitigate the impact of an attack. And in the best-case scenario, having the right SAP cybersecurity solution in place can help prevent a cyberattack from even occurring.

To learn more about how bowbridge can help protect your SAP applications from cyberattacks, contact us today.


Download our Solution Brief: Protecting SAP E-Recruiting from Hackers and Malware Uploads