Classes of Security

There are several classes of security in a web hosting environment, each with its own responsible party. Each responsible party needs to secure its own 'perimeter' before total security can be achieved.

Network Security

The server hosting your account is connected to a network, which is in turn connected to a much larger network called the Internet. A successful attack on the network will make servers inside it unreachable, or at least hard to reach, from the Internet. These are some examples of attacks that target the network:

  • Denial of service (DoS) attack. This attack sends a large amount of data to a target server or network so that it does not have enough bandwidth left to serve legitimate requests. The data sent is usually random junk, but sometimes it consists of specially crafted packets intended to confuse certain services.

  • Distributed denial of service (DDoS) attack. This kind of attack is similar to the DoS attack above, but a DDoS attack is launched from several hosts on the Internet simultaneously, usually from trojaned, zombie or cracked hosts. DDoS attacks are several orders of magnitude more catastrophic than a simple DoS. Even big networks such as Yahoo!, Amazon, CNN, and eBay have been taken down by DDoS attacks.

  • Attack on a network router. A network is connected to the Internet through one or several routers. A successful attack on a strategic router can bring down the whole network.

These classes of attacks are the responsibility of our upstream providers.

Server Security

This class of security involves the server itself. Illegitimate access to a server is usually achieved by exploiting a known vulnerability in a service running on the server. Sometimes it is also possible for an attacker to bring down the server instead of gaining illegal access.

This class of security is our responsibility. We try to make sure that software running on the server contains no known vulnerabilities. If a vulnerability in a service is found, we always try to update the software in question as soon as possible. We also run a server firewall to make it harder for irresponsible parties to gain illegal access to our server.

Since users on our system do not trust each other, we also try very hard to enforce a clear separation between our users while still allowing them to do administration tasks without hassle. A user on our system should not be able to access another user's files or data.

User Account Security

The rest of this chapter mostly discusses this class of attacks. These attacks involve illegitimate access to your account, for example:

  • Shell vulnerability. Crackers can exploit these vulnerabilities to get shell access to your account.

  • Cross-site scripting (XSS). XSS occurs when a web application accepts malicious data from one user and then presents that data to another user verbatim, without escaping. This could allow a malicious user to hijack another user's account.

  • SQL injection attacks. In this class of attacks, an attacker passes a carefully crafted query string to a vulnerable script in order to trick the script into executing arbitrary SQL commands.
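
The two web-application flaws in the list above, each shown next to its corrected form. This is an added example, not code from the original page: Python with an in-memory SQLite database is an assumption (the page names no language), and the table, function names and inputs are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: two accounts in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name, password):
    # User input is pasted into the SQL text, so quote characters in the
    # input become part of the query and can change its meaning.
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return [row[0] for row in db.execute(query)]


def login_safe(db, name, password):
    # Placeholders pass input as data only; the query structure is fixed.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(query, (name, password))]


def render_comment_vulnerable(comment):
    # Stored input is echoed verbatim into the page shown to other users.
    return "<p>" + comment + "</p>"


def render_comment_safe(comment):
    # Escaping turns markup characters into entities before output.
    return "<p>" + html.escape(comment) + "</p>"


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"                      # constructed input
    print(login_vulnerable(db, "alice", crafted))  # every account matches
    print(login_safe(db, "alice", crafted))        # no account matches
    comment = "<script>alert(1)</script>"        # constructed input
    print(render_comment_vulnerable(comment))      # markup reaches the browser
    print(render_comment_safe(comment))            # markup shown as text
```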

User account security is the responsibility of our users. We cannot be expected to audit all the code in every user's account line by line and make sure none of it contains a vulnerability. So it is important for our clients to update third-party software when a vulnerability is found. It is also important to reduce mistakes when developing your web application. This chapter will discuss these topics in greater detail.

Copyright © 2003
