STUDY OF THE EFFECTIVENESS OF SERVER ATTACKS ON RELATIONAL AND NON-RELATIONAL DATABASES. CREATION OF A DEFENSE STRATEGY.

DOI:

https://doi.org/10.28925/2663-4023.2025.28.756

Keywords:

database, information security, defense strategy, NoSQL-injections, role-based access control, dictionary attack, combined attack, SQL-injections

Abstract

The current state of information technology development is characterized by the widespread use of databases in various fields of activity, in particular in business, medicine, science and public administration. The growth of data volumes and their value leads to an increase in the number of cyberattacks on databases, which makes database security particularly relevant. The article considers the effectiveness of server attacks on relational and non-relational databases. Attack methods such as SQL/NoSQL injections and dictionary attacks are analyzed in detail, and their consequences for the security of information systems are assessed. The effectiveness of brute-force password cracking is analyzed depending on the parameters of hash functions and the number of hashing rounds of the bcrypt library. It is shown that as the number of hashing rounds increases, the computational resistance to password guessing increases, because each attempt takes more time to process. However, even with a limited dictionary and an effective brute-force method, the attack can be performed in a fairly short period of time if the hashing parameters are chosen incorrectly. Schematic diagrams of attacks on the corresponding types of databases are presented. A comprehensive protection strategy is proposed to ensure the confidentiality, integrity and availability of information; it includes pre-processing of user data, password hashing, limits on the number of requests, access delimitation and blocking of automated actions. Methods for countering server attacks are described and implemented; in particular, functional libraries for the secure storage of user passwords are considered. In addition, the effectiveness of different types of attacks is compared in the context of existing protection methods.
The results of the study demonstrated that the comprehensive implementation of the basic components of the protection strategy significantly increases the resistance of data to typical server attacks, especially in a scalable environment with a large number of entry points.

Published

2025-06-26

How to Cite

Markevych, M., & Horiachyi, O. (2025). STUDY OF THE EFFECTIVENESS OF SERVER ATTACKS ON RELATIONAL AND NON-RELATIONAL DATABASES. CREATION OF A DEFENSE STRATEGY. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 4(28), 86–103. https://doi.org/10.28925/2663-4023.2025.28.756