Mobile ad network exploited to launch JavaScript-based DDoS attack

A type of DDoS attack that has until now been mostly theoretical has become reality: CloudFlare engineers have spotted a browser-based Layer 7 flood hitting one of the company's customers with as many as 275,000 HTTP requests per second.

By analyzing the requests, the anti-DDoS outfit discovered the origin of the requests – a website showing just a couple of dozen blinking banners, no other content.

“The page was written in basic HTML and used a couple of simple JavaScript routines,” CloudFlare engineer Marek Majkowski explained. One of the JavaScript files loaded by the site was found to contain malicious code responsible for sending the repeated requests.

By analyzing the logs, they discovered that the targeted domain was bombarded by requests from 650,000 unique IPs. 99.8 percent of the flood was coming from China, and 80 percent of the requests came from mobile devices – from mobile apps and browsers.
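The kind of log triage described above can be sketched as follows. This is an added example, not CloudFlare's code: it assumes access logs in Combined Log Format, assumes the Referer header points at the page the flood is launched from, uses a rough User-Agent heuristic for "mobile", and runs on constructed sample lines.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Assumption: a rough User-Agent heuristic for mobile browsers and in-app web views.
MOBILE_RE = re.compile(r"Mobile|Android|iPhone|iPad", re.I)

def referer_host(value):
    """Return the referring host, or "(none)" if the header is absent or unparsable."""
    try:
        return urlsplit(value).hostname or "(none)"
    except ValueError:
        return "(none)"

def summarize_flood(lines):
    """Count requests, unique IPs, mobile share and the dominant referring host."""
    ips, hosts, total, mobile = set(), Counter(), 0, 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # skip malformed lines instead of guessing at fields
        total += 1
        ips.add(m["ip"])
        mobile += bool(MOBILE_RE.search(m["ua"]))
        hosts[referer_host(m["ref"])] += 1
    if total == 0:
        return {"requests": 0, "unique_ips": 0, "mobile_share": 0.0,
                "top_referer": None, "top_referer_share": 0.0}
    top, count = hosts.most_common(1)[0]
    return {"requests": total, "unique_ips": len(ips), "mobile_share": mobile / total,
            "top_referer": top, "top_referer_share": count / total}

# Constructed sample lines (documentation IP ranges, made-up host name).
ANDROID = "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5) AppleWebKit/537.36 Mobile Safari/537.36"
IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 Mobile/12H143"
DESKTOP = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/45.0 Safari/537.36"
ATTACK_REF = "http://attack-page.example/banners.html"

def log_line(ip, ref, ua):
    return f'{ip} - - [01/Jan/2015:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "{ref}" "{ua}"'

SAMPLE = [log_line("192.0.2.10", ATTACK_REF, ANDROID), log_line("192.0.2.10", ATTACK_REF, ANDROID),
          log_line("198.51.100.23", ATTACK_REF, IPHONE), log_line("203.0.113.5", ATTACK_REF, ANDROID),
          log_line("203.0.113.77", "-", DESKTOP), "truncated or malformed line"]

if __name__ == "__main__":
    print(summarize_flood(SAMPLE))
```

A single referring host accounting for most of a sudden request spike, combined with a very large number of distinct client IPs, is the pattern that separates this kind of browser-based flood from a conventional botnet.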

Majkowski and his colleagues believe that the distribution vector is an ad network.

When a user visited a site or used an app, he or she was served an iframe with an ad. The ad content was requested from an ad network, and it forwarded the request to the party that won the ad auction.

“Either the third-party website was the ‘attack page’, or it forwarded the user to an ‘attack page’,” he noted. “The user was served an attack page containing a malicious JavaScript which launched a flood of XHR requests against CloudFlare servers.”

The attack is successful because the attackers have found a way to effectively distribute the malicious JavaScript.

The size of this particular attack is not so big as to endanger most big sites, but small website operators would struggle to cope with it, says Majkowski, adding that attacks like this present a great danger on the internet.

A couple of JavaScript-based DDoS attacks were spotted this year: the April attack against GitHub and GreatFire, and the more recent one against 4chan and 8chan.
