One of the most malicious attacks that can ever be launched on a website is being flooded with multiple requests that it cannot handle, otherwise known as DDoS’es. According to internet security researchers, this nightmare may have recently become a reality after one site was targeted in such a manner with an aim of overwhelming with the numerous HTTP requests and making it go offline. It is suspected that the attacks were channeled through a mobile advertising network.
This revelation came to light after CloudFare, a distributed denial-of-service protection company intimated that one of their customer’s sites was the victim of this aggression. The company revealed that the sight was bombarded with more than 4 billion page requests within a span of a few hours. On further analysis, it was discovered that majority of these requests were made using smartphone browsers. Upon even digging further, it was noted that an astounding number of these requests came from Chinese IP addresses.
Recent distributed denial-of-service attack uses mobile browsers such as Chrome. Image: iStock ( ZDNET )
Marek Majkowski, speaking on behalf of CloudFare, indicated that for several years now the threat of such attacks have been known, at least theoretically. Known as ‘Layer 7’ flood attacks, they have never occurred before mainly because of a great challenge in forcing numerous requests on one site from multiple browsers. This is due to the fact it is incredibly hard to effectively supply the malicious JavaScript that would compel the browsers to make such requests. What made these requests even more dangerous is that they have headers which look genuine and are issued by real browsers. This makes them look less malicious than the Ruby and Python scripts which usually have incorrect headers and scripts. It is therefore harder to detect and eliminate them.
Internet security experts have looked into a number of ways hackers can overcome this stumbling blocks and launch their attacks. One of the ways that has been viewed as a potential ‘flood gate’ is through the use of suggested web ads. It seems that the hackers have also been doing their homework and this is the path that was used.
After the attack was noted, the next step was analyzing the log files to identify exactly what went wrong and how it was done. Majkowski revealed that upon doing these analyses, it was discovered that the attacks climaxed at beyond 275,000 HTTTP requests each and every second. As previously mentioned, most of those requests (80%) were made from smartphones. What is even more astounding is that they seemed to stem from one location. A whopping 98% of the requests came from Chinese IP addresses. The log files also had a lot to say about the kind of mobile browsers that were used. They included Safari, Chrome, Xiaomi’s MIUI browser, and Ten cent’s QQBrowser.
The CloudFare expert further revealed how that data on the location from which the attacks were launched and how they were done were similar and consistent in nature. He stated that there are strings such as ‘iThunder’ which imply that the request was made from a mobile-based app. Furthermore, there were numerous other strings such as ‘MetaSr’, ‘F1Browser’, and ‘QQBrowser’ which indicate that they were implemented from not only browsers but also apps that are popular among smartphone users in China.
Majkowski is of the opinion that visiting the ads placed on iframes is what led manty browsers to visit the attack page which hosted the malicious JavaScript. In doing this, he believes that the attackers were able to effectively launch their attacks over the ad network not only through browsers but also apps.
The attack is achieved by serving a user with an iframe add requested by the add network when they are using an app or browser. The ad network redirects the request to a successful third party bidder for the inventory; which in turn leads the user to the attack page thereby launchi8ng the flood of looping XHR requests.
