Cloud-based security service provider Incapsula recently detected an application-layer DDoS attack that hijacked a huge volume of traffic and aimed it at a victim's website. The website of an Incapsula customer was flooded with over 20 million GET requests coming from the browsers of more than 22,000 machines. The attack relied on a persistent XSS vulnerability in one of the world's largest and most popular high-profile video content providers. According to Incapsula, the attackers used an Ajax-script-based DDoS tool that abuses the victim's browser to issue DDoS requests at a rate of one request per second.
“The DDoS attack was enabled by a Persistent XSS vulnerability that allowed the offender to inject JavaScript code into the <img> tag associated with the profile image. As a result, every time the image was used on one of the site’s pages (e.g., in the comment section), the malicious code was also embedded inside, waiting to be executed by every future visitor to that page.” reports the official post by Incapsula.
The attack scheme is very interesting. The attacker injected an ‘onload‘ handler into the <img> tag; once a legitimate user visits any page on the vulnerable website where that image is rendered (e.g., the comment section), the JavaScript code injected through the attacker’s image is executed by the visitor’s browser, which in turn injects a hidden iframe pointing at the DDoSers' C&C domain. To run the attack the hackers only need to post comments on popular video pages; the DDoS attack could be scaled further if the publishing of comments were automated by a large botnet, enlisting thousands of hijacked browsers.
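The root cause described above is user-controlled markup (the profile image) being re-rendered on other pages with an event-handler attribute intact. The following sanitizer is an added example, not code from Incapsula or from the affected site, and it assumes the site stores the profile image as an HTML fragment rather than a bare URL; attribute and scheme allowlists are my own choices. It rebuilds the fragment from an allowlist, so an `onload`/`onerror` attribute or a non-image element such as an iframe never reaches the page, and it returns what it dropped so the submission can be logged or reviewed.

```python
"""Allowlist sanitizer for user-supplied <img> markup (added example).

Assumption, not something the Incapsula report states: the site stores the
profile image as an HTML fragment that is re-rendered on comment pages.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_IMG_ATTRS = {"src", "alt", "width", "height"}   # everything else is dropped
ALLOWED_SRC_SCHEMES = {"http", "https", ""}              # "" = relative path; no javascript:/data:


class ImgSanitizer(HTMLParser):
    """Rebuild the fragment from scratch instead of trying to patch it in place."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attribute-or-None) pairs removed, for alerting

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            # iframes, scripts, anything that is not an image: drop the tag entirely
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip()
            if name not in ALLOWED_IMG_ATTRS:
                self.dropped.append((tag, name))        # e.g. onload, onerror, style
                continue
            if name == "src" and urlparse(value).scheme.lower() not in ALLOWED_SRC_SCHEMES:
                self.dropped.append((tag, "src"))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append("<img" + "".join(kept) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        pass  # <img> is void; closing tags of dropped elements are discarded too

    def handle_data(self, data):
        self.out.append(escape(data))  # text nodes are re-escaped, never passed through


def sanitize_img_markup(fragment):
    """Return (clean_html, dropped) for one submitted profile-image fragment."""
    parser = ImgSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample: an avatar tag carrying an inline event handler
    print(sanitize_img_markup('<img src="https://cdn.example.test/a.png" onload="handler()">'))
```

Sanitizing on input is the first layer; a `Content-Security-Policy` whose `script-src` omits `'unsafe-inline'` is the second, because a browser enforcing it refuses to run inline event-handler attributes even if one slips through.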
“Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively creating a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.”
The duration of a victim's involvement in the DDoS attack is directly tied to the length of the requested video, as explained in the official blog post: the JavaScript runs for the length of the session, and since these can be 20 or even 30 minute videos, the sessions are much longer than usual.
“Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length and with thousands of views every minute, the attack can quickly become very large and extremely dangerous.” researchers explained.
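The traffic shape the quotes above describe is distinctive: many independent clients, each issuing about one GET per second to the same resource for as long as a video session lasts. The detector below is an added example of a behaviour-based check built on that shape; it is not Incapsula's algorithm, the log format and the thresholds (one-second beat, 60-second minimum session, three clients to alert) are assumptions, and the sample log lines are constructed.

```python
"""Behaviour-based spotting of browser-driven Ajax flood traffic (added example).

Not Incapsula's algorithm. It encodes the traffic shape in the report: many
distinct clients, each issuing about one GET per second to the same resource
for as long as a video session lasts. Thresholds below are assumptions.
"""
from collections import defaultdict
from statistics import pstdev


def parse_log_line(line):
    # Constructed log format: "<epoch_seconds> <client_ip> <method> <path>"
    ts, ip, method, path = line.split()
    return float(ts), ip, method, path


def client_streams(lines):
    """Group request timestamps per (client_ip, path)."""
    streams = defaultdict(list)
    for line in lines:
        ts, ip, method, path = parse_log_line(line)
        if method == "GET":
            streams[(ip, path)].append(ts)
    return streams


def is_metronome(timestamps, min_duration=60.0, target_gap=1.0, tolerance=0.25):
    """True when a client's requests form a steady ~1/s beat for at least
    min_duration seconds: a scripted loop, not a human clicking around."""
    if len(timestamps) < 2:
        return False
    ts = sorted(timestamps)
    if ts[-1] - ts[0] < min_duration:
        return False
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean_gap = sum(gaps) / len(gaps)
    return abs(mean_gap - target_gap) <= tolerance and pstdev(gaps) <= tolerance


def detect_browser_botnet(lines, min_clients=3):
    """Return (alert, {path: set_of_client_ips}). The alert fires only when
    several independent clients show the same beat against the same path,
    which separates a hijacked-browser flood from one misbehaving client."""
    flagged = defaultdict(set)
    for (ip, path), stamps in client_streams(lines).items():
        if is_metronome(stamps):
            flagged[path].add(ip)
    hot = {path: ips for path, ips in flagged.items() if len(ips) >= min_clients}
    return bool(hot), hot


def constructed_sample():
    """Constructed access log: five hijacked browsers and two ordinary visitors."""
    lines = []
    # five hijacked browsers: one GET per second to "/" for 90 seconds each
    for i in range(5):
        for sec in range(90):
            lines.append(f"{1000 + sec + i * 0.1:.1f} 198.51.100.{i + 1} GET /")
    # a normal visitor: a handful of page views spread over two minutes
    for sec in (0, 7, 30, 65, 110):
        lines.append(f"{1000 + sec:.1f} 203.0.113.7 GET /watch")
    # another normal visitor: two hits on "/" far apart, too short to count
    for sec in (3, 50):
        lines.append(f"{1000 + sec:.1f} 203.0.113.8 GET /")
    return lines


if __name__ == "__main__":
    print(detect_browser_botnet(constructed_sample()))
```

The per-client check alone would also fire on a single buggy client or a monitoring probe, which is why the alert is gated on the number of distinct clients sharing the pattern; in a real deployment the window and thresholds would be tuned against the site's normal traffic.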
At the time of writing, Incapsula has not revealed the name of the vulnerable website; it is only known that it allows its users to sign up and sign in with their own profiles.
To summarize: to launch a large-scale DDoS attack, the attackers strategically posted comments on popular video pages, effectively creating a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch their favorite videos. The detection of the attack was possible thanks to behaviour-based security algorithms:
A last consideration on the attack: experts believe the attackers are renting out their DDoS attack as a service, based on the following observation:
(Security Affairs – DDoS attack, Persistent XSS vulnerability)