Mobile Ad Network exploited to run a major DDoS Attack

Security experts at CloudFlare observed a major DDoS attack against one of their customers that appeared to leverage a mobile ad network.

CloudFlare firms revealed that one of its customers was recently hit by a distributed denial-of-service (DDoS) attack that appeared to leverage a mobile ad network and malicious JavaScript.

The experts explained that the DDoS attack relied on a JavaScrip that generates legitimate HTTP requests.

The possible exploitation of ad network was discussed two years ago at the Black Hat conference by the experts Jeremiah Grossman and Matt Johansen.

Unfortunately, this kind of DDoS attack is being popular in the hacking community, in April security researchers from the University of California at Berkeley and the University of Toronto have uncovered a powerful weapon of the Chinese Government cyber arsenal, dubbed the Great Cannon, used to hit websites with powerful DDoS attacks. The Great Cannon has been used by Chinese authorities to knock-out two anti-censorship GitHub pages and it can be also used as a hacking tool to silently install malware on the targeted machine.

The experts explained that the Great Cannon relies on malicious JavaScript injected into unencrypted traffic in order to carry on DDoS attacks.

Another similar DDoS attack was uncovered last week, experts at Imgur discovered that a vulnerability in the platform was exploited by attackers to target the imageboards 4chan and 8chan.

Now, CloudFlare noticed a large number of HTTP requests addressing one of its customer’s website, the DDoS attack peaked at over 1 billion requests per hour. The experts observed a total of 4.5 billion requests reaching the content delivery network’s servers on the day of the attack.

The overall number of unique IP addresses originating the requests is 650,000, 99.8 percent these addresses belong to China.

Experts at CloudFlare discovered that nearly 80 percent of the requests were originated from mobile devices (mobile apps and browsers commonly used by Chinese users).

“Attacks like this form a new trend,” states a blog post published by CloudFlare. “They present a great danger in the internet — defending against this type of flood is not easy for small website operators.”

“There is no way to know for sure why so many mobile devices visited the attack page, but the most plausible distribution vector seems to be an ad network,” Majkowski wrote. “It seems probable that users were served advertisements containing the malicious JavaScript. [These] ads were likely showed in iframes in mobile apps, or mobile browsers to people casually browsing the internet.” explained the researcher Marek Majkowski.

The experts discovered that the websites from the “Referer” header pointed to an ad aggregator or a link farm. The DDoS attack relies on a JavaScript hosted on these pages and that was able to generate a large number of XMLHttpRequest (XHR) requests.

CloudFlare researchers excluded that the DDoS attack was conducted by injecting TCP packets like observing in the DDoS attack conducted by the Great Cannon.

CloudFlare provided the following description for the attack scenario:

  • A user was casually browsing the Internet or opened an app on the smartphone.
  • The user was served an iframe with an advertisement.
  • The advertisement content was requested from an ad network.
  • The ad network forwarded the request to the third-party that won the ad auction.
  • Either the third-party website was the “attack page”, or it forwarded the user to an “attack page”.
  • The user was served an attack page containing a malicious JavaScript which launched a flood of XHR requests against CloudFlare servers.

“It seems the biggest difficulty is not in creating the JavaScript — it is in effectively distributing it. Since an efficient distribution vector is crucial in issuing large floods, up until now I haven’t seen many sizable browser-based floods,” Majkowski added.

Pierluigi Paganini

(Security Affairs – DDoS,  Java Script)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

12 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

19 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.