Out-of-band resource load in Google allows attacker to launch a DDoS attack from its servers

A security researcher discovered an Out-of-band resource load flaw in Google’s servers that allowed him to perform a DDoS attack on remote hosts.

Young security researcher, Luka Sikic from Croatia found a serious vulnerability in Google. He was able to servers of the IT giant to perform a DDoS attack on remote hosts.

Out-of-band resource load (classified by PortSwigger) is original name for this type of vulnerability which allows attackers to use vulnerable servers (in this case Google’s) to perform DoS / DDoS attack on a remote host. Basically, the attacker would send a big number of requests to vulnerable web application containing target host as payload, then the vulnerable web application will reflect every request to target address, defined by the attacker. PortSwigger rated this issue severity as high level.

During exploitation test, Sikic was able to gain over 700 Mbps traffic after 10,000 requests.

However, Google has a caching system which is there to prevent this type of issue. Sikic was able to bypass that security measure and let server think that every request is unique.

In his demonstration video, we can see that traffic goes around 300 Mbps, depending on the number of requests per second.

As a mitigation measure for this issue, there should be a better caching mechanism and a detecting system which would not allow an unlimited number of requests to a remote host.

We found that this is not the first time Sikic found a vulnerability in Google’s products. Few months before, he found and reported Cross-site Scripting in YouTube, and Big G received reports about these this issue, and Sikic is already listed in Google’s “Hall of fame” list.

This 17 years old researcher is already certified by Offensive Security and obtained his OSCP certification.

Timeline for the Out-of-band resource load is:

February 18 – Bug Reported
February 19 – More information sent
February 20 – Report Triaged
February 22 – Security Issue Confirmed
February 22 – Google update: Issue is already known to Google

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Out-of-band resource load,  DDoS)