New DDoS attacks: from smartphone browsers
Security experts recently discovered that smartphone browsers can also generate flood attacks with massive traffic.
DDoS attacks detected from mobile browsers
According to a security expert's analysis, a mobile advertising network can direct thousands of mobile browsers to a website at the same time, causing the website's server to crash and thereby achieving a distributed denial-of-service attack.
CloudFlare, a DDoS protection service provider, found that a customer's website received 4.5 billion page requests within several hours. Analysis of the source IP addresses and the requested objects showed that the requests came from mobile browsers with Chinese IP addresses.
According to Marek Majkowski of CloudFlare:
Browser flood attacks are Layer 7 attacks: they run over TCP at Layer 7 (the application layer) of the OSI model. This attack method was proposed as a theory several years ago, but it is difficult to efficiently get a large number of distributed browsers to send requests to the target URL at the same time and produce a DDoS effect, so it had never appeared in a real environment.
This time, by analyzing the monitoring logs, Majkowski found that the attack reached 0.27 million requests per second during the peak period, and that 80% of the devices initiating requests were mobile phones. The logs also showed that the mobile browsers initiating the requests included Safari, Chrome, Xiaomi browser, and QQ browser.
How are these attacks formed?
First, the organizer of the attack intercepts the content of a searched or hosted webpage and injects malicious JavaScript code. For example, the organizer inspects the JavaScript code and HTML resources of a webpage hosted on baidu.com and replaces them with JavaScript code that contains the attack fragment (code that initiates requests to the target website). Then, when a user opens a browser app or browses to these pages, requests are sent continuously to the attacked domain name.
The following is the injected code that initiates the requests. With the target modified, it sends requests to the target website:
function imgflood() {
  var TARGET = 'victim-website.com'
  var URI = '/index.php?'
  var pic = new Image()
  var rand = Math.floor(Math.random() * 1000)
  pic.src = 'http://'+TARGET+URI+rand+'=val'
}
setInterval(imgflood, 10)
The script creates an image object whose source URL points to the victim-website.com website, and it does so every 10 milliseconds with a random number between 0 and 999 as the query-string parameter name. As long as a user visits a web page containing the script, that browser becomes a participant in the DDoS attack on "victim-website.com". Every request sent by the browser is a valid HTTP request, which is what makes this a Layer 7 attack.
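On the receiving side, the request shape produced by the script above is distinctive enough to detect in access logs. The following is an added example, not code from CloudFlare or the original article: the log format, the thresholds, the mobile User-Agent heuristic and the function names are assumptions, and the log lines are constructed sample data.

```javascript
// Flag clients whose requests match the shape generated by imgflood():
// /index.php?<0-999>=val, sent at a sustained high rate from one address.
const FLOOD_URI = /^\/index\.php\?(\d{1,3})=val$/;
const MOBILE_UA = /Mobile|Android|iPhone/i; // rough heuristic (assumption)

// Assumed log format: "<epoch_ms> <client_ip> <uri> <user agent ...>"
function parseLine(line) {
  const [ts, ip, uri, ...ua] = line.split(' ');
  return { ts: Number(ts), ip, uri, ua: ua.join(' ') };
}

function detectFlood(lines, { windowMs = 1000, minHits = 20 } = {}) {
  const byClient = new Map();
  for (const rec of lines.map(parseLine)) {
    if (!FLOOD_URI.test(rec.uri)) continue; // ignore ordinary page requests
    if (!byClient.has(rec.ip)) byClient.set(rec.ip, []);
    byClient.get(rec.ip).push(rec);
  }
  const flagged = [];
  for (const [ip, recs] of byClient) {
    recs.sort((a, b) => a.ts - b.ts);
    let peak = 0, start = 0;
    for (let end = 0; end < recs.length; end++) { // sliding time window
      while (recs[end].ts - recs[start].ts >= windowMs) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak < minHits) continue;
    // Many distinct numeric parameter names indicate the random cache-buster.
    const keys = new Set(recs.map(r => r.uri.match(FLOOD_URI)[1]));
    flagged.push({ ip, peak, distinctKeys: keys.size,
                   mobile: MOBILE_UA.test(recs[0].ua) });
  }
  return flagged;
}

// Constructed sample: one browser firing every 10 ms plus one normal visitor.
function sampleLog() {
  const lines = [];
  for (let i = 0; i < 100; i++) {
    lines.push(`${1000 + i * 10} 203.0.113.7 /index.php?${(i * 37) % 1000}=val ` +
               'Mozilla/5.0 (iPhone) Mobile Safari');
  }
  lines.push('1200 198.51.100.9 /index.php?page=2 Mozilla/5.0 (Windows NT 10.0)');
  lines.push('1900 198.51.100.9 /about.html Mozilla/5.0 (Windows NT 10.0)');
  return lines;
}

console.log(detectFlood(sampleLog()));
```

Because each request is individually valid, the signal is the combination of rate and the random numeric parameter name rather than any single request; clients behind shared NAT addresses may need a higher `minHits`.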