How JavaScript DDoS attacks work and how to defend against them
Distributed Denial of Service (DDoS) attacks are among the oldest and most common attacks against websites. Nick Sullivan is a systems engineer at CloudFlare, a website acceleration and security service provider. He recently wrote an article explaining how attackers can use malicious websites, server hijacking and man-in-the-middle attacks to launch DDoS attacks, and how HTTPS together with the upcoming Subresource Integrity (SRI) Web standard can protect websites from them.
Most of the interactivity on modern websites comes from JavaScript. A website either embeds JavaScript code directly in its HTML or loads it from a remote location with a <script src=""> element. JavaScript can send HTTP(S) requests to load page content asynchronously, but it can also turn the browser into an attacker's weapon. For example, the following code sends a flood of requests to the targeted website:
function imgflood() {
  var TARGET = 'victim-website.com'
  var URI = '/index.php?'
  var pic = new Image()
  var rand = Math.floor(Math.random() * 1000)
  pic.src = 'http://' + TARGET + URI + rand + '=val'
}
setInterval(imgflood, 10)
The script above creates 10 image tags on the page every second. Each tag points to victim-website.com with a random query parameter (the random value keeps the browser from answering the request from its cache). If a user visits a malicious website containing this code, they take part in a DDoS attack on victim-website.com without knowing it, as shown in the figure:
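The image-flood pattern just described leaves a recognisable trace on the victim's side: one client hitting the same path many times within a second, each time with a different query string, and a Referer header naming the page that planted the script. The following detector is an added example, not code from the article or from CloudFlare; it scans Web server access-log lines in the common log format with the Referer field appended. The log lines, the IP addresses (RFC 5737 documentation ranges) and the host names it uses are constructed for the example.

```javascript
// Added example (not from the original article): a small server-side detector
// for the image-flood pattern. It groups requests by client, path and second,
// and flags groups with many requests that each carry a distinct query string,
// recording which Referer sent them.

// Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status, referer] = m;
  const q = target.indexOf('?');
  return {
    ip, ts, method, status, referer,
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? '' : target.slice(q + 1),
  };
}

// threshold: requests per (client, path, second) with distinct query strings
// above which the group is reported. 20 is an assumed tuning value.
function detectImageFlood(lines, threshold = 20) {
  const buckets = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    // The timestamp in this log format has one-second resolution, so it is the bucket key.
    const key = `${r.ip}|${r.path}|${r.ts}`;
    let b = buckets.get(key);
    if (!b) {
      b = { ip: r.ip, path: r.path, second: r.ts, count: 0, queries: new Set(), referers: new Set() };
      buckets.set(key, b);
    }
    b.count += 1;
    b.queries.add(r.query);
    if (r.referer && r.referer !== '-') b.referers.add(r.referer);
  }
  const findings = [];
  for (const b of buckets.values()) {
    if (b.count >= threshold && b.queries.size >= threshold) {
      findings.push({ ip: b.ip, path: b.path, second: b.second, requests: b.count, referers: [...b.referers] });
    }
  }
  return findings;
}

// Constructed sample log: 30 flood requests from one client within one second
// (the counter stands in for the script's random number), plus two normal requests.
const SAMPLE_LOG = [];
for (let i = 0; i < 30; i++) {
  SAMPLE_LOG.push(`203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.php?${i}=val HTTP/1.1" 200 512 "http://malicious-site.example/" "Mozilla/5.0"`);
}
SAMPLE_LOG.push('198.51.100.7 - - [10/Oct/2000:13:55:36 -0700] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"');
SAMPLE_LOG.push('198.51.100.7 - - [10/Oct/2000:13:55:37 -0700] "GET /style.css HTTP/1.1" 200 1024 "http://victim-website.com/index.php" "Mozilla/5.0"');

console.log(JSON.stringify(detectImageFlood(SAMPLE_LOG), null, 2));
```

The referers collected for a flagged client point at the page carrying the flood script, which is the information a site operator needs in order to contact the host of that page or to block requests whose Referer names it.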
Many websites share a set of common JavaScript libraries, and to save bandwidth and improve performance they load them from a third party. jQuery is the most popular JavaScript library on the Web; as of 2014 it was used by about 30% of websites. Other popular libraries include the Facebook SDK and Google Analytics. If a website contains a script tag pointing to a JavaScript file hosted by a third party, every visitor to the website downloads and executes that file. If an attacker compromises the server hosting the JavaScript file and adds DDoS code to it, every visitor becomes part of the DDoS attack. This is server hijacking, as shown in the figure:
The attack works because HTTP has no mechanism for stopping a script from being tampered with on its way to the browser. To address this, the W3C has proposed a new feature, Subresource Integrity (SRI). It lets a website tell the browser to run a script only if the downloaded script is identical to the one the website intended to run. The markup looks like this:
<script src="https://code.jquery.com/jquery-1.10.2.min.js"
        integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg="
        crossorigin="anonymous"></script>
A cryptographic hash uniquely identifies a block of data: two different files have different hashes. The integrity attribute carries the cryptographic hash of the script file the website wants to run. After downloading the script, the browser computes its hash and compares it with the value given in integrity. If they do not match, the script has been tampered with and the browser refuses to use it. Many browsers do not yet support this feature, but Chrome and Firefox are adding support for it.
Man-in-the-middle attacks are the newest way for attackers to insert malicious JavaScript into websites. When you access a website through a browser, the traffic passes through many intermediate nodes. If any of them adds malicious code to the page, the result is a man-in-the-middle attack, as shown in the figure:
Encryption can block this kind of code injection entirely. With HTTPS, all communication between the browser and the Web server is encrypted and authenticated, so third parties cannot modify the page in transit. Making the website HTTPS-only, keeping its certificate valid and verifying certificates therefore effectively prevents man-in-the-middle attacks.
Responding to readers' comments, Nick pointed out that SRI and HTTPS complement each other and that together they give the website better protection. Beyond these measures, using an anti-DDoS security product to strengthen protection is also an option.