On the principle of DDoS attack using JavaScript and defensive _javascript techniques

Distributed Denial-of-service Attack (DDoS) attacks are one of the oldest and most common attacks against web sites. Nick Sullivan is a system engineer at CloudFlare, a website accelerator and security Service provider. In recent days, he wrote about how attackers use malicious Web sites, server hijacking, and intermediary attacks to launch DDoS attacks, and how to use HTTPS and the upcoming "Child Resource Consistency (Subresource Integrity, referred to Sri)" Web new technology to protect your Web site from attack.

Most of the interaction of modern web sites comes from JavaScript. Web sites enable interactivity by adding JavaScript code directly to HTML or by loading JavaScript from a remote location via HTML element <script src= "" >. JavaScript can emit HTTP (S) requests, and the Web content is loaded asynchronously, but it can also turn the browser into an attacker's weapon. For example, the following code can send a flood of requests to an attack Web site:

  function Imgflood () { 
   var TARGET = ' victim-website.com '
   var URI = '/index.php? '
   var pic = new Image ()
   var rand = Math.floor (Math.random () * 1000)
   pic.src = ' http://
  ' +target+uri+rand+ ' =val ' }
  setinterval (Imgflood, 10)

The above script creates 10 image labels on the page every second. The label points to "victim-website.com" and comes with a random query parameter. If a user accesses a malicious Web site that contains this code, he or she is unknowingly involved in a DDoS attack on "victim-website.com," as shown in the following illustration:

Many web sites use a common set of JavaScript libraries. To conserve bandwidth and improve performance, they use JavaScript libraries hosted by third parties. jquery is the most popular JavaScript library on the web, and it was used by about 30% of sites as of 2014. Other popular libraries include the Facebook SDK, Google Analytics. If a Web site contains a script tag that points to a Third-party managed JavaScript file, all visitors to that site will download the file and execute it. If an attacker seizes such a server hosting a JavaScript file and adds a DDoS code to the file, then all visitors will be part of a DDoS attack, which is server hijacking, as shown in the following illustration:

This attack works because there is a lack of a mechanism in HTTP that allows a Web site to prevent tampered scripts from running. To address this problem, the consortium has proposed adding a new attribute child resource consistency. This feature allows the Web site to tell the browser that the script will run only if the script it downloads is consistent with the script that the site wants to run. This is done by a cryptographic hash, as follows:

  <script src= "Https://code.jquery.com/jquery-1.10.2.min.js" 
  integrity= "sha256-c6cb9uyis9ujeqinphwthvqh/ e1uhg5twh+y5qfqmyg= " 
  crossorigin=" Anonymous ">

A password hash can uniquely identify a block of data, and the password hashes for any two files are different. Property Integrity provides a password hash of the script file that the Web site wants to run. The browser calculates its hash after downloading the script, and then compares the resulting value to the value provided by integrity. If it does not match, the target script is tampered with and the browser will not use it. However, many browsers do not currently support this feature, and Chrome and Firefox are adding support for this feature.

A man-in-the-middle attack is the latest way for an attacker to insert malicious JavaScript code into a Web site. When you access a Web site through a browser, there are many nodes in the middle. If any intermediate node adds malicious code to the Web page, a man-in-the-middle attack is formed, as shown in the following illustration:

Encryption technology can completely block this code injection. With HTTPS, all communication between the browser and the Web server is encrypted and validated to prevent the third party from modifying the Web page during the transfer process. Therefore, it is possible to prevent man-in-the-middle attacks by setting up a Web site as a https-only and keeping a certificate and verifying it properly.

When replying to a netizen's comment, Nick points out that Sri and HTTPS are complementary, both of which can provide better protection for the site. In addition to the above methods, the use of some DDoS security products to enhance protection is also a choice.