Talking about JavaScript-based DDOS attacks and javascriptddos

Source: Internet
Author: User
Tags: cloudflare


CloudFlare protects millions of websites, and the oldest and most common attack it sees is the DDoS attack. In a traditional DDoS attack, the attacker controls a large number of bots and sends a flood of requests to the target server so that legitimate users can no longer reach the website.

However, in recent years DDoS techniques have kept evolving, and attackers have found a new and interesting way to trick unwitting users into taking part in attacks. Last year, CloudFlare witnessed an NTP amplification attack that was probably the largest DDoS attack in history (more than 400 Gbps).

This year has shown another new trend in DDoS attacks: using malicious JavaScript to trick users' browsers into taking part in DDoS attacks.

The impact of an NTP or DNS amplification attack is limited by the number of servers that can be abused as amplifiers, and the attack traffic is limited by the capacity of those servers. Over time, servers are patched and the number that attackers can exploit shrinks. JavaScript-based DDoS attacks have an unusual property: any device with a browser can participate in the attack, so the potential scale of the attack is almost unlimited.

Principles of JavaScript-based DDOS attacks

Most modern websites use JavaScript for interaction. JavaScript scripts can be directly injected into HTML, or

    function imgflood() {
      var TARGET = 'victim-website.com'
      var URI = '/index.php?'
      var pic = new Image()
      var rand = Math.floor(Math.random() * 1000)
      pic.src = 'http://'+TARGET+URI+rand+'=val'
    }
    setInterval(imgflood, 10)

The script creates an image element on the page whose source points at the victim-website.com website. Any user who visits a web page containing this script becomes a participant in the DDoS attack against victim-website.com. Every request the browser sends is a well-formed request, so the attack is a Layer 7 (application layer) attack.

FreeBuf Encyclopedia: Application Layer attacks

Attackers send large numbers of packets or exploit vulnerabilities in server applications to exhaust server resources, resulting in a DDoS. Such attacks often do not require a large number of bots. Application-layer DDoS attacks include Slowloris and vulnerabilities in Apache, Windows, and OpenBSD. For example, the ModSecurity NULL pointer dereference remote denial-of-service vulnerability (CVE-2013-2765) can be exploited by attackers to crash Apache web servers.

If an attacker embeds a malicious JavaScript script in a website, every visitor to that website becomes a participant in the DDoS attack. The more traffic the website has, the more serious the DDoS attack becomes.

Compromising third-party servers that host shared JavaScript

Many websites use common JavaScript libraries. To save bandwidth and improve performance, these scripts are usually served from shared third-party servers. In other words, if a website contains a script tag pointing to a third-party server, every user who visits the website automatically downloads and executes that JavaScript. Unfortunately, if an attacker compromises the third-party server and injects DDoS attack code into the script, the result is predictable: every visitor becomes part of the DDoS attack.

jQuery suffered such an intrusion in September 2014.

Introduction to Subresource Integrity

Replacing a JavaScript file on a third-party server is in fact an old attack method, and HTTP currently has no mechanism to stop a modified script from running. However, the W3C has proposed a new feature called Subresource Integrity (SRI), which uses a cryptographic hash to verify the script: if the hash does not match, the browser refuses to run it.

For example, consider the following script tag:

    <script src="https://code.jquery.com/jquery-1.10.2.min.js"></script>

The browser downloads the .js file and runs it without any check. Even if an attacker has injected malicious code into the file, the browser will not notice. With Subresource Integrity (SRI), the website tells the browser the expected hash of the script, and if the hash of the downloaded file does not match, the browser will not run it.

    <script src="https://code.jquery.com/jquery-1.10.2.min.js"
            integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg="
            crossorigin="anonymous"></script>

Website administrators are advised to add this attribute to the script tags their sites serve, so that their users cannot be turned into attack participants.

Currently, only the Chrome and Firefox browsers support Subresource Integrity.

Man-in-the-middle attack

A man-in-the-middle sitting between the browser and the server can modify the data in transit, including HTML content and JavaScript scripts. If that man-in-the-middle is malicious and, for example, adds malicious JavaScript to the page, the consequences are equally serious (this is the so-called man-in-the-middle attack).

Modifying websites in transit is a capability that ISPs and Wi-Fi providers have by virtue of their position on the path. If an attacker gains the same position, they can replace scripts in transit with malicious JavaScript, and if that JavaScript contains the DDoS script, the pool of DDoS participants grows further.

The situation can be even worse: if the path along which JavaScript files travel passes through the attacker's network, the number of browsers and users drawn into the DDoS attack can be staggering.

Conclusion: Defense

JavaScript-based DDoS attacks are becoming more and more frequent. The only way to defend against this kind of attack is to enable HTTPS everywhere.
