DDoS attack that exploited ad-network discovered

Ray Walsh

September 29, 2015

A kind of exploit first discussed at the 2013 Black Hat cybersecurity conference in Las Vegas has now become a reality. The use of services such as mobile ad networks to launch attacks was first conceptualised by Jeremiah Grossman and Matt Johansen of WhiteHat Security. They discovered that a simple bit of JavaScript, or even a slightly altered HTML request, could be used to ‘force your browser to hack another website, download illegal files from torrents, make embarrassing searches, post offensive messages, even vote for Ed Snowden as Time’s person of the year.’

What’s more, the two digital security experts also admitted at the conference that,

‘The Web has near complete control of your browser as long as you’re connected. Everything we do in our demo, we’re not hacking anything. We’re using the web the way it was meant to be used. My apologies, we don’t have a solution.’

Two years on, and a number of DDoS attacks based on the concept have been coming to light.

Back in April, researchers at the University of Toronto and at Berkeley in California uncovered a DDoS attack (nicknamed the Great Cannon) that is believed to have been carried out by the Chinese government. The attack focused on two websites whose services allow Chinese citizens to circumvent the Great Firewall of China. On that occasion malicious JavaScript – injected into unencrypted traffic and believed to have originated from Baidu servers – was found to be the culprit,

‘The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users.’

Last week the photo-sharing website Imgur was similarly exploited, this time by hiding malicious JavaScript within images that ran on opening. The attack specifically targeted users of the 8chan message board, but it is recognised that the exploit could have been used against a much larger proportion of Imgur’s user base. At the moment it is not clear what the originator of the attack was trying to achieve, though it is recognised that the JavaScript could have been used to gain ‘full control over anything done or seen on 8chan by infected users’, including, for example, stealing 8chan user login details.

The latest threat was uncovered by experts at security firm CloudFlare, who noticed that one of its customers was receiving an unusually high number of HTTP requests. The company believes that the DDoS attack, which peaked at about a billion requests in an hour, leveraged a mobile ad network to carry it out. In total around 650 000 individual IP addresses were used to launch the attack, of which the vast majority (99.8%) originated in China. CloudFlare experts also discovered that around 80% of those requests originated from Chinese mobile apps and browsers.

In CloudFlare’s blog post on the attack, researcher Marek Majkowski explains that this relatively new kind of flooding attack is particularly dangerous for smaller website operators. He also explains why the firm suspects that an ad network was used to distribute the attack,

‘There is no way to know for sure why so many mobile devices visited the attack page, but the most plausible distribution vector seems to be an ad network. It seems probable that users were served advertisements containing the malicious JavaScript. Ads were likely showed in iframes in mobile apps or mobile browsers to people casually browsing the internet.’

CloudFlare also concurs with WhiteHat Security’s original conclusion from two years ago, agreeing that this kind of attack relies on simple JavaScript and that the distribution (on this occasion via an ad network, as WhiteHat suggested it would be) is the toughest part of the attack,

‘It seems the biggest difficulty is not in creating the JavaScript — it is in effectively distributing it. Since an efficient distribution vector is crucial in issuing large floods, up until now I haven’t seen many sizable browser-based floods.’

In the blog post, Cloudflare also laid out a likely description of the attack scenario,

  • A user was casually browsing the Internet or opened an app on the smartphone.
  • The user was served an iframe with an advertisement.
  • The advertisement content was requested from an ad network.
  • The ad network forwarded the request to the third-party that won the ad auction.
  • Either the third-party website was the “attack page”, or it forwarded the user to an “attack page”.
  • The user was served an attack page containing a malicious JavaScript, which launched a flood of XHR requests against CloudFlare servers.

Many ad networks hold auctions for advertising slots, which they offer to the highest bidder. It is believed that the cybercriminal may have won one of those bids in order to get the JavaScript in front of as many people as possible. Amazingly, the BBC has pointed out that the target of the attack received more traffic in a day than the BBC’s news website does in a month. CloudFlare has decided not to disclose who, in particular, ran the servers that were affected by the attack.
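As an added example (not from this article or from CloudFlare’s post), here is a defender-side check in Python for the pattern described above: a burst of cross-origin XHRs from many distinct clients that all carry the same third-party Origin header, which is what a flood launched from an ad iframe looks like in a site’s own access logs. The log format, the origin names and the IP addresses are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed access-log sample (not real traffic), one request per line:
# timestamp  client-ip  "request line"  status  "Referer"  "Origin"
# Cross-origin XHRs carry the Origin of the page that issued them, so a flood
# from an ad iframe shows many clients sending one foreign Origin to one path.
SAMPLE_LOG = """\
2015-09-25T10:00:00Z 203.0.113.10 "GET /api/ping HTTP/1.1" 200 "http://ad-landing.example/p" "http://ad-landing.example"
2015-09-25T10:00:00Z 203.0.113.11 "GET /api/ping HTTP/1.1" 200 "http://ad-landing.example/p" "http://ad-landing.example"
2015-09-25T10:00:00Z 203.0.113.12 "GET /api/ping HTTP/1.1" 200 "http://ad-landing.example/p" "http://ad-landing.example"
2015-09-25T10:00:01Z 203.0.113.13 "GET /api/ping HTTP/1.1" 200 "http://ad-landing.example/p" "http://ad-landing.example"
2015-09-25T10:00:01Z 203.0.113.14 "GET /api/ping HTTP/1.1" 200 "http://ad-landing.example/p" "http://ad-landing.example"
2015-09-25T10:00:01Z 203.0.113.15 "GET /api/ping HTTP/1.1" 200 "http://ad-landing.example/p" "http://ad-landing.example"
2015-09-25T10:00:01Z 198.51.100.7 "GET /index.html HTTP/1.1" 200 "-" "-"
2015-09-25T10:00:02Z 198.51.100.8 "GET /api/ping HTTP/1.1" 200 "https://www.example/app" "https://www.example"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)" "([^"]*)"$')

def parse(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, referer, origin = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": path, "status": int(status),
            "referer": referer, "origin": None if origin == "-" else origin}

def analyse(lines, site_origin, min_clients=5, min_share=0.5):
    """Flag a browser-based flood: many distinct clients whose requests share a
    single foreign Origin and make up most of the traffic. Returns (flagged, report)."""
    recs = [r for r in (parse(l) for l in lines) if r]
    foreign = [r for r in recs if r["origin"] and r["origin"] != site_origin]
    by_origin = Counter(r["origin"] for r in foreign)
    top_origin, top_count = by_origin.most_common(1)[0] if by_origin else (None, 0)
    clients = {r["ip"] for r in foreign if r["origin"] == top_origin}
    share = top_count / len(recs) if recs else 0.0
    peak_rps = max(Counter(r["ts"] for r in recs).values(), default=0)
    flagged = len(clients) >= min_clients and share >= min_share
    return flagged, {"requests": len(recs), "clients": len(clients),
                     "top_origin": top_origin, "share": round(share, 2),
                     "peak_rps": peak_rps}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG.splitlines(), "https://www.example"))
```

The flagged Origin identifies the attack page, which is the value a site can rate-limit or refuse (for example by rejecting XHRs whose Origin is not on its allow list) rather than blocking the hundreds of thousands of client IPs behind it.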
