650,000 Chinese smartphones used to launch ad network DDoS attack

A massive flood of web traffic originating from smartphones in China was used in an attempt to disrupt an unnamed web server, according to security researchers at CloudFlare.

The distributed denial of service (DDoS) attack peaked at over 275,000 HTTP requests per second and resulted in 4.5 billion hits on the targeted website.

The attack has been blamed on malicious advertising networks that compromised up to 650,000 smartphones.

Marek Majkowski, DDoS mitigation expert at CloudFlare, said that the firm’s servers are constantly being targeted by DDoS attacks, from DNS reflection to Layer 7 HTTP botnet floods, yet this attack caught his attention because of the high levels of traffic involved.

“There is no way to know for sure why so many mobile devices visited the attack page, but the most plausible distribution vector seems to be an ad network. It seems probable that users were served advertisements containing the malicious JavaScript,” he explained.

“Attacks like this form a new trend. They present a great danger in the internet. Defending against this type of flood is not easy for small website operators.”

An analysis of the attack logs found that 80 percent of the traffic originated from mobile devices, nearly all of which were from Chinese IP addresses.

[Figure: CloudFlare DDoS requests]

Furthermore, analysis of the logs revealed the names MetaSr, F1Browser, QQBrowser and UCBrowser, all common browser applications in China.
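The kind of log triage described above can be sketched as follows. This is an added example, not CloudFlare's tooling: it assumes combined-format access logs, uses constructed sample lines, and treats the mobile check as a rough heuristic. It reports the mobile share, the peak requests per second and the counts for the browser names mentioned in the article.

```python
import re
from collections import Counter

# Combined log format: ip, timestamp, request, status, size, referer, user agent.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')
# Browser names reported in the article; the mobile test is a heuristic assumption.
BROWSER_RE = re.compile(r'MetaSr|F1Browser|QQBrowser|UCBrowser')
MOBILE_RE = re.compile(r'Android|iPhone|iPad|Mobile')

# Constructed sample lines (documentation IPs, invented path), not real attack logs.
SAMPLE_LOG = '''\
198.51.100.7 - - [29/Sep/2015:12:45:01 +0000] "POST /x HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 4.4.4; zh-CN) AppleWebKit/534.30 UCBrowser/10.6 Mobile Safari/534.30"
198.51.100.8 - - [29/Sep/2015:12:45:01 +0000] "POST /x HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 MQQBrowser/6.0 Mobile/12H143 Safari/600.1.4"
203.0.113.9 - - [29/Sep/2015:12:45:01 +0000] "POST /x HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/38.0 Safari/537.36 SE 2.X MetaSr 1.0"
truncated entry without the expected fields
198.51.100.20 - - [29/Sep/2015:12:45:02 +0000] "POST /x HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.4.2) AppleWebKit/537.36 F1Browser Mobile Safari/537.36"
198.51.100.21 - - [29/Sep/2015:12:45:02 +0000] "POST /x HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 5.0; zh-CN) AppleWebKit/534.30 UCBrowser/10.6 Mobile Safari/534.30"
'''

def summarize(log_text):
    """Return traffic statistics a defender would check during an HTTP flood."""
    total = mobile = 0
    browsers, per_second = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed entries instead of failing
        user_agent = m.group(6)
        total += 1
        per_second[m.group(2)] += 1  # timestamps have one-second resolution
        mobile += bool(MOBILE_RE.search(user_agent))
        hit = BROWSER_RE.search(user_agent)
        browsers[hit.group(0) if hit else "other"] += 1
    return {
        "total": total,
        "mobile_share": mobile / total if total else 0.0,
        "peak_rps": max(per_second.values(), default=0),
        "browsers": dict(browsers),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```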

CloudFlare has speculated on the DDoS process. First, a web user opening an application on a smartphone is served an iframe with an advertisement.

This ad, which was requested from an ad network, then forwards a request to a third party which has successfully bid for the space. The user is then forwarded to an attack page containing malicious JavaScript which then launches a flood of XMLHttpRequest hits against CloudFlare servers.

The technique of using web advertising to spread malicious JavaScript has long been discussed.

“It seems the biggest difficulty is not in creating the JavaScript, it is in effectively distributing it. Since an efficient distribution vector is crucial in issuing large floods, up until now I haven’t seen many sizeable browser-based floods,” said Majkowski.

Nick Sullivan, researcher at CloudFlare, outlined earlier this year how DDoS techniques have diversified in recent years.

“The fundamental concept that fuelled the Web 2.0 boom of the mid-2000s was the ability for sites to load content asynchronously from JavaScript,” he wrote in a blog post.

“Web pages became more interactive once new content could be loaded without having to follow links or load new pages. While the ability to make HTTP(S) requests from JavaScript can be used to make websites more fun to use, it can also be used to turn the browser into a weapon.”

CloudFlare has not named the website affected in the latest attack, which involved a significant amount of web traffic.


29 September 2015 | 12:45 pm – Source: v3.co.uk

