Vulnerability in World's Largest Site Turned Million of Visitors into DDoS Zombies

An application layer or 'layer 7' distributed denial of service (DDoS) attacks is one of the most complicated web attack that disguised to look like legitimate traffic but targets specific areas of a website, making it even more difficult to detect and mitigate.

Just Yesterday Cloud-based security service provider 'Incapsula' detected a unique application layer DDoS attack, carried out using traffic hijacking techniques. DDoS attack flooded one of their client with over 20 million GET requests, originating from browsers of over 22,000 Internet users.

What makes this case especially interesting is the fact that the attack was enabled by persistent XSS vulnerability in one of the world’s largest and most popular site - one of the domains on Alexa’s “Top 50” list.

XSS vulnerability to Large-Scale DDoS Attack

Incapsula has not disclosed the name of vulnerable website for security reasons, but mentioned it as a high profile video content provider website, allows its users to sign-up and sign-in with their own profiles.

The DDoS attack was enabled by a Persistent XSS (Cross site scripting) vulnerability that allowed the attacker to inject a malicious JavaScript code into the tag associated with the profile image.

So, as each time a legitimate visitor arrived to any webpage on the vulnerable domain (e.g. pages where attacker has commented from his profile), attacker's profile image will also load into the visitor's browser and it would automatically execute the injected JavaScript which in turn injects a hidden iframe with the address of the DDoSers C&C domain.

According to Incapsula, attackers are using a Ajax-script based DDoS tool, that force browser to issue a DDoS request at the rate of one request per second.

"Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length and with thousands of views every minute, the attack can quickly become very large and extremely dangerous." researchers explained.

So to make it a large scale DDoS attack, attacker strategically posted comments on the popular video pages, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.

Intercepting the Attack

The attack was blocked by Incapsula’s progressive challenges and behaviour-based security algorithms, made that much more effective by the predictable behaviour of the DDoS tool. "By intercepting the malicious requests, we were also able to trace back the attack’s source. We did this by replacing the content of the target URL with a snippet of our own JavaScript, which reported the original referral source – leading us to the abused video website. " they said,

Researchers also mentioned that attackers behind recent DDoS attack have upgraded their DDoS tool to a much more robust version. "This leads us to believe that what we saw yesterday was a sort of POC test run. " Incapsula quickly reached out to the vulnerable video website support team to patch the flaw.

source