Researchers have uncovered a recent denial-of-service attack that employed an unusual, if not unprecedented, technique to surreptitiously cause thousands of everyday Internet users to bombard the target with a massive amount of junk traffic.
“Obviously one request per second is not a lot,” Incapsula researchers Ronen Atias and Ofer Gayer wrote. “However, when dealing with video content of 10, 20, and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.”
Remember the Samy Worm?
The attack is only the latest to harness the tremendous power of XSS vulnerabilities. The technique came into vogue in 2005 with the advent of the Samy worm. Named after its creator, a hacker named Samy Kamkar, the XSS exploit knocked MySpace out of commission for a day by forcing anyone who viewed his profile to become a MySpace friend. In less than 24 hours, Kamkar, who later served time in jail for the stunt, gained more than one million followers.
Last year, Johansen and other colleagues from Whitehat Security demonstrated a proof-of-concept ad network that created a browser-based botnet using a technique that’s similar to the one Incapsula observed exploiting the XSS weakness.
Incapsula’s discovery comes three months after criminals were observed using another novel technique to drastically amplify the volume of DDoS attacks on online game services and other websites. Rather than directly flooding the targeted services with torrents of data, an attack groupsent much smaller sized data requests to time-synchronization servers running the Network Time Protocol. By manipulating the requests to make them appear as if they originated from one of the gaming sites, the attackers were able to vastly increase the firepower at their disposal. The technique abusing the Network Time Protocol can result in as much as a 58-fold increase or more. Miscreants have long exploited unsecured domain name system servers available online to similarly amplify the amount of junk traffic available in DDoS attacks.
Incapsula’s finding underscores the constantly evolving nature of online attacks. It also demonstrates how a single weakness on one party’s website can have powerful consequences for the Internet at large, even for those who don’t visit or otherwise interact with the buggy application.