2025-04-07 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article covers "how HTML5 tags are used in DDoS attacks". Many people run into this situation in real-world cases, so let the editor walk you through how to deal with it. I hope you read it carefully and get something out of it!
New DDoS attack technology
In this attack, the request rate peaked at 7500 requests per second, and the attacker used more than 4000 different users to send more than 70 million malicious requests to the target in about 4 hours.
Imperva researchers pointed out in their security analysis report: "We conducted an in-depth analysis of this DDoS attack and found that most of the attack traffic involved in the attack came from Asia. Moreover, attackers mainly use the commonly used HTML5 attribute, that is, the ping attribute in the <a> tag, so as to deceive users into participating in the attacker's DDoS attacks without their knowledge. The entire attack lasted about four hours and successfully sent about 70 million malicious requests to the target."
The researchers also said that the attackers did not exploit any security vulnerability in this attack, but instead turned a legitimate HTML5 feature into an attack tool. It is worth mentioning that almost all the users who "participated" in this attack are QQ Browser users, and almost all of the users of this browser are our own.
After analyzing the logs, the experts found that all malicious requests included the HTTP headers "Ping-From" and "Ping-To". This is the first time that an attacker has been found to use the ping attribute of the <a> tag to carry out a DDoS attack.
Ping attribute
In this attack, the values of "Ping-From" and "Ping-To" both refer to the URL "http://booc[.]gz[.]bcebos[.]com/you[.]html".
Moreover, the User-Agent in the requests is associated with WeChat, a chat app that we use every day.
Experts believe that the attacker used social engineering and malicious advertising to trick WeChat users into opening the default browser. Here is the attack scenario described by the security experts:
1. Attackers build phishing sites and inject malicious advertisements.
2. Inject ads into iframe and associate them with legitimate websites, and then send them to WeChat groups.
3. After a legitimate user visits the site, malicious JavaScript code is executed and a "ping" attribute is created for the link clicked by the user.
4. After creation, an HTTP ping request is generated and sent to the target domain name through the browser of the legitimate user.
Experts also said that, in addition to QQ Browser, many other browsers are affected by this new DDoS attack technique. The good news, though, is that Firefox disables the ping attribute by default.
Simple analysis
When building the malicious website, the attacker uses two external JavaScript files. One contains an array of URLs of the DDoS targets; the other randomly selects a URL from that array, creates an <a> tag with the ping attribute, and then, through code, accesses the target address once a second.
As long as users keep browsing or staying on this page, their devices keep sending ping requests to the target site. The researchers say that if the site has 4000 users, it can generate about 14 million malicious requests per hour.
Response plan
If your Web server does not expect or need to receive ping requests from outside, you can block any Web request containing the "Ping-To" or "Ping-From" HTTP headers on edge devices (firewalls, WAF, etc.) to resist this attack.
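One way to apply the block described above inside the application itself, as an added example that is not from the original article or from Imperva: a Python WSGI middleware that returns 403 to any request carrying the Ping-From or Ping-To header. The text/ping content-type check comes from the HTML specification's definition of ping requests rather than from the article; the site app, the sample requests and the example hosts are constructed.

```python
# Added example (not from the article): refuse hyperlink-auditing requests in-app.
# WSGI exposes the Ping-From / Ping-To request headers under these keys.
PING_HEADERS = ("HTTP_PING_FROM", "HTTP_PING_TO")

def is_ping_request(environ):
    """True for a request carrying either header the article names, or the
    text/ping content type browsers set on <a ping> requests (HTML spec)."""
    if any(h in environ for h in PING_HEADERS):
        return True
    ctype = environ.get("CONTENT_TYPE", "")
    return ctype.split(";", 1)[0].strip().lower() == "text/ping"

class BlockPingMiddleware:
    """Answer ping requests with 403 before the wrapped app does any work."""
    def __init__(self, app):
        self.app = app
        self.blocked = 0  # counter an operator could export as a metric

    def __call__(self, environ, start_response):
        if is_ping_request(environ):
            self.blocked += 1
            start_response("403 Forbidden", [("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)

def site(environ, start_response):
    """Stand-in for the protected application (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]

def status_of(app, environ):
    """Drive a WSGI callable with a constructed environ; return its status line."""
    seen = []
    body = app(environ, lambda status, headers, exc_info=None: seen.append(status))
    b"".join(body)  # consume the response as a server would
    return seen[0]

# Constructed sample requests (the .example hosts are placeholders).
PING = {"REQUEST_METHOD": "POST", "PATH_INFO": "/", "CONTENT_TYPE": "text/ping",
        "HTTP_PING_FROM": "http://page.example/you.html",
        "HTTP_PING_TO": "http://target.example/"}
HEADERLESS_PING = {"REQUEST_METHOD": "POST", "PATH_INFO": "/",
                   "CONTENT_TYPE": "Text/Ping; charset=utf-8"}
NORMAL = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_USER_AGENT": "Mozilla/5.0"}

if __name__ == "__main__":
    guarded = BlockPingMiddleware(site)
    for name, req in (("ping", PING), ("headerless", HEADERLESS_PING), ("normal", NORMAL)):
        print(name, "->", status_of(guarded, req))
    print("blocked:", guarded.blocked)
```

At the request rates the article reports, the same match is better enforced on the edge device so the traffic never reaches the application; the middleware is a fallback for sites without one.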