Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Facebook Flaw Enabled Users to Launch Powerful DDoS Attacks

Facebook Patched Flaw That Could Be Exploited for DDoS Attacks

Facebook has fixed a vulnerability that could have been leveraged to amplify distributed denial-of-service (DDoS) attacks by using the company’s own datacenters.

Facebook Patched Flaw That Could Be Exploited for DDoS Attacks

Facebook has fixed a vulnerability that could have been leveraged to amplify distributed denial-of-service (DDoS) attacks by using the company’s own datacenters.

The issue was introduced in May when Facebook started allowing administrators to refresh the links that they share on their pages. Teofil Cojocariu, a researcher with the Cyber Security Research Center from Romania (CCSIR), found a way to exploit this feature to launch DDoS attacks that could have a big impact on smaller websites.

First, the attacker finds a large image on the targeted server or website. Then, a link to the said image is published on a Facebook page. The attacker refreshes the attachment by using the “Refresh share attachment” feature and captures the request. Some of the parameters from the request are inserted into a proof-of-concept script developed by the researcher.

Basically, this is an amplification attack in which the script is used to make a large number of small requests to Facebook, which in turn makes larger requests to the targeted website. In a theoretical example described by CCSIR, the attacker can use the script to make 10,000 requests of 1Kb to Facebook. If the image taken from the targeted website is 10Mb in size, the requests made by Facebook to the website generate 10,000 times 10Mb of traffic. At 10,000 such requests per second, the attack size would be roughly 100 Gbps.

In practice, the researcher managed to launch a 1Gbps attack by using this method.

“I have tried few times this script and the maximum bandwidth was 934.06 Mbps, but we should take into consideration that I sent the traffic to one of my server that has 1 Gbps port, so I think there is no limitation on output,” Cojocaru explained.

The issue was reported to Facebook on June 13 and by June 28 the company had made some changes to limit the attacks. CCSIR representatives told SecurityWeek that the initial limitations were high and the feature could still be exploited for smaller attacks. Later, Facebook took steps to ensure that such an attack can’t be larger than 600 Kbps.  

Advertisement. Scroll to continue reading.

Facebook has rewarded Cojocaru with $500 for his findings.

This isn’t the first time a researcher finds a way to leverage Facebook’s servers for DDoS attacks. In April, researcher Chaman Thapa found a similar way to abuse the social network’s servers for 900Mbps DDoS attacks. However, at the time Facebook said it couldn’t prevent such attacks against small consumer grade websites without significantly degrading overall functionality.

DDoS attacks continue to be problematic. In its trends report for the second quarter of 2014, Verisign revealed that the average peak size of such cyberattacks increased by 216% compared to the previous quarter, with 65% of attacks exceeding 1Gpbs. Furthermore, NTP floods continue to be the primary attack vector for large UDP floods, the company said.

Earlier this month, in a move to bolster the security of its massive global server network, Facebook announced that it was acquiring Palo Alto, California-based cybersecurity startup PrivateCore.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.