Facebook Patched Flaw That Could Be Exploited for DDoS Attacks
Facebook has fixed a vulnerability that could have been leveraged to amplify distributed denial-of-service (DDoS) attacks by using the company’s own datacenters.
The issue was introduced in May when Facebook started allowing administrators to refresh the links that they share on their pages. Teofil Cojocariu, a researcher with the Cyber Security Research Center from Romania (CCSIR), found a way to exploit this feature to launch DDoS attacks that could have a big impact on smaller websites.
First, the attacker finds a large image on the targeted server or website. Then, a link to the said image is published on a Facebook page. The attacker refreshes the attachment by using the “Refresh share attachment” feature and captures the request. Some of the parameters from the request are inserted into a proof-of-concept script developed by the researcher.
Basically, this is an amplification attack in which the script is used to make a large number of small requests to Facebook, which in turn makes larger requests to the targeted website. In a theoretical example described by CCSIR, the attacker can use the script to make 10,000 requests of 1Kb to Facebook. If the image taken from the targeted website is 10Mb in size, the requests made by Facebook to the website generate 10,000 times 10Mb of traffic. At 10,000 such requests per second, the attack size would be roughly 100 Gbps.
In practice, the researcher managed to launch a 1Gbps attack by using this method.
“I have tried few times this script and the maximum bandwidth was 934.06 Mbps, but we should take into consideration that I sent the traffic to one of my server that has 1 Gbps port, so I think there is no limitation on output,” Cojocaru explained.
The issue was reported to Facebook on June 13 and by June 28 the company had made some changes to limit the attacks. CCSIR representatives told SecurityWeek that the initial limitations were high and the feature could still be exploited for smaller attacks. Later, Facebook took steps to ensure that such an attack can’t be larger than 600 Kbps.
Facebook has rewarded Cojocaru with $500 for his findings.
This isn’t the first time a researcher finds a way to leverage Facebook’s servers for DDoS attacks. In April, researcher Chaman Thapa found a similar way to abuse the social network’s servers for 900Mbps DDoS attacks. However, at the time Facebook said it couldn’t prevent such attacks against small consumer grade websites without significantly degrading overall functionality.
DDoS attacks continue to be problematic. In its trends report for the second quarter of 2014, Verisign revealed that the average peak size of such cyberattacks increased by 216% compared to the previous quarter, with 65% of attacks exceeding 1Gpbs. Furthermore, NTP floods continue to be the primary attack vector for large UDP floods, the company said.
Earlier this month, in a move to bolster the security of its massive global server network, Facebook announced that it was acquiring Palo Alto, California-based cybersecurity startup PrivateCore.
