Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Facebook Flaw Enabled Users to Launch Powerful DDoS Attacks

Facebook Patched Flaw That Could Be Exploited for DDoS Attacks

Facebook has fixed a vulnerability that could have been leveraged to amplify distributed denial-of-service (DDoS) attacks by using the company’s own datacenters.

Facebook Patched Flaw That Could Be Exploited for DDoS Attacks

Facebook has fixed a vulnerability that could have been leveraged to amplify distributed denial-of-service (DDoS) attacks by using the company’s own datacenters.

The issue was introduced in May when Facebook started allowing administrators to refresh the links that they share on their pages. Teofil Cojocariu, a researcher with the Cyber Security Research Center from Romania (CCSIR), found a way to exploit this feature to launch DDoS attacks that could have a big impact on smaller websites.

First, the attacker finds a large image on the targeted server or website. Then, a link to the said image is published on a Facebook page. The attacker refreshes the attachment by using the “Refresh share attachment” feature and captures the request. Some of the parameters from the request are inserted into a proof-of-concept script developed by the researcher.

Basically, this is an amplification attack in which the script is used to make a large number of small requests to Facebook, which in turn makes larger requests to the targeted website. In a theoretical example described by CCSIR, the attacker can use the script to make 10,000 requests of 1Kb to Facebook. If the image taken from the targeted website is 10Mb in size, the requests made by Facebook to the website generate 10,000 times 10Mb of traffic. At 10,000 such requests per second, the attack size would be roughly 100 Gbps.

In practice, the researcher managed to launch a 1Gbps attack by using this method.

“I have tried few times this script and the maximum bandwidth was 934.06 Mbps, but we should take into consideration that I sent the traffic to one of my server that has 1 Gbps port, so I think there is no limitation on output,” Cojocaru explained.

The issue was reported to Facebook on June 13 and by June 28 the company had made some changes to limit the attacks. CCSIR representatives told SecurityWeek that the initial limitations were high and the feature could still be exploited for smaller attacks. Later, Facebook took steps to ensure that such an attack can’t be larger than 600 Kbps.  

Facebook has rewarded Cojocaru with $500 for his findings.

This isn’t the first time a researcher finds a way to leverage Facebook’s servers for DDoS attacks. In April, researcher Chaman Thapa found a similar way to abuse the social network’s servers for 900Mbps DDoS attacks. However, at the time Facebook said it couldn’t prevent such attacks against small consumer grade websites without significantly degrading overall functionality.

DDoS attacks continue to be problematic. In its trends report for the second quarter of 2014, Verisign revealed that the average peak size of such cyberattacks increased by 216% compared to the previous quarter, with 65% of attacks exceeding 1Gpbs. Furthermore, NTP floods continue to be the primary attack vector for large UDP floods, the company said.

Earlier this month, in a move to bolster the security of its massive global server network, Facebook announced that it was acquiring Palo Alto, California-based cybersecurity startup PrivateCore.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.