Large-scale DDoS Attack Abuses HTML’s Hyperlink Audit Ping Facility

A new type of DDoS attack that abuses the HTML5 Ping-based hyperlink auditing feature has been detected following a major attack emanating from primarily Chinese-speaking mobile users of the QQBrowser.

Imperva researchers Vitaly Simonovich and Dima Bekerman monitored an attack that peaked at a massive 7,500 requests per second, and delivered more than 70 million requests over a four-hour period from around 4,000 user IPs. To put this in perspective, a similar mobile Android-based DDoS attack in 2016 achieved a peak of just 400 requests per second from 27,000 unique IPs.

The new approach uses the HTML5 ping attribute. This is used legitimately to track clicks on website links — albeit with some reservations from privacy activists who view it as a form of user tracking. A ‘ping=’ attribute is included in the HTML of an ordinary hyperlink. When the link is clicked, the browser silently sends a request to the URL named in ‘ping=’; neither the URL nor the request is visible to the user. Website admins can then monitor, or audit, how many visitors are sent from a particular link on a particular website.

Although the new attack primarily emanated from QQBrowser users, the technique could involve almost any browser. At this time, Firefox is one of the few browsers that have the ping attribute disabled by default. The Chrome 74 Beta build is removing the ability to disable hyperlink auditing, which means that after it is released (probably in May 2019), browsers using Chromium — such as Edge, Chrome, Opera, and Safari — will have hyperlink auditing permanently enabled.

The attack involved users innocently visiting a crafted web page that loaded two external JavaScript files. One of these contained an array of URLs — the targets of the DDoS attack. In this instance, they appear to be primarily gaming websites. The second JS file had a function that randomly selected a URL from the array, created an <a> tag with a ‘ping’ attribute pointing at it, and programmatically clicked the link every second.

The result was that for as long as the crafted website was open in the visitor’s browser, a hyperlink auditing ping was sent to the target. With 4,000 users involved, that would be a potential maximum of more than 14 million requests per hour.

Such an attack requires getting users to visit the crafted web page, and to leave it open in the browser for as long as possible. The researchers suggest one possible scenario — that could quite possibly have been used in this attack — would be to combine social engineering and malvertising. The attacker would inject a malicious advert into a legitimate website. The more popular the website, the greater the potential for a heavy DDoS. A link to the website carrying the malicious advertisement would then also be posted to a large WeChat group chat.

Drive-by visitors and those sent from the WeChat group chat would then automatically and unknowingly start pinging the target URL — and would continue to do so at the rate of one request every second for as long as the poisoned tab is open in the browser.

Although this attack methodology has the potential to be used anywhere in the world against any target or targets in the world, there is a simple defense. “If you are not expecting or do not need to receive ping requests to your Web server,” suggest the researchers, “block any Web requests that contain ‘Ping-To’ and/or ‘Ping-From’ HTTP headers on the edge devices (Firewall, WAF, etc.). This will stop the ping requests from ever hitting your server.”
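A defender-side implementation of that edge rule, as an added example that is not part of the article or of Imperva’s research: it parses raw HTTP requests, drops any that carry the hyperlink-auditing markers, and tallies dropped pings per client IP. The sample requests, client IPs and host names are constructed for the example; the Ping-To/Ping-From headers are the ones the researchers name, and the `text/ping` content type is the one the HTML specification defines for these requests.

```python
"""Edge filter for HTML hyperlink-audit pings (added example, not Imperva's code)."""
from collections import Counter
from typing import Dict, List, Tuple

# Header names are case-insensitive in HTTP, so everything is compared lower-cased.
PING_HEADERS = {"ping-to", "ping-from"}


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into (request line, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]          # headers end at the first blank line
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_hyperlink_audit_ping(headers: Dict[str, str]) -> bool:
    """True when the request carries hyperlink-auditing markers.

    Matches the Ping-To / Ping-From headers the researchers recommend blocking,
    and the text/ping content type the HTML spec assigns to such requests.
    """
    if PING_HEADERS & headers.keys():
        return True
    return headers.get("content-type", "").lower().startswith("text/ping")


def filter_requests(raw_requests: List[str], client_ips: List[str]) -> Tuple[List[str], Counter]:
    """Apply the rule: returns (allowed request lines, blocked pings per client IP)."""
    allowed: List[str] = []
    blocked: Counter = Counter()
    for raw, ip in zip(raw_requests, client_ips):
        req_line, headers = parse_request(raw)
        if is_hyperlink_audit_ping(headers):
            blocked[ip] += 1                    # drop at the edge, never reaches the origin
        else:
            allowed.append(req_line)
    return allowed, blocked


# Constructed sample traffic: two audit pings (one with lower-cased header names)
# from the same client, and one ordinary page request from another.
SAMPLE_REQUESTS = [
    "POST /track HTTP/1.1\r\nHost: victim.example\r\nContent-Type: text/ping\r\n"
    "Ping-To: https://victim.example/\r\nPing-From: https://crafted.example/page\r\n"
    "Content-Length: 4\r\n\r\nPING",
    "GET /index.html HTTP/1.1\r\nHost: victim.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "POST /track HTTP/1.1\r\nHost: victim.example\r\nping-to: https://victim.example/\r\n\r\nPING",
]
SAMPLE_IPS = ["203.0.113.5", "198.51.100.7", "203.0.113.5"]
```

In a real deployment the per-IP counter is what feeds an alert: a single source sending one ping per second for hours, as in the attack described, stands out immediately.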

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
