Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Large-scale DDoS Attack Abuses HTML’s Hyperlink Audit Ping Facility

A new type of DDoS attack that abuses the HTML5 Ping-based hyperlink auditing feature has been detected following a major attack emanating from primarily Chinese-speaking mobile users of the QQBrowser.

A new type of DDoS attack that abuses the HTML5 Ping-based hyperlink auditing feature has been detected following a major attack emanating from primarily Chinese-speaking mobile users of the QQBrowser.

Imperva researchers Vitaly Simonovich and Dima Bekerman monitored an attack that peaked at a massive 7,500 requests per second, and delivered more than 70 million requests over a four-hour period from around 4,000 user IPs. To put this in perspective, a similar mobile Android-based DDoS attack in 2016 achieved a peak of just 400 requests per second from 27,000 unique IPs.

The new approach uses the HTML5 ping attribute. This is used legitimately to track clicks on website links — albeit with some reservations from privacy activists who view it as a form of user tracking. ‘Ping=’ is included in normal online hyperlink code. When the link is clicked, the invisible ‘ping=’ url is sent a content variable that is also unseen by the user. Website admins can then monitor, or audit, how many visitors are sent from a particular link on a particular website.

Although the new attack primarily emanated from QQBrowser users, the technique could involve almost any browser. At this time, Firefox is one of the few browsers that have the ping attribute disabled by default. The Chrome 74 Beta build is removing the ability to disable hyperlink auditing, which means that after it is released (probably in May 2019), browsers using Chromium — such as Edge, Chrome, Opera, and Safari — will have hyperlink auditing permanently enabled.

The attack involved users innocently visiting a crafted web page with two external JavaScript files. One of these included an array containing URLs — the targets of the DDoS attack. In this instance, they seem to be primarily gaming websites. The second JS file had a function that randomly selected an URL from the array, created the <a> tag with a ‘ping’ attribute, and programmatically clicked the link every second.

The result was that for as long as the crafted website was open in the visitor’s browser, a hyperlink auditing ping was sent to the target. With 4,000 users involved, that would be a potential maximum of more than 14 million requests per hour.

Such an attack requires getting users to visit the crafted web page, and to leave it open in the browser for as long as possible. The researchers suggest one possible scenario — that could quite possibly have been used in this attack — would be to combine social engineering and malvertising. The attacker would inject a malicious advert into a legitimate website. The more popular the website, the greater the potential for a heavy DDoS. A link to the website with the malicious addvertisement would then also be posted to a large WeChat group chat.

Drive-by visitors and those sent from the WeChat chat group would then automatically and unknowingly start pinging the target URL — and would continue to do so at the rate of one every second that the poisoned tab is open in the browser. 

Although this attack methodology has the potential to be used anywhere in the world against any target or targets in the world, there is a simple defense. “If you are not expecting or do not need to receive ping requests to your Web server,” suggest the researchers, “block any Web requests that contain ‘Ping-To’ and/or ‘Ping-From’ HTTP headers on the edge devices (Firewall, WAF, etc.). This will stop the ping requests from ever hitting your server.”

Related: Variant of Android WireX Bot Delivers Powerful UDP Flood Attacks 

Related: Authorities Track Down Users of DDoS Services 

Related: DDoS-for-Hire Service Admin Pleads Guilty 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...