DDoS Attacks using Ad networks
Image Credits: Cloudflare.com

Unlike PCs and large networks, mobile phones generally lack adequate security. This can let malware compromise mobile devices easily, which makes them a major source of targeted DDoS attacks against sensitive resources. Earlier last year, a report from the firm Prolexic suggested that they may also be taking part in massive denial-of-service (DoS) attacks against enterprise networks.

Yes, Now It Happens In Reality!

Recently, researchers at CloudFlare spotted a distributed denial-of-service (DDoS) attack that used mobile browsers to cripple sites with 4.5 billion requests. According to CloudFlare, the attack was recorded in late August and targeted one of their customers based in China. The browser-based Layer 7 flood peaked at 275,000 HTTP requests per second and was issued by 650,000 unique IPs.

Popular Browsers Leveraged

Almost all of the traffic originated in China, and 80 percent came from mobile devices. Mobile versions of Xiaomi's MIUI browser, Safari, Chrome, and Tencent's QQBrowser were used in the attack.

"Strings like 'iThunder' might indicate the request came from a mobile app. Others like 'MetaSr', 'F1Browser', 'QQBrowser', '2345Explorer', and 'UCBrowser' point towards browsers or browser apps popular in China," reads the blog.

Ad Network Serving Malicious JavaScript Is the Distribution Vector

According to the researchers, the attack was carried out through an ad network, which acted as the distribution vector for the JavaScript. The malicious ads were likely shown in iframes in mobile apps or mobile browsers to unsuspecting victims who were browsing the internet. However, TCP injection was not used.

Attack Methodology

According to CloudFlare, the attack involved the following steps:
  • A user was casually browsing the internet or opened an app on a smartphone.
  • The user was served an iframe with an advertisement.
  • The advertisement content was requested from an ad network.
  • The ad network forwarded the request to the third party that won the ad auction.
  • Either the third-party website was the "attack page", or it forwarded the user to an "attack page".
  • The user was served an attack page containing malicious JavaScript, which launched a flood of XHR requests against CloudFlare servers.

Attacks like this form a new trend. They present a great danger on the internet, because defending against this type of flood is not easy for small website operators. CloudFlare expressed confidence that it can handle such attacks easily without affecting its customers.
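
For a site operator triaging a flood like the one described above, the following is an added example (not code from CloudFlare or from the original post) that summarises an access log by the same measures the report uses: peak requests per second, unique IPs, share of mobile user agents, and the User-Agent strings quoted earlier. It assumes the combined log format and a rough mobile heuristic; the sample lines, addresses and referer are constructed.

```python
import re
from collections import Counter

# User-Agent substrings quoted in the article above.
UA_MARKERS = ["iThunder", "MetaSr", "F1Browser", "QQBrowser", "2345Explorer", "UCBrowser"]
# Assumption: these tokens are a rough heuristic for "mobile" user agents.
MOBILE_HINTS = ("Mobile", "Android", "iPhone", "iPad")

# Combined log format: ip - - [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def summarize(lines):
    """Return flood-triage metrics for an iterable of access-log lines."""
    per_second, ips, markers, referers = Counter(), set(), Counter(), Counter()
    total = mobile = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing mid-incident
        total += 1
        per_second[m["ts"]] += 1  # log timestamps have one-second resolution
        ips.add(m["ip"])
        referers[m["ref"]] += 1  # a shared referer can point at the page issuing the XHRs
        mobile += any(h in m["ua"] for h in MOBILE_HINTS)
        markers.update(k for k in UA_MARKERS if k in m["ua"])
    return {
        "requests": total,
        "peak_rps": max(per_second.values(), default=0),
        "unique_ips": len(ips),
        "mobile_share": mobile / total if total else 0.0,
        "ua_markers": dict(markers),
        "top_referer": referers.most_common(1)[0] if referers else None,
    }

# Constructed sample lines (documentation IP ranges, made-up referer and date).
SAMPLE = [
    '203.0.113.10 - - [01/Jan/2000:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://ad-frame.example/" "Mozilla/5.0 (Linux; Android 4.4) Mobile Safari/537.36 QQBrowser/5.0"',
    '203.0.113.11 - - [01/Jan/2000:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://ad-frame.example/" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0) Mobile/12A365 Safari/600.1"',
    '203.0.113.10 - - [01/Jan/2000:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://ad-frame.example/" "Mozilla/5.0 (Linux; Android 4.4) Mobile UCBrowser/10.0"',
    '198.51.100.7 - - [01/Jan/2000:10:00:02 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/44.0"',
    'garbage line',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high peak rate spread over many IPs with one dominant referer and a mostly mobile user-agent mix matches the pattern in the report; none of these measures is conclusive on its own.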

Source: https://blog.cloudflare.com/mobile-ad-networks-as-ddos-vectors/