Massive traffic attack: botnet-powered Layer 7 HTTP flood

News by Adrian Bridgwater

Previously 'only-theoretical' attack made real; impact consumes server resources to make websites implode

Content delivery network company CloudFlare has surfaced what appears to be a very potent Distributed-Denial-of-Service (DDoS) attack. The specific occurrence is said to have involved mobile advertisements capable of generating around 275,000 HTTP requests per second.

The unnamed victim was subjected to what is known as a Layer 7 HTTP flood attack. Security specialist Sucuri explains this as a type of DDoS attack designed to overload specific parts of a site or server.

Possibly bot-boosted

According to Sucuri, “They are complex and they are hard to detect because the requests they send look like legitimate traffic. These requests consume the server's resources and make the site go down. Layer 7 HTTP flood attacks can also be sent by bots, increasing the attack's power.”

CloudFlare itself says that servers are constantly being targeted by DDoS attacks and that it typically sees everything from attempted DNS reflection attacks to L7 HTTP floods involving large botnets as a part of normal business.
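The detection difficulty Sucuri describes is that each request looks legitimate, so the signal lies in aggregate rates rather than in any single request. As an added illustration (not code from the article, CloudFlare or Sucuri), the following sliding-window detector runs over constructed Common Log Format access-log lines and flags two patterns: a single client exceeding a request rate, and a path receiving requests from an unusually large number of distinct clients within a short window, which is what a browser-based botnet flood looks like even when each bot is individually quiet. The thresholds, addresses and timestamps are assumptions chosen for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (documentation address ranges, fabricated timestamps):
# a legitimate client making two requests ten seconds apart, twenty "bot" clients
# that each hit the same path three times within one second, and one noisy client
# that sends twelve requests in one second.
def _line(ip, sec, path):
    return f'{ip} - - [25/Sep/2015:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'

SAMPLE_LOG = [_line("203.0.113.10", 0, "/index.html")]
SAMPLE_LOG += [_line(f"198.51.100.{i}", 5, "/search?q=x") for i in range(1, 21) for _ in range(3)]
SAMPLE_LOG += [_line("192.0.2.7", 7, "/api") for _ in range(12)]
SAMPLE_LOG += [_line("203.0.113.10", 10, "/about")]

def detect_flood(lines, window=5, max_per_client=10, max_clients_per_path=15):
    """Return (flagged_clients, flagged_paths) from time-ordered access-log lines.

    Thresholds are assumed values: tune them to the site's normal traffic profile.
    """
    per_client = defaultdict(deque)   # ip -> timestamps of its recent requests
    per_path = defaultdict(deque)     # path -> (timestamp, ip) of recent requests
    flagged_clients, flagged_paths = set(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # skip lines that do not parse
        ip, ts, _method, path, _status = m.groups()
        t = datetime.strptime(ts, TIME_FMT).timestamp()
        path = path.split("?", 1)[0]  # group by path, ignore the query string
        q = per_client[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()               # drop requests outside the window
        if len(q) > max_per_client:
            flagged_clients.add(ip)
        p = per_path[path]
        p.append((t, ip))
        while p and t - p[0][0] > window:
            p.popleft()
        if len({src for _, src in p}) > max_clients_per_path:
            flagged_paths.add(path)   # many distinct clients converging on one path
    return flagged_clients, flagged_paths
```

On the constructed sample the per-client rule catches only the noisy client, while the per-path fan-in rule catches the low-rate botnet hitting /search.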

Manhandling malicious JavaScript

Initial reports covering this story described it as a “once-theoretical attack” now turning up in the real world. CloudFlare employees have explained that malicious JavaScript embedded inside advertisements was used as the facilitating factor to help distribute the attack.

“In recent years, DDoS techniques have become more diversified: attackers are tricking unsuspecting computers into participating in attacks in new and interesting ways. This year, we're seeing a disturbing new trend: attackers are using malicious JavaScript to trick unsuspecting web users into participating in DDoS attacks,” blogs CloudFlare's Nick Sullivan.

CloudFlare employee Marek Majkowski explained that the biggest difficulty involved with creating this kind of attack is not in creating the JavaScript – it is in effectively distributing it.

“Since an efficient distribution vector is crucial in issuing large floods, up until now I haven't seen many sizable browser-based floods,” said Majkowski.

Plausible distribution vector

CloudFlare's conclusion is that there is no way to know for sure why so many mobile devices visited the attack page in question. Given that, the most plausible distribution vector is an ad network: users were probably served advertisements containing the malicious JavaScript, which they subsequently clicked on.

Commenting on this story today was Dave Larson, CTO at Corero Network Security. “What we are seeing here is the next evolution in DDoS attack techniques – taking advantage of a new vector to target and impact victims,” he said.

Larson continued, “DDoS attacks and the means of executing them are constantly evolving and the use of malicious JavaScript as a facilitating factor can be considered an emerging type of layer 7 attack. Similarly to the Imgur victim of social engineering parasitic DDoS vector making waves last week, this DDoS tool could be aimed at any victim on the Internet, at any time.”

“With significant DDoS threats emerging that leverage mobile devices it is incumbent on mobile operators to begin to deploy protection to address the problem within their networks,” he added.

This attack is an example of how automation is changing the face of cyber-attacks, says Adrian Crawley, Radware's regional director for Northern Europe. “Anyone doubting this reality should consider that we've seen a more than 300 percent increase in organisations under constant cyber-attack, a sure indication that attacks now come from tireless machines,” he said.

“For those wondering how the security community should respond, the answer may well be an ‘if you can't beat them, join them’ approach where the same degree of automation is implemented into security management,” he added.

“We've reached a ‘my good bot against your bad bot’ state in security.”

Transactional tremors

News of this DDoS attack comes on the back of a new cyber security survey which suggests that an overwhelming majority of cyber-security experts (87 percent) believe that mobile payment-related data breaches will increase over the next 12 months. The 2015 Mobile Payment Security Study was conducted by ISACA and summary findings are available at this link
