The security firm Incapsula discovered the exploitation of a persistent (stored) XSS vulnerability in one of the world's most popular websites to run a large-scale DDoS attack.
Recently the cloud-based security service provider Incapsula detected an application-layer DDoS attack conducted by hijacking a huge volume of traffic and redirecting it to the victim's website. The website of an Incapsula customer was flooded by over 20 million GET requests coming from the browsers of over 22,000 machines. The attack was characterized by the exploitation of a persistent XSS vulnerability in one of the world's largest and most popular high-profile video content providers. According to Incapsula, the attackers used an Ajax-script-based DDoS tool that exploits the victim's browser to issue DDoS requests at the rate of one request per second.
“Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively creating a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.” the researchers explained.
At the time of writing, Incapsula has not revealed the name of the vulnerable website; it is only known that it allows its users to sign up and sign in with their own profiles.
In summary, to launch a large-scale DDoS attack the attackers strategically posted comments containing the malicious script on popular video pages, effectively creating a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch their favorite videos. Detection of the attack was possible thanks to behaviour-based security algorithms.
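The behaviour that makes this kind of hijacked-browser flood detectable is visible in the target's own access logs: many distinct client IPs, each issuing GET requests at a steady one-per-second cadence, all carrying a Referer from the same third-party origin (the page hosting the injected comment). The following detector is an added example, not Incapsula's code or the script used in the attack; the log lines, IP addresses and host names in it are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Combined log format: ip ident user [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse_line(line):
    """Return (ip, timestamp, referer_host) for a GET line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, urlparse(m["referer"]).hostname or ""

def is_metronomic(timestamps, period=1.0, tolerance=0.2, min_hits=5):
    """True if a client fires requests at a steady ~period-second cadence (timer-driven Ajax)."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance

def find_hijacked_browsers(lines, min_clients=3):
    """Map referer host -> sorted client IPs behaving like the Ajax DDoS tool.
    Only hosts that drive at least min_clients such clients are reported."""
    hits = defaultdict(list)       # ip -> request timestamps
    referers = defaultdict(set)    # ip -> referer hosts seen
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, host = parsed
            hits[ip].append(ts)
            referers[ip].add(host)
    by_source = defaultdict(list)
    for ip, stamps in hits.items():
        if is_metronomic(stamps):
            for host in referers[ip]:
                if host:
                    by_source[host].append(ip)
    return {h: sorted(ips) for h, ips in by_source.items() if len(ips) >= min_clients}

def make_lines():
    """Constructed sample log: three hijacked browsers plus one ordinary visitor."""
    fmt = '{ip} - - [10/Apr/2014:12:00:{s:02d} +0000] "GET /index.html HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"'
    lines = []
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        lines += [fmt.format(ip=ip, s=s, ref="http://videosite.example/watch?v=abc") for s in range(6)]
    lines += [fmt.format(ip="10.0.0.9", s=s, ref="http://search.example/") for s in (0, 7, 9, 21, 40, 41)]
    return lines
```

Running `find_hijacked_browsers(make_lines())` attributes the three metronomic clients to `videosite.example`, which is the origin a defender would then report to the hosting site so the injected comment can be removed.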
A final consideration on the attack: experts believe the attackers are renting out their DDoS capability as a service, based on the following observations:
- the initial code targeted several unrelated sites;
- within a span of 24 hours the targets were changed, some more than once;
- the updated command-and-control (C&C) code collected statistical data that looked like it was meant to be used for billing (attack duration, number of participants).