while (1) …

Slashdot is reporting on a new method to launch DDoS attacks by way of having users visit a website which spams out HTTP requests by javascript. During the Anonymous Operation Payback attacks I saw someone had made a page with a self-refresh that acted as a proxy to perform multiple requests. This new idea is different as it uses JavaScript so it’s not actually a proxy (it executes entirely from the user’s computer). It uses the ‘Worker’ objects of javascript (not sure if this is standard or a mozilla extension) to work on multiple cores too, but I think in reality most people’s upstream bandwidth is going to be the limiting factor.

It’s interesting that we are seeing a gradual move towards javascript in pretty much everything from email clients to image editors, and now, DDoS tools. And it’s also so completely obvious that it’s amazing nobody’s thought of it before.

I can see this being a more effective way for people like Anonymous to enact a DDoS attack than the slightly clumsy way they currently do it. It is interesting to consider how quickly a URL can spread around twitter and facebook, which would be all that’s needed to create a DDoS capable ‘botnet’. It’s also much easier because of this to get people involved who might not really be sure what’s going on. They probably won’t stay on the page for more than 30 seconds but as long as they are coming and going at a constantish rate then they could still be contributing a lot.

Possible mitigation includes using Apache’s rewrite rules to send back a 403 based on referrers, but that could still get overwhelmed. I guess some firewalls can filter by HTTP referrer too.

Hopefully browsers will start to clamp down on JavaScript and monitor it a bit more closely. It’s obviously hard to look at a piece of source code and computationally determine what it does without actually executing it, but it’s certainly possible for a browser to monitor how many http requests a page is making per second and pause them if they look suspicious.

I like blogging

Posted in Uncategorized
One comment on “while (1) …
  1. C says:

    Peaceful end-of-year days and lovely, undisturbing presents.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: