So to make it a large-scale DDoS attack, the attacker strategically posted comments on popular video pages, effectively creating a self-sustaining botnet of tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.
An application layer, or ‘layer 7’, distributed denial of service (DDoS) attack is one of the most sophisticated web attacks: it is disguised to look like legitimate traffic but targets specific areas of a website, making it even more difficult to detect and mitigate.
Just yesterday, cloud-based security service provider ‘Incapsula’ detected a unique application layer DDoS attack carried out using traffic-hijacking techniques. The attack flooded one of their clients with over 20 million GET requests, originating from the browsers of over 22,000 Internet users.
What makes this case especially interesting is that the attack was enabled by a persistent XSS vulnerability in one of the world’s largest and most popular sites – one of the domains on Alexa’s “Top 50” list.
XSS vulnerability to Large-Scale DDoS Attack
According to Incapsula, the attackers used an Ajax-script-based DDoS tool that forces the browser to issue a DDoS request at a rate of one request per second.
“Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length and with thousands of views every minute, the attack can quickly become very large and extremely dangerous,” the researchers explained.
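From the targeted site’s side, this traffic has a recognisable shape: thousands of distinct client addresses, each requesting at a steady once-per-second cadence, and all of them arriving from the same third-party page. The script below (an added example, not Incapsula’s tooling) scans web server access logs for exactly that pattern; it assumes the server logs the Referer header in combined log format, and the log lines it runs on are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Combined log format with Referer and User-Agent fields (assumption: the
# victim's server records the Referer header that browsers normally send).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (client_ip, timestamp, referer) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["ref"]

def find_hijacked_browser_campaigns(lines, min_clients=3, max_interval=2.0):
    """Group requests by Referer and flag any referer shared by many distinct
    clients whose requests arrive at a steady, roughly once-per-second cadence."""
    by_ref = defaultdict(lambda: defaultdict(list))  # referer -> ip -> [timestamps]
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] not in ("", "-"):
            ip, ts, ref = parsed
            by_ref[ref][ip].append(ts)
    flagged = {}
    for ref, clients in by_ref.items():
        intervals = []
        for stamps in clients.values():
            stamps.sort()
            intervals += [(b - a).total_seconds()
                          for a, b in zip(stamps, stamps[1:])]
        if len(clients) >= min_clients and intervals \
                and median(intervals) <= max_interval:
            flagged[ref] = {"clients": len(clients),
                            "requests": sum(len(s) for s in clients.values()),
                            "median_interval_s": median(intervals)}
    return flagged

# Constructed sample (not real traffic): three visitors referred from one video
# page, each hitting the site once per second, plus one ordinary visitor.
def _line(ip, sec, ref):
    return (f'{ip} - - [27/Mar/2014:10:00:{sec:02d} +0000] "GET /?nc={sec} HTTP/1.1" '
            f'200 512 "{ref}" "Mozilla/5.0"')

VIDEO_PAGE = "http://video.example/watch?v=cats"
SAMPLE_LOG = [_line(f"10.0.0.{i}", s, VIDEO_PAGE) for i in (1, 2, 3) for s in range(5)]
SAMPLE_LOG.append(_line("10.0.1.9", 7, "http://search.example/"))

if __name__ == "__main__":
    print(find_hijacked_browser_campaigns(SAMPLE_LOG))
```

Referer is only one signal: browsers may omit it under a referrer policy, so in production this check would sit beside per-client rate limiting and behavioural challenges rather than replace them.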
Intercepting the Attack
Researchers also noted that the attackers behind the recent DDoS attack have since upgraded their DDoS tool to a much more robust version. “This leads us to believe that what we saw yesterday was a sort of POC test run.” Incapsula quickly reached out to the vulnerable video website’s support team to patch the flaw.