Ad Networks Possibly used to launch massive DDoS Attacks

by Ali Raza, October 1, 2015

CloudFlare recently revealed that they were hit with a massive DDoS attack. A large number of HTTP requests originated from one of their customers. The extent of requests received indicates the possibility of Mobile Ad Networks being used for this nefarious purpose, CloudFlare reports.

In a case study that originated from an attack they faced, CloudFlare reveals that a new trend in the field of DDoS could be afoot. CloudFlare postulates that mobile ad networks are being used to cause massive DDoS attacks.

On analysing the requests and the attack package, they could conclude that the requests contained legitimate headers and were made by a real browser. The Origin header showed that each request was issued by an Ajax (XHR) cross-origin call, and the Referer URL was correct.

Creating malicious JavaScript is not as difficult as distributing it. Yet the flood of requests in this attack was considerably larger than ever seen before, peaking at more than 275,000 HTTP requests per second.

On analysing the attack code further, it was determined that the user was directed to an attack page using a series of URLs. The JavaScript code was not as sophisticated as they had believed it to be, but it proved to be quite effective.

It was found that around 80% of the requests originated from mobile devices, with almost all of the requests originating from China. The widespread use of mobile phones in this attack led to the conclusion that mobile ad networks had perhaps been used as the distribution vector for this DDoS.

[Image: CloudFlare ad network DDoS stats]

The case study by CloudFlare jots down a possible sequence of how the attack was carried out:

  • A casual mobile user was using an app or browsing the internet.
  • An advertisement iframe was served to the user.
  • The content of the advertisement was requested from an ad network.
  • The request was forwarded by the ad network to the third party that won the ad auction.
  • The third party was either the attack page itself or was used to direct the user to the attack page.
  • An attack page containing malicious JavaScript was served to the user. This JavaScript was used to launch the flood of XHR requests against the servers of CloudFlare.

Since ad networks piping adverts to people run live auctions, it is quite possible that cyber criminals enter such auctions, bid the highest, and then distribute their malicious code to a huge number of users. This shows a new trend that could be emerging in the field of DDoS.

The attack, as witnessed by CloudFlare, can be quite massive, and could be disastrous for a relatively small website that does not have the resources to counter it.
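
As an added example (not taken from CloudFlare's case study or from this article), the Python sketch below shows how a defender could look for the traffic pattern described above in access logs: cross-origin XHR requests grouped by Origin host, their peak per-second rate, and the share sent by mobile browsers. The log fields, host names, threshold and sample records are all constructed assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

SITE_HOST = "victim.example"              # assumed protected site (placeholder)
MOBILE_HINTS = ("Mobile", "Android", "iPhone")
MOBILE_UA = "Mozilla/5.0 (Linux; Android 5.0) Mobile"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1)"

def sample_log():
    """Constructed records: (epoch second, Origin, Referer, User-Agent)."""
    rows = []
    for i in range(40):                   # burst driven by one foreign page
        ua = MOBILE_UA if i % 5 else DESKTOP_UA
        rows.append((1000 + i // 20, "http://adpage.example",
                     "http://adpage.example/landing.html", ua))
    # ordinary same-site traffic (no Origin header) and one benign embed
    rows += [(1000 + i, "", "http://victim.example/", DESKTOP_UA)
             for i in range(5)]
    rows.append((1001, "http://partner.example",
                 "http://partner.example/widget", MOBILE_UA))
    return rows

def find_xhr_floods(rows, per_second_threshold=10):
    """Flag foreign Origin hosts whose peak request rate meets the threshold."""
    per_sec = defaultdict(Counter)        # origin host -> {second: count}
    referers = defaultdict(Counter)       # origin host -> {referer: count}
    mobile, total = Counter(), Counter()
    for ts, origin, referer, ua in rows:
        host = urlsplit(origin).hostname
        if not host or host == SITE_HOST:
            continue                      # not a cross-origin browser request
        per_sec[host][ts] += 1
        referers[host][referer] += 1
        total[host] += 1
        mobile[host] += any(hint in ua for hint in MOBILE_HINTS)
    findings = {}
    for host, seconds in per_sec.items():
        peak = max(seconds.values())
        if peak >= per_second_threshold:
            findings[host] = {
                "peak_rps": peak,
                "requests": total[host],
                "mobile_share": mobile[host] / total[host],
                "top_referer": referers[host].most_common(1)[0][0],
            }
    return findings

if __name__ == "__main__":
    for host, info in find_xhr_floods(sample_log()).items():
        print(host, info)
```

Because every request comes from a real browser with valid headers, the useful signal is the aggregate: one foreign origin and referer accounting for a sudden, sustained request rate, which can then be rate limited or blocked at the edge.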

Images from Flickr and CloudFlare.

  • MHOrtiz

    Find and Replace: “CloudFare” Replace With: “CloudFlare”

    • Alfred

      I think the substance of this article was more important than a spelling mistake in this instance (and trust me… I am a grammar nazi!).

      • MHOrtiz

        I didn’t say anything about the substance of the article. However, it is very unprofessional to repeatedly misspell (in every single instance) the name of the company that is the main subject. I was commenting for their own good so they would no longer look bad, but it doesn’t look like it worked…

        • CryptoCoinsNews

          Thanks for the notice, changed now.