Last week's denial of service attack against the Department of Justice (justice.gov), the FBI (fbi.gov) and other sites didn't just rely on Anonymous's favorite tool, Low Orbit Ion Cannon. Instead, a new method was employed to recruit denial of service clients. The new method uses some pretty simple JavaScript to launch the attack. The followers are usually requested to visit a particular web page. The page includes a simple form to adjust the denial of service attack parameters, but it launches the attack with default parameters as soon as the page is opened in the browser.

IMPORTANT: The script will start running as soon as the user visits the page. You do not have to press the "fire" button.

JavaScript code retrieving the parameters:

    var fireInterval;
    var isFiring = false;
    var currentTime = new Date();
    var lastSuccess = currentTime.getTime();
    // counters and target field read from the form on the attack page
    var requestedCtrNode = document.getElementById("requestedCtr"),
        succeededCtrNode = document.getElementById("succeededCtr"),
        failedCtrNode = document.getElementById("failedCtr"),
        targetURLNode = document.getElementById("targetURL")
    ...

An unused part of the code hints at plans to implement a hash table, likely to exploit the recently discussed hash table denial of service vulnerability:

    var requestsHT = {}; // requests hash table, may come in handy later

Originally, I figured the attack may take advantage of XMLHttpRequest. Instead, the code takes a simpler route. It just changes an image URL to a URL on the attacked page. I suspect that this method is more reliable, as it does not require the client to implement XMLHttpRequest Level 2 or XDomainRequest, but should work with pretty much any client. It will not necessarily retrieve an actual image, but just whatever URL was targeted, followed by an "id" parameter and a "msg" parameter (which is also set by the user). This format should make it pretty easy to filter the attacks at a web application firewall. Even other content sensitive firewalls should be able to deal with this.
Sample weblog:

    GET /?id=1327271393334&msg=No%20A%20la%20CENSURA%20EN%20INTERNET%A1%A1%A1 HTTP/1.1" 200 8395

In order to prevent crashing the browser, the script limits the number of outstanding requests. The script attempts to send 5,000 requests per second. I tested it, directing my requests to a lab web server across a pretty slow VPN connection. It managed to create about 5 requests per second. The Referer header of each request will be the URL of the attack page. The browser's User-Agent header is not altered.

Update: SpiderLabs did a nice analysis of this tool, including other "LOIC" variants, just about a year ago: blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html
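The request signature described above (an "id" that is a JavaScript millisecond timestamp plus a "msg" parameter, with the Referer pointing at the attack page) is easy to pick out of web server logs. The following is an added example, not part of the diary or of the tool itself; it assumes Apache/nginx combined log format, and the sample lines, client addresses and the attack.invalid referer are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [ts] "req" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the request shown in the diary.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2012:21:49:53 +0000] "GET /?id=1327271393334&msg=No%20A%20la%20CENSURA%20EN%20INTERNET%A1%A1%A1 HTTP/1.1" 200 8395 "http://attack.invalid/loic.html" "Mozilla/5.0"
203.0.113.7 - - [22/Jan/2012:21:49:53 +0000] "GET /?id=1327271393401&msg=No%20A%20la%20CENSURA HTTP/1.1" 200 8395 "http://attack.invalid/loic.html" "Mozilla/5.0"
198.51.100.4 - - [22/Jan/2012:21:49:54 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jan/2012:21:49:54 +0000] "GET /?id=42&msg=hello HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

def is_js_loic_request(path: str) -> bool:
    """True when the query string carries the tool's signature: exactly one `id`
    that looks like Date.getTime() output (13 digits) together with a `msg`."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    ids = qs.get("id", [])
    return "msg" in qs and len(ids) == 1 and re.fullmatch(r"1[0-9]{12}", ids[0]) is not None

def find_attack_sources(log_text: str) -> dict:
    """Return {client_ip: {"hits": n, "referers": set()}} for matching requests.
    The referer set identifies the page(s) hosting the attack script."""
    sources = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not is_js_loic_request(m["path"]):
            continue
        entry = sources.setdefault(m["ip"], {"hits": 0, "referers": set()})
        entry["hits"] += 1
        entry["referers"].add(m["referer"])
    return sources

if __name__ == "__main__":
    for ip, info in find_attack_sources(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["referers"]))
```

Requests that match can be dropped or rate-limited at the WAF, and the referer values give you the attack pages worth blocking at the perimeter or reporting.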
Johannes, ISC Handler
Jan 22nd 2012
Nice summary, thanks for the details. In the last paragraph you had mentioned that the script attempts 5000 reqs/s whereas only 5 reqs/s materialized. Did they drop others due to bandwidth or any other issues?
Anonymous
Jan 23rd 2012
This sounds like something I wrote about in 2002: http://hawksoft.com/articles/leech/leech21.shtml
Anonymous
Jan 23rd 2012
So all you need to do now is wrap it up as an ad and get it displayed on some major sites with a large amount of visitors. I presume unless AV can detect the script, the only defence is running NoScript etc. in the browser.
W60
Jan 24th 2012
Yes, the only real defense is to disable JavaScript, but too many sites require it for basic use. I use NoScript in Firefox and only allow sites I trust or MUST use like my banking.
On the issue of detection: Because the JavaScript can be dynamically generated, and the code can be regularly changing, it would be difficult to detect and block it.
W60
Jan 24th 2012