Javascript DDoS Tool Analysis - SANS Internet Storm Center

Javascript DDoS Tool Analysis
Last week's denial of service attack agains the Department of Justice (justice.gov), the FBI (fbi.gov) and other sites didn't just rely on Anonymous's favorite tool Low Orbit Ion Canon. Instead, a new method was employed to recruit denial of service clients. The new method uses some pretty simple javascript to launch the attack. The folowers are usually requested to visit a particular web page. The page includes a simple form to adjust the denial of service attack parameters but just launches the attack with default parameters as the page is opened in the browser. IMPORTANT: The script will start running as soon as the user vists the page. You do not have to press the "fire" button. Javascript code retrieving the parameters: var fireInterval; var isFiring = false; var currentTime = new Date() var lastSuccess = currentTime.getTime(); var requestedCtrNode = document.getElementById("requestedCtr"), succeededCtrNode = document.getElementById("succeededCtr"), failedCtrNode = document.getElementById("failedCtr"), targetURLNode = document.getElementById("targetURL") ... an unused part of the code hints at plans to implement a hash table, likely to exploit the recently discussed hashtable denial of service vulnerability var requestsHT = {}; // requests hash table, may come in handy later Originally, I figured the attack may take advantage of XMLHTTPRequest. Instead, the code takes a simpler route. It just changes an image URL to a URL on the attacked page. I suspect that this method is more reliable as it does not require the client to implement XMLHTTPrequest Level 2 or XDomainrequest but should work with pretty much any client. It will not necessarily retrieve an actual image, but just whatever URL was targeted, followed by an "id" parameter and a "msg" (which is also set by the user). This format should make it pretty easy to filter the attacks at a web application firewall. Even other content sensitive firewalls should be able to deal with this. Sample weblog: GET /?id=1327271393334&msg=No%20A%20la%20CENSURA%20EN%20INTERNET%A1%A1%A1 HTTP/1.1" 200 8395 In order to prevent crashing the browser, the script will limit the number of outstanding requests. The script attempts to send 5,000 requests per second. I tested it directing my requests to a lab web server across a pretty slow VPN connection. It managed to create about 5 requests per second. The referer for the request will be the URL of the attack page. The user's user agent is not altered. Update: Spiderlabs did a nice analysis of this tool, including other "LOIC" variants just about a year ago: blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Intrusion Detection In-Depth - SIEM Summit & Training 2019	Johannes 3631 Posts ISC Handler
Subscribe	Jan 22nd 2012 7 years ago
Nice summary, thanks for the details. In the last paragraph you had mentioned that the script attempts 5000 reqs/s whereas only 5 reqs/s only materialized. Did they drop others due to bandwidth or any other issues?	Anonymous
Quote	Jan 23rd 2012 7 years ago
This sounds like something I wrote about in 2002: http://hawksoft.com/articles/leech/leech21.shtml	Anonymous
Quote	Jan 23rd 2012 7 years ago
So all you need to do now is wrap it up as ad and get it displayed on some major sites with a large amount of visitors. I presume unless AV can detect the script the only defence is running noscript etc in the browser.	W60 14 Posts
Quote	Jan 24th 2012 7 years ago
Yes, the only real defense is to disable JavaScript, but too many sites require it for basic use. I use NoScript in Firefox and only allow sites I trust or MUST use like my banking. On the issue of detection: Because the JavaScript can be dynamically generated, and the code can be regularly changing, it would be difficult to detect and block it.	W60 4 Posts
Quote	Jan 24th 2012 7 years ago

Last week's denial of service attack agains the Department of Justice (justice.gov), the FBI (fbi.gov) and other sites didn't just rely on Anonymous's favorite tool Low Orbit Ion Canon. Instead, a new method was employed to recruit denial of service clients.

The new method uses some pretty simple javascript to launch the attack. The folowers are usually requested to visit a particular web page. The page includes a simple form to adjust the denial of service attack parameters but just launches the attack with default parameters as the page is opened in the browser.

IMPORTANT: The script will start running as soon as the user vists the page. You do not have to press the "fire" button.

Javascript code retrieving the parameters:

var fireInterval;
var isFiring = false;
var currentTime = new Date()
var lastSuccess = currentTime.getTime();
var requestedCtrNode = document.getElementById("requestedCtr"),
succeededCtrNode = document.getElementById("succeededCtr"),
failedCtrNode = document.getElementById("failedCtr"),
targetURLNode = document.getElementById("targetURL")
...

an unused part of the code hints at plans to implement a hash table, likely to exploit the recently discussed hashtable denial of service vulnerability

var requestsHT = {}; // requests hash table, may come in handy later

Originally, I figured the attack may take advantage of XMLHTTPRequest. Instead, the code takes a simpler route. It just changes an image URL to a URL on the attacked page. I suspect that this method is more reliable as it does not require the client to implement XMLHTTPrequest Level 2 or XDomainrequest but should work with pretty much any client.

It will not necessarily retrieve an actual image, but just whatever URL was targeted, followed by an "id" parameter and a "msg" (which is also set by the user). This format should make it pretty easy to filter the attacks at a web application firewall. Even other content sensitive firewalls should be able to deal with this.

Sample weblog:

GET /?id=1327271393334&msg=No%20A%20la%20CENSURA%20EN%20INTERNET%A1%A1%A1 
 HTTP/1.1" 200 8395

In order to prevent crashing the browser, the script will limit the number of outstanding requests. The script attempts to send 5,000 requests per second. I tested it directing my requests to a lab web server across a pretty slow VPN connection. It managed to create about 5 requests per second. The referer for the request will be the URL of the attack page. The user's user agent is not altered.

Update: Spiderlabs did a nice analysis of this tool, including other "LOIC" variants just about a year ago: blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SIEM Summit & Training 2019

Johannes

3631 Posts
ISC Handler

Nice summary, thanks for the details. In the last paragraph you had mentioned that the script attempts 5000 reqs/s whereas only 5 reqs/s only materialized. Did they drop others due to bandwidth or any other issues?

Anonymous

This sounds like something I wrote about in 2002: http://hawksoft.com/articles/leech/leech21.shtml

Anonymous

So all you need to do now is wrap it up as ad and get it displayed on some major sites with a large amount of visitors. I presume unless AV can detect the script the only defence is running noscript etc in the browser.

W60

14 Posts

Yes, the only real defense is to disable JavaScript, but too many sites require it for basic use. I use NoScript in Firefox and only allow sites I trust or MUST use like my banking.

On the issue of detection: Because the JavaScript can be dynamically generated, and the code can be regularly changing, it would be difficult to detect and block it.

W60
4 Posts