- Oct 23, 2012
The attack originated from China and used Chinese mobile users
CloudFlare's administrators are reporting on a DDoS attack detected against their infrastructure that involved an advertising network and unsuspecting users visiting random websites where malicious ads were being shown.
The attack lasted only a few hours but reached a peak volume of 275,000 HTTP requests per second. The company also reports that it mitigated the attack without any downtime for the target.
CloudFlare speculates that this was a new type of DDoS, one that uses ad networks and unsuspecting users as the traffic source.
The attack funneled real traffic from real persons
The company's researchers suspect that random users browsing the Web from desktop or mobile browsers were served an iframe that contained an ad.
The iframe requested the ad's content from the advertising network, which in turn requested it from the servers of whoever had won that particular ad placement bid.
Unknown to both the user and the ad network, the winner of the bid (the attacker) served a malicious ad containing JavaScript code that launched an XHR (Ajax) request aimed at the victim, in this case a website hosted on CloudFlare's infrastructure.
The attack originated from China
The attack was innovative in its approach: according to CloudFlare, it involved no TCP packet injection, and the requests looked like ordinary day-to-day traffic.
After analyzing millions of log lines, CloudFlare says that 99.8% of the traffic came from Chinese IP addresses. The attackers may also be from the same country, mainly because the comments left in the malicious JavaScript were also in Chinese.
72% of the users were on a mobile device, 23% used a desktop browser, and 5% were surfing the Web from a tablet. Additionally, many user-agent strings contained values suggesting the traffic came from mobile apps rather than Web browsers.
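The two things a defender would want to do with such an incident are (a) spot a flood of browser-issued cross-origin XHR requests while it is happening, as described in the "real traffic from real persons" section above, and (b) produce the kind of source-network and device breakdown CloudFlare reported. The following Python script is an added example written for this article; it is not CloudFlare's code. It parses a small constructed access log in an assumed format (client IP, timestamp, request line, status, the browser's `Origin` header, and the user-agent string), classifies user agents as mobile, tablet or desktop, measures what share of requests fall inside an assumed set of source networks (the 203.0.113.0/24 documentation range is a placeholder standing in for whatever country ranges the analyst cares about), and flags seconds in which third-party-origin XHR requests exceed a threshold. The hostnames, IPs and log lines are all constructed.

```python
"""Triage helpers for an ad-network-driven HTTP flood (example code, not CloudFlare's).

Every log line, hostname and CIDR range below is constructed for this example.
A cross-origin XHR issued by a browser carries an Origin header naming the page
that made the request, which is the signal used here to separate ad-driven
requests from a visitor's own navigation on the site.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

SITE_HOST = "victim.example"  # assumed hostname of the targeted site

# Placeholder for the source networks of interest (not a real country allocation).
ASSUMED_SOURCE_NETS = [ip_network("203.0.113.0/24")]

# Constructed log format: ip [timestamp] "method path proto" status "origin" "user-agent"
LOG_LINES = [
    '203.0.113.10 [23/Oct/2012:10:00:01 +0000] "GET /api/ping HTTP/1.1" 200 "http://ads.adnet.test" "Mozilla/5.0 (Linux; Android 4.1; GT-I9300) AppleWebKit/534.30 Mobile Safari/534.30"',
    '203.0.113.11 [23/Oct/2012:10:00:01 +0000] "GET /api/ping HTTP/1.1" 200 "http://ads.adnet.test" "Mozilla/5.0 (Linux; Android 4.0; HTC One X) AppleWebKit/534.30 Mobile Safari/534.30"',
    '203.0.113.12 [23/Oct/2012:10:00:01 +0000] "GET /api/ping HTTP/1.1" 200 "http://ads.adnet.test" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 Mobile/10A403 Safari/8536.25"',
    '203.0.113.13 [23/Oct/2012:10:00:01 +0000] "GET /api/ping HTTP/1.1" 200 "http://ads.adnet.test" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 Mobile/10A403 Safari/8536.25"',
    '203.0.113.14 [23/Oct/2012:10:00:01 +0000] "GET /api/ping HTTP/1.1" 200 "http://ads.adnet.test" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 Chrome/22.0.1229.94 Safari/537.4"',
    '203.0.113.15 [23/Oct/2012:10:00:02 +0000] "GET /api/ping HTTP/1.1" 200 "http://ads.adnet.test" "Mozilla/5.0 (Linux; Android 4.1; GT-I9300) AppleWebKit/534.30 Mobile Safari/534.30"',
    '203.0.113.16 [23/Oct/2012:10:00:02 +0000] "GET /api/ping HTTP/1.1" 200 "http://ads.adnet.test" "Mozilla/5.0 (Linux; Android 4.1; Nexus 7) AppleWebKit/535.19 Safari/535.19"',
    '198.51.100.7 [23/Oct/2012:10:00:02 +0000] "GET /page HTTP/1.1" 200 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 Chrome/22.0.1229.94 Safari/537.4"',
    '198.51.100.8 [23/Oct/2012:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26 Safari/536.26"',
    '203.0.113.17 [23/Oct/2012:10:00:03 +0000] "GET /api/ping HTTP/1.1" 200 "http://ads.adnet.test" "Mozilla/5.0 (Linux; Android 4.1; GT-I9300) AppleWebKit/534.30 Mobile Safari/534.30"',
]

LINE_RE = re.compile(
    r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)" "([^"]*)"$'
)


def parse_line(line):
    """Split one constructed log line into a dict; raise on lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    ip, ts, method, path, status, origin, ua = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path,
            "status": int(status), "origin": origin, "ua": ua}


def parse_log(lines):
    return [parse_line(line) for line in lines]


def classify_device(ua):
    """Coarse device class from a user-agent string (tablet checked before mobile,
    because iPad and Android tablet UAs overlap with phone UAs)."""
    if "iPad" in ua or ("Android" in ua and "Mobile" not in ua):
        return "tablet"
    if "Mobile" in ua or "iPhone" in ua:
        return "mobile"
    return "desktop"


def device_breakdown(records):
    """Percentage of requests per device class, rounded to one decimal."""
    counts = Counter(classify_device(r["ua"]) for r in records)
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


def share_in_networks(records, nets):
    """Fraction of requests whose client IP falls inside any of the given networks."""
    hits = sum(1 for r in records if any(ip_address(r["ip"]) in n for n in nets))
    return hits / len(records)


def third_party_origin(record):
    """Hostname from the Origin header when it names a site other than ours, else None."""
    host = urlparse(record["origin"]).hostname
    return host if host is not None and host != SITE_HOST else None


def flag_xhr_bursts(records, threshold):
    """Return (timestamp, origin_host, count) for each second in which requests
    carrying a third-party Origin reached the threshold; sorted for stable output."""
    per_second = Counter()
    for r in records:
        host = third_party_origin(r)
        if host:
            per_second[(r["ts"], host)] += 1
    return sorted((ts, host, n) for (ts, host), n in per_second.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    print("device breakdown:", device_breakdown(recs))
    print("share from assumed source nets:", share_in_networks(recs, ASSUMED_SOURCE_NETS))
    print("third-party XHR bursts (>=3/s):", flag_xhr_bursts(recs, 3))
```

Keying the burst detector on the Origin header rather than on client IP or user agent matters here: as the article notes, the requests came from real browsers on real devices, so per-IP rate limits and user-agent filters are both weak and likely to hit legitimate visitors. A burst of requests whose Origin is an ad-serving host that has no business calling the site is a much cleaner signal, and an edge that recognises it can answer those requests cheaply without forwarding them to the origin server.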