Mobile Ad Network Used in DDoS Attack


Exterminator
Oct 23, 2012
The attack originated from and used Chinese mobile users
CloudFlare's administrators are reporting on a DDoS attack which was detected against their infrastructure that involved an advertising network and unsuspecting users visiting random websites where malicious ads were being shown.

The attack was only a few hours long but managed to reach a peak volume of 275,000 HTTP requests per second. The company is also reporting they successfully mitigated the attack without any downtime to the target.

As CloudFlare reports, they speculate that this was a new type of DDoS, one that used ad networks and unsuspecting users.

The attack funneled real traffic from real persons
According to the company's researchers, they suspect random users navigating the Web from their desktop or mobile browsers were served an iframe which contained an ad.

The iframe requested the ad's content from the advertising network, which in turn requested the ad's content from the servers of the person who won that particular ad placement bid.

Unknown to the user and the ad network, the winner of the bid (attacker) served a malicious ad which contained JavaScript code that launched an XHR (Ajax) request aimed at the victim (in this case, a website hosted on the CloudFlare infrastructure).

The attack originated from China
The attack was very innovative in its approach, and according to CloudFlare didn't involve TCP packet injection, looking like real day-to-day traffic.

After analyzing millions of log lines, CloudFlare says that 99.8% of the traffic came from Chinese IP addresses. The attackers may also be from the same country, mainly because of comments left in the malicious JavaScript, which were also in Chinese.

72% of the users used a mobile device, 23% used a desktop browser, while 5% of users were surfing the web from their tablet. Additionally, a lot of user agent strings also contained data hinting that the traffic came from mobile apps, not necessarily Web browsers.
Reactions: ZeroAttack
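The kind of log breakdown the article describes (device mix, request rate, where the browser requests were launched from), as an added example that is not part of the original post and not CloudFlare's tooling. It assumes edge logs are JSON lines that record the request's `Origin` header, which browsers attach to cross-origin XHR; the field names, the `victim.example` site and the user-agent heuristic are assumptions.

```python
import json
from collections import Counter

# Constructed sample edge-log records (JSON lines); field names are assumptions.
SAMPLE_LOG = """\
{"ts": 100, "origin": "http://ads.example", "ua": "Mozilla/5.0 (Linux; Android 5.0; SM-G900) Chrome/44.0 Mobile Safari/537.36"}
{"ts": 100, "origin": "http://ads.example", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4) Mobile/12H143 Safari/600.1.4"}
{"ts": 100, "origin": "http://news.example", "ua": "Mozilla/5.0 (iPad; CPU OS 8_4) Mobile/12H143 Safari/600.1.4"}
{"ts": 101, "origin": "http://ads.example", "ua": "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/44.0 Safari/537.36"}
{"ts": 101, "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/45.0 Safari/537.36"}
{"ts": 100, "origin": "https://victim.example", "ua": "Mozilla/5.0 (Linux; Android 4.4; Nexus 5) Chrome/44.0 Mobile Safari/537.36"}
this line is damaged and is skipped
"""

def device_class(ua):
    """Rough user-agent heuristic (assumption): tablet, mobile or desktop."""
    if "iPad" in ua or "Tablet" in ua or ("Android" in ua and "Mobile" not in ua):
        return "tablet"
    if "Mobile" in ua or "iPhone" in ua:
        return "mobile"
    return "desktop"

def summarize(log_text, site_origin):
    """Peak requests/second, device mix and share of requests whose Origin is another site."""
    per_second, devices, foreign = Counter(), Counter(), Counter()
    total = 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            ts = rec["ts"]
        except (ValueError, KeyError, TypeError):
            continue  # blank, damaged or incomplete record
        total += 1
        per_second[ts] += 1
        devices[device_class(rec.get("ua", ""))] += 1
        origin = rec.get("origin")
        if origin and origin != site_origin:
            foreign[origin] += 1  # request launched by a page on another site
    pct = lambda n: round(100 * n / total, 1) if total else 0.0
    return {
        "total": total,
        "peak_rps": max(per_second.values(), default=0),
        "device_share": {d: pct(n) for d, n in devices.items()},
        "foreign_origin_share": pct(sum(foreign.values())),
        "top_foreign_origins": foreign.most_common(3),
    }
```

A high `foreign_origin_share` concentrated on a few origins, together with a sudden jump in `peak_rps`, is the pattern worth rate-limiting or challenging at the edge.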