By Vitaly Simonovich and Dima Bekerman
DDoS attacks have always been a major threat to network infrastructure and web applications.
Attackers are always creating new ways to exploit legitimate services for malicious purposes, forcing us to constantly research DDoS attacks in our CDN to build advanced mitigations.
We recently investigated a DDoS attack which was generated mainly from users in Asia. In this case, attackers used a common HTML5 attribute, the tag ping, to trick these users to unwittingly participate in a major DDoS attack that flooded one web site with approximately 70 million requests in four hours.
How They Did It
Ping is a command in HTML5 that specifies a list of URLs to be notified if the user follows a hyperlink. When the user clicks on the hyperlink, a POST request with the body “ping” will be sent to the URLs specified in the attribute. It will also include headers “Ping-From”, “Ping-To” and a “text/ping” content type.