Experts at Imperva discovered a new type of large-scale DDoS attack that abuses the HTML5 Ping-based hyperlink auditing feature.

Experts at Imperva Vitaly Simonovich and Dima Bekerman observed a large-scale DDoS attack abusing the HTML5 Ping-based hyperlink auditing feature.

The DDoS attack peaked at a massive 7,500 requests per second and delivered more than 70 million requests over a four-hour period from around 4,000 user IPs.

“We recently investigated a DDoS attack which was generated mainly from users in Asia. In this case, attackers used a common HTML5 attribute, the <a> tag ping, to trick these users to unwittingly participate in a major DDoS attack that flooded one web site with approximately 70 million requests in four hours.” reads the analysis published by Imperva.

“Rather than a vulnerability, the attack relied on turning a legitimate feature into an attack tool. Also, almost all of the users enlisted in the attack were mobile users of the QQBrowser developed by the Chinese tech giant Tencent and used almost exclusively by Chinese speakers.”

Analyzing the logs, experts noticed that all the malicious requests contained the HTTP Headers “Ping-From” and “Ping-To”. This was the first case of a DDoS attack using the <a> tag ping attribute.

Both Ping-Form and Ping-To values referred to the “http://booc[.]gz[.]bcebos[.]com/you[.]html” URL.

The User-Agent in the requests is associated with the popular Chinese chat app, WeChat that uses a default mobile browser to open links in messages. QQBrowser is very popular in China, it is the default browser for many Chinese users.

Experts believe that attackers used a mix of social engineering combined with malvertising to trick WeChat users into opening the browser. Below the possible scenario described by the experts:

The attacker injects malicious advertising that loads a suspected website Link to the legitimate website with the malicious ad in an iframe is posted to a large WeChat group chat Legitimate users visit the website with the malicious ad JavaScript code executes, creating a link with the “ping” attribute that the user clicks on An HTTP ping request is generated and sent to the target domain from the legitimate user’s browser

Anyway, the new DDoS attack technique could involve almost any browser, experts pointed out that Firefox has the ping attribute disabled by default.

Attackers set up a crafted web page with two external JavaScript files, one of these included an array containing URLs representing the targets of the DDoS attack. The second JS file was used to randomly selected an URL from the array, create the <a> tag with a ‘ping’ attribute, and programmatically click the link every second.

As long as the user remains on the crafted website, a hyperlink auditing ping was sent to the target website. Experts explained that 4,000 users visiting a crafted website would potentially generate more than 14 million requests per hour.

“If you are not expecting or do not need to receive ping requests to your Web server, block any Web requests that contain “Ping-To” and/or “Ping-From” HTTP headers on the edge devices (Firewall, WAF, etc.). This will stop the ping requests from ever hitting your server. (Note: Imperva DDoS Protection is already updated to prevent ping functionality abuse targeted at your sites.)” conclude the expert.

“Application DDoS attacks are here to stay and will continue to evolve at incredible rates. Attackers are always finding new and creative ways to abuse legitimate services for malicious purposes.”

Pierluigi Paganini