Researchers have found that the HTML feature called hyperlink auditing, or pings, is being used to perform DDoS attacks against various sites. This feature is normally used by sites to track link clicks, but is now found to be abused by attackers to send a massive amount of web requests to sites in order to take them offline.

For those who are unfamiliar with hyperlink auditing, it is an HTML feature that allows sites to track clicks on links. To create a hyperlink auditing URL, or ping, you create a normal hyperlink HTML tag and also include a ping="[url]" attribute, as shown below.

Ping HTML Link

In the above example, when the user clicks on the link, their browser will first connect to https://www.bleepingcomputer.com/pong.php with a POST request and then direct the browser to Google. This causes your browser to connect to two different sites when you click on a single link.

The web page that receives the ping can then examine the POST request headers to see what page the click originated on (Ping-From header) and what page the link was going to (Ping-To header).

While not as common as JS and redirect tracking, this feature is used in the Google search results in order for Google to track clicks on their links.

Pings abused to perform DDoS attacks

In new research by Imperva, researchers have found that HTML pings are being utilized by attackers to perform distributed denial of service attacks on various sites.

This attack was conducted mainly by users from China and almost all of the attackers were mobile users utilizing QQBrowser. Over the course of this attack, Imperva detected 4,000 IP addresses involved in sending approximately 70 million requests in four hours.

A peak of 7,500 Requests per Second (RPS)

Strangely, all of the PING requests that Imperva observed showed that both the Ping-To and the Ping-From header values were from http://booc.gz.bcebos[.]com/yo.js?version=cc000001. This is strange, as usually the link URL is different from the URL where the link was clicked.

Below you can see a sample POST ping request from this attack.

Example Ping Post Request
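
As an added example (not code from Imperva or from this article), the sketch below shows how a site could recognise hyperlink-auditing pings in its own request stream and flag the self-referential Ping-To/Ping-From pattern described above. The request objects, hostnames and IP addresses are constructed samples, and the function names are hypothetical.

```javascript
// Added example. Per the HTML standard, a hyperlink-auditing ping is a POST
// with Content-Type text/ping that carries Ping-To and (usually) Ping-From.
function normalizeHeaders(headers) {
  const out = {};
  // Header names are case-insensitive, so index them in lower case.
  for (const [name, value] of Object.entries(headers || {})) out[name.toLowerCase()] = String(value).trim();
  return out;
}

function classifyPing(req) {
  const h = normalizeHeaders(req.headers);
  const hasPingHeader = 'ping-to' in h || 'ping-from' in h;
  const isTextPing = (h['content-type'] || '').toLowerCase().startsWith('text/ping');
  if (req.method !== 'POST' || !(hasPingHeader || isTextPing)) {
    return { ping: false, selfReferential: false };
  }
  // The anomaly reported above: link source and link target are the same URL.
  const selfReferential = Boolean(h['ping-to']) && h['ping-to'] === h['ping-from'];
  return { ping: true, selfReferential };
}

// Aggregate a request stream: ping volume, distinct sources, peak pings/second.
function summarize(requests) {
  const perSecond = new Map();
  const sources = new Set();
  let pings = 0, selfReferential = 0;
  for (const req of requests) {
    const verdict = classifyPing(req);
    if (!verdict.ping) continue;
    pings += 1;
    if (verdict.selfReferential) selfReferential += 1;
    sources.add(req.ip);
    const second = Math.floor(req.ts / 1000); // ts is epoch milliseconds
    perSecond.set(second, (perSecond.get(second) || 0) + 1);
  }
  return { pings, selfReferential, sources: sources.size, peakRps: Math.max(0, ...perSecond.values()) };
}

// Constructed sample traffic (hypothetical hosts, documentation IP ranges).
const page = 'http://ads.example.test/page.html';
const ping = (ts, ip, from, to) => ({ ts, ip, method: 'POST',
  headers: { 'Content-Type': 'text/ping', 'Ping-From': from, 'ping-to': to } });
const sample = [
  ping(1000, '192.0.2.10', page, page), ping(1400, '192.0.2.11', page, page),
  ping(1900, '192.0.2.10', page, page),
  ping(2100, '198.51.100.7', 'https://search.example.test/q', 'https://news.example.test/a'),
  { ts: 2200, ip: '198.51.100.8', method: 'POST', headers: { 'Content-Type': 'application/json' } },
  { ts: 2300, ip: '198.51.100.9', method: 'GET', headers: {} },
];
console.log(summarize(sample));
```

A site that does not use hyperlink auditing itself has no legitimate reason to receive requests that classify as pings, so the same check can drive a reject rule at the edge.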

When examining the you.html page from the Ping-To and Ping-From headers, Imperva was able to understand what was happening. The you.html page, shown below, loads two JS files that would perform the HTML ping DDoS attacks.

Script on you.html page

The ou.js file, shown below, contained an array of sites that were targeted for the DDoS attack. Imperva has told BleepingComputer that most of the sites being targeted were for gaming companies.

Array of DDoS targets (ou.js)

The yo.js script, shown below, would randomly select one of the above sites and create an HTML ping URL with that site as the ping target. It would then programmatically click on the link as shown by the link.click() command.

Function that generates a link and clicks it (yo.js)

The JavaScript would then create a new HTML ping URL and click it every second. So the longer a user was on this page, the more clicks they would generate.

Imperva's theory is that the attackers used social engineering and malvertising to direct users to pages hosting these scripts.

We noticed that the User-Agent in the requests is associated with the popular Chinese chat app, WeChat. WeChat uses a default mobile browser to open links in messages. As QQBrowser is very popular in China, many users pick it as a default browser for their smartphone. Our theory is that social engineering combined with malvertising (malicious advertising) that tricked unsuspecting WeChat users into opening the browser. Here’s one possible scenario:

1. The attacker injects malicious advertising that loads a suspected website
2. Link to the legitimate website with the malicious ad in an iframe is posted to a large WeChat group chat
3. Legitimate users visit the website with the malicious ad
4. JavaScript code executes, creating a link with the “ping” attribute that the user clicks on
5. An HTTP ping request is generated and sent to the target domain from the legitimate user’s browser

The good news is that it is currently easy to prevent most browsers from being used in hyperlink auditing ping attacks like the one described above: disable hyperlink auditing in your browser.

The bad part is that almost all browsers, except for Firefox and Brave, will soon have this feature enabled by default without any way of disabling it.

Browsers will soon prevent you from disabling HTML pings

Browsers such as Chrome, Edge, Safari, and Opera enable hyperlink auditing by default and most allow you to disable it. As we reported last weekend, future versions of these browsers will no longer allow users to disable hyperlink auditing at all.

The inability to disable hyperlink auditing is not only a privacy risk and a cause of concern for many; this new research shows that it is far worse than originally understood.

Now that we know this feature is being utilized in distributed attacks, it is more important than ever for users to have the ability to disable this feature.

Currently, the only browsers that disable hyperlink auditing by default and continue to provide ways to disable it are Firefox and Brave.