The HTML5 PING Attack

HTML 5 has introduced many positive changes to web page structure and functionality. One of these has allowed web developers to send a small request (i.e. a ping) to a secondary location when a link is clicked.

The ping itself is just a simple, rather small, HTTP POST request, and is in itself a helpful feature, but DDoS attackers have found a way to abuse it.

By specifying the victim of the attack as the location to be pinged and using social engineering to trick users into clicking the link, they are able to generate a large amount of traffic towards the victim.

This is not the first time social engineering has been used to generate DDoS attack traffic. During various operations (especially during operation payback) in the past, Anonymous have directed other participants to simply goto a specific website and become part of the DDoS attack. When a participant voluntarily connected to the website, the participant contributed (via various Javascripts (JS) embedded on the page) their own computer's web browser to be used as an attacker node in some type of HTTP flood. In the past these HTTP floods looked very similar to HOIC style HTTP attacks.

Mitigating HTML5 PING Attacks

On the mitigation side, HTML 5 PING creates a specific looking POST request and we therefore imagine it should be fairly simple to block. More over, if you are protected against HTTP POST in general, you should be protected against this attack vector as well.

See our Knowledge Base for more information about HTTP Request Floods and our Whitepaper about the State of DDoS Mitigation.