One of my websites was the target of several DDoS attacks in the past, but I have never been the source of one. Not all video-centric websites can say the same according to PCWorld reporting on research from web security company Incapsula. Apparently, someone left a gaping hole in their code that was found and exploited. Oops!
Being the good websec firm Incapsula is, they did not name names. After all, if it were your site you would not want hundreds of hackers coming to see what other security holes there were in your code, would you? They simply said a top 50 website according to Alexa, which I’ll look into a bit later.
XSS = DDoS
XSS is cross-site scripting, which basically means that script supplied by one party (the attacker) ends up running inside another site’s pages, in the browsers of that site’s visitors. So when there is no filtering of what a user puts into things like URLs and web-based forms, code can be injected into a webpage and then executed by everyone who loads it. It’s a pretty big security hole and one that every good web guy will tell you should never have been open in the first place.
DDoS is a distributed denial of service attack: a web server is flooded with traffic from many sources until it faults, goes offline, or is left in a weakened state that can then be exploited for other malicious purposes.
Here’s some technical info on it:
Even more interesting is an update on the situation.
It should be noted that yesterday the original DDoS tool on the attacker’s C&C domain was replaced with a much more robust version. This leads us to believe that what we saw yesterday was a sort of POC test run. The current code is not only much more sophisticated, but it is also built for keeping track of the attack, for what seems like billing purposes. From the looks of it, someone is now using this Alexa Top 50 website to set up a chain of botnets for hire.
Now, if you haven’t had a web security professional take a look at your website there are some tools readily available to help check the integrity of your site. If you are a more tech savvy type, OWASP has a great information resource about cross-site scripting vulnerabilities, how to check and how to fix.
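As an added illustration (not code from Incapsula or from the affected site), here is a Python sketch of the defect the post describes: a comment or profile-picture field echoed into a video page without output encoding, next to the encoded form, with a parser-based check that the hardened output carries no executable markup. The comment text, picture URL and helper names are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input, as a malicious user might submit it. The handler
# body is a placeholder comment, not a working payload.
STORED_COMMENT = 'lol cats <img src="x" onerror="/* injected script would run here */">'
PROFILE_PIC = 'javascript:/* injected script would run here */'


def render_comment_vulnerable(author_pic: str, body: str) -> str:
    """No output encoding: whatever was stored is pasted into the page as HTML."""
    return f'<div class="comment"><img src="{author_pic}">{body}</div>'


def safe_image_url(url: str) -> str:
    """Allow only http(s) URLs for user-supplied images; otherwise use a default avatar."""
    parsed = urlparse(url)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return html.escape(url, quote=True)
    return "/static/default-avatar.png"


def render_comment_safe(author_pic: str, body: str) -> str:
    """Treat user text as data, never as markup, and validate the picture URL."""
    return (f'<div class="comment"><img src="{safe_image_url(author_pic)}">'
            f'{html.escape(body, quote=True)}</div>')


class ActiveContentFinder(HTMLParser):
    """Collects tags that carry on* event handlers or javascript: URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag}> has event handler {name}")
            if name in ("src", "href") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag}> {name} uses a javascript: URL")


def find_active_content(rendered_html: str) -> list[str]:
    """Return a list of executable-markup findings; empty means the page only contains text."""
    finder = ActiveContentFinder()
    finder.feed(rendered_html)
    return finder.findings


if __name__ == "__main__":
    print(find_active_content(render_comment_vulnerable(PROFILE_PIC, STORED_COMMENT)))
    print(find_active_content(render_comment_safe(PROFILE_PIC, STORED_COMMENT)))
```

Note that a plain substring search would not do as the check: the escaped output still contains the text `onerror=`, but as inert data that the browser never parses as an attribute.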
So which site is it?!
Now the part you’ve all been waiting for: which site was it? Let me get my deerstalker on (that’s the hat Sherlock Holmes wears, FYI).
First off, Incapsula’s blog post title is “One of World’s Largest Websites Hacked: Turns Visitors into ‘DDoS Zombies’”, but the short link is http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html. Interesting.
Next up is the actual blog post which states:
What makes this case especially interesting is the fact that the attack was enabled by a vulnerability in one of the world’s largest and most popular sites – one of the domains on Alexa’s “Top 50” list.
We also know that the site allows users to sign up with profiles and include pictures in the profiles. Here’s how we figure it was a video-centric website.
Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous.
Thousands of views per minute and 10-30 minute video content: interesting as well. Finally, this smoking gun of a comment.
Knowing this, the offender strategically posted comments on popular videos, effectively creating a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.
Comments! Cat videos!
Wait, before I give you my summation, I need some actual proof. So let’s look at the Alexa Top 500 websites for some video websites.
I examined the Top 50 sites and came up with these video heavy sites.
Well, we can rule out xvideos; I hope they don’t have cat videos. We can also rule out IMDB and CNN, as I don’t think either has a cat video category. We can knock out Apple and Microsoft as well. That narrows it down to the top four in the list.
Facebook doesn’t really host the videos that are seen on the site, so let’s pull it from the list. Yahoo is currently moving toward news and away from user-generated content, so pull it from the list too.
The only two sites left are Google and YouTube, essentially the same company and site, and therefore probably the culprit.
So wait a second, the company that is the self-appointed web-spam police had a massive coding vulnerability that is allowing their site to be the source of a massive DDoS attack, perhaps even the same attack that took down Blizzard Games, and now its users are being hired out as a botnet?!