XSS bug in popular Chinese site exploited to launch DDoS attack
DDoS mitigation firm Incapsula has put a stop to speculation that the video content provider whose vulnerable website was misused to launch a DDoS attack was YouTube, and has revealed that it was actually Sohu.com, currently the 27th most visited website in the world.
Earlier this month, Ronen Arias, security analyst at Incapsula, wrote a blog post about the attack in question, which the company was hired to mitigate. The (still unnamed) third-party target of the attack was being hit with “over 20 million GET requests originating from the browsers of over 22,000 Internet users.”
The investigation revealed an unlikely source. An XSS vulnerability in one of the most popular websites in the world allowed the attacker to inject JavaScript code into the tag associated with its users' profile images.
The attacker went on to comment on many, many videos, and each time the malicious code would accompany the comment. Once the code was on a page, it was executed in the browser of every subsequent visitor to that page, where it triggered another code injection and an Ajax-scripted DDoS tool that took command of the browser and instructed it to send repeated (one per second) requests to the target sites.
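The root cause described above is a user-controlled value (the profile image reference) being placed into an HTML tag without output encoding. The following is an added example, not code from the article or from Sohu.com, showing a hypothetical avatar renderer in its vulnerable form next to a hardened form that validates the URL scheme and attribute-encodes the value before emitting the tag. The function names, the `ALLOWED_SCHEMES` allowlist, the fallback path and the sample profile URL are all constructed for illustration.

```python
# Added example (not from the article or from Sohu.com): rendering a user
# profile image tag safely. Both renderers and the sample URL are hypothetical.
import html
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_AVATAR = "/static/default-avatar.png"


def render_avatar_unsafe(profile_image_url: str) -> str:
    """Vulnerable pattern: a user-controlled string is interpolated straight
    into an HTML attribute. A value containing a double quote closes the
    src attribute early, so the rest of the value becomes new markup."""
    return f'<img class="avatar" src="{profile_image_url}">'


def safe_profile_image_url(candidate: str, fallback: str = DEFAULT_AVATAR) -> str:
    """Allowlist the URL scheme and require a host; anything else falls back
    to a site-controlled default image. This rejects non-http(s) schemes
    outright rather than trying to blocklist dangerous ones."""
    parsed = urlparse(candidate)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
        return fallback
    return candidate


def render_avatar_safe(profile_image_url: str) -> str:
    """Hardened pattern: validate, then attribute-encode. Encoding is still
    required after validation because a syntactically valid https URL can
    carry quote and angle-bracket characters in its path."""
    url = safe_profile_image_url(profile_image_url)
    return f'<img class="avatar" src="{html.escape(url, quote=True)}">'


if __name__ == "__main__":
    # Constructed sample: a valid-looking https URL whose path breaks out of
    # the attribute when rendered without encoding.
    sample = 'https://cdn.example/a.png"><b>x</b>'
    print("unsafe:", render_avatar_unsafe(sample))
    print("safe:  ", render_avatar_safe(sample))
    print("scheme rejected:", render_avatar_safe("data:text/plain,hi"))
```

The two checks are deliberately separate: scheme validation protects against non-image references being used as the `src`, while attribute encoding protects the surrounding markup; either one alone leaves the other gap open.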
“Obviously one request per second is not a lot. However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous,” Arias explained.
“Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.”
He also shared some details on how the company was able to block the attack and discover its source.
The site in question has been notified of the vulnerability and has since patched it, allowing Incapsula to finally squash the rumours swirling around the internet about its identity.