A large number of HTTP requests were noticed by CloudFare overwhelming one of its clients. The requests were made from over 650,000 unique IP addresses tracing from China, initiating a distributed denial-of-service (DDoS) attack.
Chinese smartphones launch a massive DDoS web attack:
More than 650,000 Chinese smartphones have been unwillingly used in a massive attack that launched over 4.5 billion separate data requests in a single day using a browser-based HTTP flood. A mobile ad network seemed to have been used to initiate the attack. Appearing in popular apps in China, adverts seeded with malicious code were leveraged to establish such a massive attack against a target website.
The attack peaked at over 1 billion requests per hour with 80% of the requests made from mobile devices, mainly from mobile apps and browsers popular in the country. In a blog post, CloudFare's Marek Majkowski shares that the company isn't certain how such a large amount of mobile devices were lured into visiting the attacked page. However, as mentioned above, leveraging an ad network seems to be the only plausible explanation behind such a vast number of Chinese phone users visiting the same page at the same time. Majkowski explains that "it seems probable that users were served advertisements containing the malicious JavaScript."
He has also shared the steps following which a user could have been tricked into being a part of this DDoS attack:
- A user was casually browsing the Internet or opened an app on the smartphone.
- The user was served an iframe with an advertisement.
- The advertisement content was requested from an ad network.
- The ad network forwarded the request to the third-party that won the ad auction.
- Either the third-party website was the "attack page", or it forwarded the user to an "attack page".
- The user was served an attack page containing a malicious JavaScript, which launched a flood of requests against CloudFlare servers.
He further speculates that the creators of this attack might have joined the networks that pipe adverts to people. And as these ad networks run live auctions, cyber criminals, by bidding the highest, could have their malicious ads places in front of many people.
This is one of the first examples of mobile DDoS attacks as typically criminals have used web browsers to launch these attacks. As mobile users often rely on apps to connect to different services instead of using browsers, mobile hasn't been a favorite for these malvertising campaigns. However, it definitely changes now as Majkowski says, "Attacks like this form a new trend. They present a great danger in the internet — defending against this type of flood is not easy for small website operators."
