Reflection and amplification attacks are used to extend DDoS harm. Recently, I discussed how the most recent unwelcome arrival of HTTP-based reflectors and amplifiers has had a more significant impact than past standard floods, and I wondered what would happen if attackers started using Facebook for link “loading” with fake accounts. The possibilities seemed endless and, according to “A Programmer’s Blog,” somebody has already worked on this and created a 400 MB flood using only Facebook Mobile.
This new Facebook attack is similar to the Google Docs DDoS attack launched a few years back, when Google Docs spreadsheets were being used as a weapon for DDoS. Both attack types use a web link or a list of web links (URLs). Both can also append variables to the end of the requested file so that, if the target uses a CDN, the request punches through the CDN to the origin server. These attacks can also fetch a real URL on demand in order to drive up the cost of the CDN.
Another factor that could further this reflector/amplifier attack is that Yahoo now appears to load links from within its mail program. From the compose feature, one can paste links into the e-mail and Yahoo’s fetcher/crawler will start loading the pages for preview. During the testing of this concept, I noticed it was very easy to paste a link, hit return, paste another link, hit return — and Yahoo would go fetch and “preview” the link, resize the images, etc. This could easily be scripted with a browser plugin like Greasemonkey, or combined with the Facebook “notes” exploit, in an effort to amplify damage.
How could a hacker combine these attacks? First, create a Facebook Note with 1,000 URLs. Then, load up a script to hit that note via a WordPress pingback. Next, put the same list in Google Docs to load every hour, then start referencing the links via Yahoo Mail preview and keep the ping going. It wouldn’t be very difficult to daisy-chain the attacks and launch combination attacks from various reflectors to keep hitting various online companies.
Attacks like this could easily be launched from a public Wi-Fi-enabled network (an airport, mall, coffee shop), whose anonymity offers great cover for the attacker. No one would blacklist all of these online services, and many websites and platforms have stated that this is not a bug, so they will not be “fixing” it. With this in mind, some of the solutions suggested to fix this flaw really aren’t fixes. One recommendation was to block the IP range of Facebook’s loaders. However, the attack can be even more destructive if the image source is set to a search function on the victim site: the remote site then runs SQL queries for every search, and if the content to be searched for matches is large, the result is clear.
The difficulty in fighting these kinds of attacks is that the wrong defense is often chosen. DDoS services that require you to hand your data center traffic over to them to be “cleaned” are expensive and generally should only be used for emergencies. Network reflection attacks often require this kind of emergency service. HTTP requests coming from Google, Facebook or WordPress tend to be classified as legitimate traffic, so mitigating them is very challenging, and this makes on-premises protection a necessity.
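The tell-tale pattern of this kind of reflected fetch, the same origin resource pulled by a link-preview fetcher under many different query strings, can be spotted in ordinary web server access logs before anyone engages a scrubbing service. The following is an added example and is not code from this post or from Radware: the log lines are constructed, and the user-agent prefixes used to recognise fetchers are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines (not real traffic): one
# large file fetched repeatedly under different query strings, as the post describes.
SAMPLE_LOG = """\
192.0.2.1 - - [10/Apr/2014:12:00:01 +0000] "GET /large.pdf?v=1 HTTP/1.1" 200 9000000 "-" "facebookexternalhit/1.1"
192.0.2.2 - - [10/Apr/2014:12:00:01 +0000] "GET /large.pdf?v=2 HTTP/1.1" 200 9000000 "-" "facebookexternalhit/1.1"
192.0.2.3 - - [10/Apr/2014:12:00:02 +0000] "GET /large.pdf?v=3 HTTP/1.1" 200 9000000 "-" "facebookexternalhit/1.1"
192.0.2.4 - - [10/Apr/2014:12:00:02 +0000] "GET /large.pdf?v=4 HTTP/1.1" 200 9000000 "-" "facebookexternalhit/1.1"
203.0.113.5 - - [10/Apr/2014:12:00:03 +0000] "GET /large.pdf HTTP/1.1" 200 9000000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2014:12:00:03 +0000] "GET /search?q=a HTTP/1.1" 200 500 "-" "WordPress/3.8; http://example.org"
198.51.100.7 - - [10/Apr/2014:12:00:04 +0000] "GET /search?q=b HTTP/1.1" 200 500 "-" "WordPress/3.8; http://example.org"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"')

# User-agent prefixes of link fetchers that the post says get treated as legitimate.
# The prefixes are assumptions made for this example, not taken from the post.
FETCHER_PREFIXES = ("facebookexternalhit", "WordPress/")

def parse_line(line):
    """Return (ip, path, query, bytes, user-agent) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, _status, size, ua = m.groups()
    path, _, query = target.partition("?")
    return ip, path, query, (0 if size == "-" else int(size)), ua

def fetcher_family(ua):
    """Map a user-agent to the fetcher it belongs to, or None for ordinary clients."""
    return next((p for p in FETCHER_PREFIXES if ua.startswith(p)), None)

def find_reflected_paths(log_text, min_variants=3):
    """Group fetcher requests by (fetcher, path) and report every path pulled under
    at least `min_variants` distinct query strings, with hit count and bytes served."""
    stats = defaultdict(lambda: {"variants": set(), "hits": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or fetcher_family(rec[4]) is None:
            continue
        _ip, path, query, size, ua = rec
        s = stats[(fetcher_family(ua), path)]
        s["variants"].add(query)   # each distinct query string defeats the CDN cache once
        s["hits"] += 1
        s["bytes"] += size
    return {k: {"variants": len(v["variants"]), "hits": v["hits"], "bytes": v["bytes"]}
            for k, v in stats.items() if len(v["variants"]) >= min_variants}
```

On the sample, the Facebook fetcher pulling `/large.pdf` under four query variants is reported while the ordinary browser hit and the two WordPress searches are not; lowering `min_variants` surfaces the search-endpoint pattern the post warns about as well.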
Hybrid DDoS solutions combine to share attack signaling and stop threats. If you’re interested in learning more about an integrated detection and mitigation solution for DDoS attacks, I invite you to register and download a whitepaper on Radware’s new Attack Mitigation Network.