
Web performance and information security company CloudFlare recently discovered an attack that it believes leveraged mobile ad networks to launch a large-scale distributed denial-of-service (DDoS) attack.

Last week, the security company issued a post in which it explains that it detected a large number of HTTP requests being directed at one of its customers. These requests appeared to have been issued by a real browser, as the headers looked legitimate. Additionally, a POST within the request contained an Origin header issued by an Ajax (XHR) cross-origin call, and the Referer pointed to a reachable URL.

The nature and amount of requests it observed led CloudFlare to conclude it was witnessing a browser-based L7 flood that effectively used malicious JavaScript as a distribution vector.

Further investigation revealed that the attack peaked at 250,000 HTTP requests per second. In total, some 4.5 billion requests were sent from 650,000 unique IP addresses; CloudFlare noted that 99.8% of this traffic originated from China.

A record of the DDoS attack campaign (Source: CloudFlare)

Researchers with the security company have since proposed their idea of what happened. They believe that a user on their smartphone was served an iframe with advertisement content that was requested from an ad network. The ad network forwarded the request to the third party that won the ad auction, an actor which CloudFlare believes was either the “attack page” itself or a middleman that forwarded the user to the “attack page”. The user was then served up a page with malicious JavaScript that released the flood of XHR requests.
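The traffic pattern described above (cross-origin XHR POSTs from many real browsers, all carrying the same foreign Referer) can be looked for in a site's own request logs. The following is an added example, not code from CloudFlare or from the original post; the record fields, thresholds, host names and sample requests are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def _host(value):
    """Lower-cased hostname from a URL or a bare Host header ('' if absent)."""
    if "//" not in value:
        value = "//" + value              # lets urlsplit parse "host:port"
    return (urlsplit(value).hostname or "").lower()

def is_cross_origin_post(req):
    """True for a POST whose Origin header names a host other than Host."""
    if req["method"] != "POST":
        return False
    origin = _host(req.get("origin", ""))
    return origin != "" and origin != _host(req["host"])

def suspect_referers(requests, min_ips=3, min_requests=10):
    """Group cross-origin POSTs by Referer and return {referer: (requests, unique_ips)}
    for Referers seen from many distinct clients, the signature of one page
    driving its visitors' browsers at the site. Thresholds are assumed values."""
    seen = defaultdict(lambda: [0, set()])
    for req in requests:
        if is_cross_origin_post(req):
            entry = seen[req.get("referer") or "(no referer)"]
            entry[0] += 1
            entry[1].add(req["ip"])
    return {ref: (count, len(ips)) for ref, (count, ips) in seen.items()
            if count >= min_requests and len(ips) >= min_ips}

def _req(ip, method, origin, referer):
    # Hypothetical log record layout; adapt to the fields your logs expose.
    return {"ip": ip, "method": method, "host": "victim.example",
            "origin": origin, "referer": referer}

# Constructed sample: four clients sharing one foreign Referer, plus normal traffic.
SAMPLE_REQUESTS = (
    [_req(f"203.0.113.{n}", "POST", "http://attack-page.example",
          "http://attack-page.example/ad.html")
     for n in range(1, 5) for _ in range(3)]
    + [_req("198.51.100.7", "POST", "https://victim.example",
            "https://victim.example/login")] * 4      # same-origin form posts
    + [_req("198.51.100.9", "POST", "https://partner.example",
            "https://partner.example/form")] * 2      # low-volume partner
    + [_req("198.51.100.8", "GET", "", "https://victim.example/")]
)

if __name__ == "__main__":
    for ref, (count, ips) in suspect_referers(SAMPLE_REQUESTS).items():
        print(f"{ref}: {count} cross-origin POSTs from {ips} client IPs")
```

Legitimate cross-origin integrations also appear in this grouping, so flagged Referers are candidates for review or rate limiting rather than automatic blocks.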

“Attacks like this form a new trend,” Cloudflare researchers stated. “They present a great danger in the internet — defending against this type of flood is not easy for small website operators. The good news is CloudFlare handles these attacks easily and automatically without the flood of HTTP requests ever hitting our customers’ infrastructure. While it’s still early days of our research, we hope publicizing the details will help to advance public knowledge and, hopefully, help others affected.”

News of this attack trend follows on the heels of Great Cannon, a distinct attack tool thought to be associated with China’s Great Firewall which targeted two pages on GitHub with malicious JavaScript earlier this year. More recently, Imgur patched a vulnerability that attackers exploited by uploading an HTML file with malicious JavaScript in order to target users of 4chan and 8chan.