A brief introduction to JavaScript DDoS attack principles and defenses (pictures and text)

Distributed denial of service attack (DDoS) attack is one of the oldest and most common attacks launched against websites. Nick Sullivan is a systems engineer at CloudFlare, a provider of website acceleration and security services. Recently, he wrote an article introducing how attackers use malicious websites, server hijacking and man-in-the-middle attacks to launch DDoS attacks, and explained how to use HTTPS and the upcoming new Web technology called "Subresource Integrity (SRI)" Technology protects websites from attacks.

Most of the interaction on modern websites comes from JavaScript. Websites implement interactive functionality by adding JavaScript code directly to HTML or by loading JavaScript from a remote location through HTML elements9be8c280d3dc51bb61988971f6c2aa5c. JavaScript can issue HTTP(S) requests to load web page content asynchronously, but it can also turn the browser into a weapon for attackers. For example, the following code can flood a compromised website with requests:

function imgflood() {  
  var TARGET = 'victim-website.com'
  var URI = '/index.php?'
  var pic = new Image()
  var rand = Math.floor(Math.random() * 1000)
  pic.src = 'http://'+TARGET+URI+rand+'=val'
}
setInterval(imgflood, 10)

The above script will create 10 image tags on the page every second. The tag points to "victim-website.com" with a random query parameter. If the user visits a malicious website that contains this code, then he will unknowingly participate in a DDoS attack on "victim-website.com", as shown in the following figure:

Many websites use a common set of JavaScript libraries. In order to save bandwidth and improve performance, they use JavaScript libraries hosted by third parties. jQuery is the most popular JavaScript library on the web, used by approximately 30% of websites as of 2014. Other popular libraries include Facebook SDK and Google Analytics. If a website contains a script tag that points to a JavaScript file hosted by a third party, all visitors to the website will download the file and execute it. If an attacker compromises such a server hosting a JavaScript file and adds DDoS code to the file, then all visitors will become part of the DDoS attack. This is server hijacking, as shown in the following figure:

This attack works because there is a missing mechanism in HTTP that would allow a website to prevent a tampered script from running. In order to solve this problem, W3C has proposed to add a new feature subresource consistency. This feature allows a website to tell the browser to run a script only if the script it downloads matches the script the website wants to run. This is achieved through password hashing, the code is as follows:

<script src="https://code.jquery.com/jquery-1.10.2.min.js" 
integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=" 
crossorigin="anonymous">

A password hash can uniquely identify a block of data, and no two files will have the same password hash. Propertiesintegrity provides the password hash of the script file the website wishes to run. After the browser downloads the script, it calculates its hash and then compares the resulting value with the value provided by integrity. If it doesn't match, the target script has been tampered with and the browser won't use it. However, many browsers do not currently support this feature, and Chrome and Firefox are adding support for this feature.

Man-in-the-middle attacks are the latest way for attackers to insert malicious JavaScript code into websites. When accessing a website through a browser, it passes through many nodes. If any intermediate node adds malicious code to the web page, a man-in-the-middle attack will occur, as shown in the figure below:

Encryption technology can completely block this code injection. With HTTPS, all communications between the browser and the web server are encrypted and authenticated, preventing third parties from modifying the web page during transmission. Therefore, setting the website to HTTPS-only, keeping the certificate and verifying the certificate can effectively prevent man-in-the-middle attacks.

In reply to netizen comments, Nick pointed out that SRI and HTTPS are complementary to each other, and using both at the same time can provide better protection for the website. In addition to the above methods, using some anti-DDoS security products to strengthen protection is also an option.

The above is the detailed content of A brief introduction to JavaScript DDoS attack principles and defenses (pictures and text). For more information, please follow other related articles on the PHP Chinese website!