A brief discussion on the principles and defense of DDoS attacks using JavaScript

Home

Web Front-end

JS Tutorial

A brief discussion on the principles and defense of DDoS attacks using JavaScript_javascript skills

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

May 16, 2016 pm 03:56 PM

ddosjavascript

Distributed Denial of Service (DDoS) attack is one of the oldest and most common attacks against websites. Nick Sullivan is a systems engineer at CloudFlare, a provider of website acceleration and security services. Recently, he wrote an article introducing how attackers use malicious websites, server hijacking and man-in-the-middle attacks to launch DDoS attacks, and explained how to use HTTPS and the upcoming technology called "Subresource Integrity (Subresource Integrity)" SRI)' new web technology protects websites from attacks.

Most interactions on modern websites come from JavaScript. Websites implement interactive functionality by adding JavaScript code directly to HTML or loading JavaScript from a remote location through the HTML element

  function imgflood() { 
   var TARGET = 'victim-website.com'
   var URI = '/index.php&#63;'
   var pic = new Image()
   var rand = Math.floor(Math.random() * 1000)
   pic.src = 'http://'+TARGET+URI+rand+'=val'
  }
  setInterval(imgflood, 10)

The above script will create 10 image tags on the page every second. The tag points to "victim-website.com" with a random query parameter. If the user visits a malicious website that contains this code, then he will unknowingly participate in a DDoS attack on "victim-website.com", as shown in the figure below:

20156493325376.png (900×420)

Many websites use a common set of JavaScript libraries. To save bandwidth and improve performance, they use JavaScript libraries hosted by third parties. jQuery is the most popular JavaScript library on the web, used by approximately 30% of websites as of 2014 . Other popular libraries include Facebook SDK and Google Analytics. If a website contains a script tag that points to a JavaScript file hosted by a third party, all visitors to the website will download the file and execute it. If an attacker compromises such a server hosting a JavaScript file and adds DDoS code to the file, then all visitors will become part of the DDoS attack. This is server hijacking, as shown in the figure below:

20156493409662.png (900×586)

This attack works because there is a missing mechanism in HTTP that would allow websites to disable tampered scripts from running. To solve this problem, W3C has proposed adding a new feature, subresource consistency. This feature allows a website to tell the browser to run a script only if the script it downloads matches the script the website wants to run. This is achieved through password hashing, the code is as follows:

  <script src="https://code.jquery.com/jquery-1.10.2.min.js" 
  integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=" 
  crossorigin="anonymous">

A password hash uniquely identifies a block of data, and no two files will have the same password hash. The integrity attribute provides the password hash of the script file the website wishes to run. After the browser downloads the script, it calculates its hash and then compares the resulting value with the value provided by integrity. If it doesn't match, the target script has been tampered with and the browser won't use it. However, many browsers do not currently support this feature, and Chrome and Firefox are adding support for this feature.

Man-in-the-middle attack is the latest way for attackers to insert malicious JavaScript code into websites. When accessing a website through a browser, it passes through many nodes. If any intermediate node adds malicious code to the web page, it will form a man-in-the-middle attack, as shown in the figure below:

20156493514762.png (900×771)

Encryption technology can completely block this code injection. With HTTPS, all communications between the browser and the web server are encrypted and authenticated, preventing third parties from modifying the web page during transmission. Therefore, setting the website to HTTPS-only, keeping the certificate and verifying the certificate can effectively prevent man-in-the-middle attacks.

When replying to netizen comments, Nick pointed out that SRI and HTTPS complement each other, and using both at the same time can provide better protection for the website. In addition to the above methods, using some anti-DDoS security products to strengthen protection is also an option.

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Is JavaScript Written in C? Examining the EvidenceApr 25, 2025 am 12:15 AM

Yes, the engine core of JavaScript is written in C. 1) The C language provides efficient performance and underlying control, which is suitable for the development of JavaScript engine. 2) Taking the V8 engine as an example, its core is written in C, combining the efficiency and object-oriented characteristics of C. 3) The working principle of the JavaScript engine includes parsing, compiling and execution, and the C language plays a key role in these processes.

JavaScript's Role: Making the Web Interactive and DynamicApr 24, 2025 am 12:12 AM

JavaScript is at the heart of modern websites because it enhances the interactivity and dynamicity of web pages. 1) It allows to change content without refreshing the page, 2) manipulate web pages through DOMAPI, 3) support complex interactive effects such as animation and drag-and-drop, 4) optimize performance and best practices to improve user experience.

C and JavaScript: The Connection ExplainedApr 23, 2025 am 12:07 AM

C and JavaScript achieve interoperability through WebAssembly. 1) C code is compiled into WebAssembly module and introduced into JavaScript environment to enhance computing power. 2) In game development, C handles physics engines and graphics rendering, and JavaScript is responsible for game logic and user interface.

From Websites to Apps: The Diverse Applications of JavaScriptApr 22, 2025 am 12:02 AM

JavaScript is widely used in websites, mobile applications, desktop applications and server-side programming. 1) In website development, JavaScript operates DOM together with HTML and CSS to achieve dynamic effects and supports frameworks such as jQuery and React. 2) Through ReactNative and Ionic, JavaScript is used to develop cross-platform mobile applications. 3) The Electron framework enables JavaScript to build desktop applications. 4) Node.js allows JavaScript to run on the server side and supports high concurrent requests.

Python vs. JavaScript: Use Cases and Applications ComparedApr 21, 2025 am 12:01 AM

Python is more suitable for data science and automation, while JavaScript is more suitable for front-end and full-stack development. 1. Python performs well in data science and machine learning, using libraries such as NumPy and Pandas for data processing and modeling. 2. Python is concise and efficient in automation and scripting. 3. JavaScript is indispensable in front-end development and is used to build dynamic web pages and single-page applications. 4. JavaScript plays a role in back-end development through Node.js and supports full-stack development.

The Role of C/C in JavaScript Interpreters and CompilersApr 20, 2025 am 12:01 AM

C and C play a vital role in the JavaScript engine, mainly used to implement interpreters and JIT compilers. 1) C is used to parse JavaScript source code and generate an abstract syntax tree. 2) C is responsible for generating and executing bytecode. 3) C implements the JIT compiler, optimizes and compiles hot-spot code at runtime, and significantly improves the execution efficiency of JavaScript.

JavaScript in Action: Real-World Examples and ProjectsApr 19, 2025 am 12:13 AM

JavaScript's application in the real world includes front-end and back-end development. 1) Display front-end applications by building a TODO list application, involving DOM operations and event processing. 2) Build RESTfulAPI through Node.js and Express to demonstrate back-end applications.

JavaScript and the Web: Core Functionality and Use CasesApr 18, 2025 am 12:19 AM

The main uses of JavaScript in web development include client interaction, form verification and asynchronous communication. 1) Dynamic content update and user interaction through DOM operations; 2) Client verification is carried out before the user submits data to improve the user experience; 3) Refreshless communication with the server is achieved through AJAX technology.

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Assassin's Creed Shadows: Seashell Riddle Solution

4 weeks agoByDDD

What's New in Windows 11 KB5054979 & How to Fix Update Issues

3 weeks agoByDDD

Where to find the Crane Control Keycard in Atomfall

4 weeks agoByDDD

Roblox: Dead Rails - How To Complete Every Challenge

1 months agoByDDD

Atomfall guide: item locations, quest guides, and tips

1 months agoByDDD

Hot Tools

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.