A brief discussion on the principles and defense of DDoS attacks using JavaScript

Home

Web Front-end

JS Tutorial

A brief discussion on the principles and defense of DDoS attacks using JavaScript_javascript skills

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

May 16, 2016 pm 03:56 PM

ddosjavascript

Distributed Denial of Service (DDoS) attack is one of the oldest and most common attacks against websites. Nick Sullivan is a systems engineer at CloudFlare, a provider of website acceleration and security services. Recently, he wrote an article introducing how attackers use malicious websites, server hijacking and man-in-the-middle attacks to launch DDoS attacks, and explained how to use HTTPS and the upcoming technology called "Subresource Integrity (Subresource Integrity)" SRI)' new web technology protects websites from attacks.

Most interactions on modern websites come from JavaScript. Websites implement interactive functionality by adding JavaScript code directly to HTML or loading JavaScript from a remote location through the HTML element

  function imgflood() { 
   var TARGET = 'victim-website.com'
   var URI = '/index.php&#63;'
   var pic = new Image()
   var rand = Math.floor(Math.random() * 1000)
   pic.src = 'http://'+TARGET+URI+rand+'=val'
  }
  setInterval(imgflood, 10)

The above script will create 10 image tags on the page every second. The tag points to "victim-website.com" with a random query parameter. If the user visits a malicious website that contains this code, then he will unknowingly participate in a DDoS attack on "victim-website.com", as shown in the figure below:

20156493325376.png (900×420)

Many websites use a common set of JavaScript libraries. To save bandwidth and improve performance, they use JavaScript libraries hosted by third parties. jQuery is the most popular JavaScript library on the web, used by approximately 30% of websites as of 2014 . Other popular libraries include Facebook SDK and Google Analytics. If a website contains a script tag that points to a JavaScript file hosted by a third party, all visitors to the website will download the file and execute it. If an attacker compromises such a server hosting a JavaScript file and adds DDoS code to the file, then all visitors will become part of the DDoS attack. This is server hijacking, as shown in the figure below:

20156493409662.png (900×586)

This attack works because there is a missing mechanism in HTTP that would allow websites to disable tampered scripts from running. To solve this problem, W3C has proposed adding a new feature, subresource consistency. This feature allows a website to tell the browser to run a script only if the script it downloads matches the script the website wants to run. This is achieved through password hashing, the code is as follows:

  <script src="https://code.jquery.com/jquery-1.10.2.min.js" 
  integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=" 
  crossorigin="anonymous">

A password hash uniquely identifies a block of data, and no two files will have the same password hash. The integrity attribute provides the password hash of the script file the website wishes to run. After the browser downloads the script, it calculates its hash and then compares the resulting value with the value provided by integrity. If it doesn't match, the target script has been tampered with and the browser won't use it. However, many browsers do not currently support this feature, and Chrome and Firefox are adding support for this feature.

Man-in-the-middle attack is the latest way for attackers to insert malicious JavaScript code into websites. When accessing a website through a browser, it passes through many nodes. If any intermediate node adds malicious code to the web page, it will form a man-in-the-middle attack, as shown in the figure below:

20156493514762.png (900×771)

Encryption technology can completely block this code injection. With HTTPS, all communications between the browser and the web server are encrypted and authenticated, preventing third parties from modifying the web page during transmission. Therefore, setting the website to HTTPS-only, keeping the certificate and verifying the certificate can effectively prevent man-in-the-middle attacks.

When replying to netizen comments, Nick pointed out that SRI and HTTPS complement each other, and using both at the same time can provide better protection for the website. In addition to the above methods, using some anti-DDoS security products to strengthen protection is also an option.

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

es6数组怎么去掉重复并且重新排序May 05, 2022 pm 07:08 PM

去掉重复并排序的方法：1、使用“Array.from(new Set(arr))”或者“[…new Set(arr)]”语句，去掉数组中的重复元素，返回去重后的新数组；2、利用sort()对去重数组进行排序，语法“去重数组.sort()”。

JavaScript的Symbol类型、隐藏属性及全局注册表详解Jun 02, 2022 am 11:50 AM

本篇文章给大家带来了关于JavaScript的相关知识，其中主要介绍了关于Symbol类型、隐藏属性及全局注册表的相关问题，包括了Symbol类型的描述、Symbol不会隐式转字符串等问题，下面一起来看一下，希望对大家有帮助。

原来利用纯CSS也能实现文字轮播与图片轮播！Jun 10, 2022 pm 01:00 PM

怎么制作文字轮播与图片轮播？大家第一想到的是不是利用js，其实利用纯CSS也能实现文字轮播与图片轮播，下面来看看实现方法，希望对大家有所帮助！

JavaScript对象的构造函数和new操作符（实例详解）May 10, 2022 pm 06:16 PM

本篇文章给大家带来了关于JavaScript的相关知识，其中主要介绍了关于对象的构造函数和new操作符，构造函数是所有对象的成员方法中，最早被调用的那个，下面一起来看一下吧，希望对大家有帮助。

JavaScript面向对象详细解析之属性描述符May 27, 2022 pm 05:29 PM

本篇文章给大家带来了关于JavaScript的相关知识，其中主要介绍了关于面向对象的相关问题，包括了属性描述符、数据描述符、存取描述符等等内容，下面一起来看一下，希望对大家有帮助。

javascript怎么移除元素点击事件Apr 11, 2022 pm 04:51 PM

方法：1、利用“点击元素对象.unbind("click");”方法，该方法可以移除被选元素的事件处理程序；2、利用“点击元素对象.off("click");”方法，该方法可以移除通过on()方法添加的事件处理程序。

整理总结JavaScript常见的BOM操作Jun 01, 2022 am 11:43 AM

本篇文章给大家带来了关于JavaScript的相关知识，其中主要介绍了关于BOM操作的相关问题，包括了window对象的常见事件、JavaScript执行机制等等相关内容，下面一起来看一下，希望对大家有帮助。

foreach是es6里的吗May 05, 2022 pm 05:59 PM

foreach不是es6的方法。foreach是es3中一个遍历数组的方法，可以调用数组的每个元素，并将元素传给回调函数进行处理，语法“array.forEach(function(当前元素,索引,数组){...})”；该方法不处理空数组。

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

2 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hello Kitty Island Adventure: How To Get Giant Seeds

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

How Long Does It Take To Beat Split Fiction?

4 weeks agoByDDD

R.E.P.O. Save File Location: Where Is It & How to Protect It?

4 weeks agoByDDD

Two Point Museum: All Exhibits And Where To Find Them

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Zend Studio 13.0.1

Powerful PHP integrated development environment

mPDF

mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),