


A brief discussion on the principles and defense of DDoS attacks using JavaScript_javascript skills
Distributed Denial of Service (DDoS) attack is one of the oldest and most common attacks against websites. Nick Sullivan is a systems engineer at CloudFlare, a provider of website acceleration and security services. Recently, he wrote an article introducing how attackers use malicious websites, server hijacking and man-in-the-middle attacks to launch DDoS attacks, and explained how to use HTTPS and the upcoming technology called "Subresource Integrity (Subresource Integrity)" SRI)' new web technology protects websites from attacks.
Most interactions on modern websites come from JavaScript. Websites implement interactive functionality by adding JavaScript code directly to HTML or loading JavaScript from a remote location through the HTML element
function imgflood() { var TARGET = 'victim-website.com' var URI = '/index.php?' var pic = new Image() var rand = Math.floor(Math.random() * 1000) pic.src = 'http://'+TARGET+URI+rand+'=val' } setInterval(imgflood, 10)
The above script will create 10 image tags on the page every second. The tag points to "victim-website.com" with a random query parameter. If the user visits a malicious website that contains this code, then he will unknowingly participate in a DDoS attack on "victim-website.com", as shown in the figure below:
Many websites use a common set of JavaScript libraries. To save bandwidth and improve performance, they use JavaScript libraries hosted by third parties. jQuery is the most popular JavaScript library on the web, used by approximately 30% of websites as of 2014 . Other popular libraries include Facebook SDK and Google Analytics. If a website contains a script tag that points to a JavaScript file hosted by a third party, all visitors to the website will download the file and execute it. If an attacker compromises such a server hosting a JavaScript file and adds DDoS code to the file, then all visitors will become part of the DDoS attack. This is server hijacking, as shown in the figure below:
This attack works because there is a missing mechanism in HTTP that would allow websites to disable tampered scripts from running. To solve this problem, W3C has proposed adding a new feature, subresource consistency. This feature allows a website to tell the browser to run a script only if the script it downloads matches the script the website wants to run. This is achieved through password hashing, the code is as follows:
<script src="https://code.jquery.com/jquery-1.10.2.min.js" integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=" crossorigin="anonymous">
A password hash uniquely identifies a block of data, and no two files will have the same password hash. The integrity attribute provides the password hash of the script file the website wishes to run. After the browser downloads the script, it calculates its hash and then compares the resulting value with the value provided by integrity. If it doesn't match, the target script has been tampered with and the browser won't use it. However, many browsers do not currently support this feature, and Chrome and Firefox are adding support for this feature.
Man-in-the-middle attack is the latest way for attackers to insert malicious JavaScript code into websites. When accessing a website through a browser, it passes through many nodes. If any intermediate node adds malicious code to the web page, it will form a man-in-the-middle attack, as shown in the figure below:
Encryption technology can completely block this code injection. With HTTPS, all communications between the browser and the web server are encrypted and authenticated, preventing third parties from modifying the web page during transmission. Therefore, setting the website to HTTPS-only, keeping the certificate and verifying the certificate can effectively prevent man-in-the-middle attacks.
When replying to netizen comments, Nick pointed out that SRI and HTTPS complement each other, and using both at the same time can provide better protection for the website. In addition to the above methods, using some anti-DDoS security products to strengthen protection is also an option.

Yes, the engine core of JavaScript is written in C. 1) The C language provides efficient performance and underlying control, which is suitable for the development of JavaScript engine. 2) Taking the V8 engine as an example, its core is written in C, combining the efficiency and object-oriented characteristics of C. 3) The working principle of the JavaScript engine includes parsing, compiling and execution, and the C language plays a key role in these processes.

JavaScript is at the heart of modern websites because it enhances the interactivity and dynamicity of web pages. 1) It allows to change content without refreshing the page, 2) manipulate web pages through DOMAPI, 3) support complex interactive effects such as animation and drag-and-drop, 4) optimize performance and best practices to improve user experience.

C and JavaScript achieve interoperability through WebAssembly. 1) C code is compiled into WebAssembly module and introduced into JavaScript environment to enhance computing power. 2) In game development, C handles physics engines and graphics rendering, and JavaScript is responsible for game logic and user interface.

JavaScript is widely used in websites, mobile applications, desktop applications and server-side programming. 1) In website development, JavaScript operates DOM together with HTML and CSS to achieve dynamic effects and supports frameworks such as jQuery and React. 2) Through ReactNative and Ionic, JavaScript is used to develop cross-platform mobile applications. 3) The Electron framework enables JavaScript to build desktop applications. 4) Node.js allows JavaScript to run on the server side and supports high concurrent requests.

Python is more suitable for data science and automation, while JavaScript is more suitable for front-end and full-stack development. 1. Python performs well in data science and machine learning, using libraries such as NumPy and Pandas for data processing and modeling. 2. Python is concise and efficient in automation and scripting. 3. JavaScript is indispensable in front-end development and is used to build dynamic web pages and single-page applications. 4. JavaScript plays a role in back-end development through Node.js and supports full-stack development.

C and C play a vital role in the JavaScript engine, mainly used to implement interpreters and JIT compilers. 1) C is used to parse JavaScript source code and generate an abstract syntax tree. 2) C is responsible for generating and executing bytecode. 3) C implements the JIT compiler, optimizes and compiles hot-spot code at runtime, and significantly improves the execution efficiency of JavaScript.

JavaScript's application in the real world includes front-end and back-end development. 1) Display front-end applications by building a TODO list application, involving DOM operations and event processing. 2) Build RESTfulAPI through Node.js and Express to demonstrate back-end applications.

The main uses of JavaScript in web development include client interaction, form verification and asynchronous communication. 1) Dynamic content update and user interaction through DOM operations; 2) Client verification is carried out before the user submits data to improve the user experience; 3) Refreshless communication with the server is achieved through AJAX technology.


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool

SublimeText3 Chinese version
Chinese version, very easy to use

MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

Atom editor mac version download
The most popular open source editor
