A brief discussion on the principles and defense of DDoS attacks using JavaScript_javascript skills

Distributed Denial of Service (DDoS) attack is one of the oldest and most common attacks against websites. Nick Sullivan is a systems engineer at CloudFlare, a provider of website acceleration and security services. Recently, he wrote an article introducing how attackers use malicious websites, server hijacking and man-in-the-middle attacks to launch DDoS attacks, and explained how to use HTTPS and the upcoming technology called "Subresource Integrity (Subresource Integrity)" SRI)' new web technology protects websites from attacks.

Most interactions on modern websites come from JavaScript. Websites implement interactive functionality by adding JavaScript code directly to HTML or loading JavaScript from a remote location through the HTML element 9be8c280d3dc51bb61988971f6c2aa5c. JavaScript can issue HTTP(S) requests to load web page content asynchronously, but it can also turn the browser into a weapon for attackers. For example, the following code can flood a compromised website with requests:

  function imgflood() { 
   var TARGET = 'victim-website.com'
   var URI = '/index.php?'
   var pic = new Image()
   var rand = Math.floor(Math.random() * 1000)
   pic.src = 'http://'+TARGET+URI+rand+'=val'
  }
  setInterval(imgflood, 10)

The above script will create 10 image tags on the page every second. The tag points to "victim-website.com" with a random query parameter. If the user visits a malicious website that contains this code, then he will unknowingly participate in a DDoS attack on "victim-website.com", as shown in the figure below:

Many websites use a common set of JavaScript libraries. To save bandwidth and improve performance, they use JavaScript libraries hosted by third parties. jQuery is the most popular JavaScript library on the web, used by approximately 30% of websites as of 2014 . Other popular libraries include Facebook SDK and Google Analytics. If a website contains a script tag that points to a JavaScript file hosted by a third party, all visitors to the website will download the file and execute it. If an attacker compromises such a server hosting a JavaScript file and adds DDoS code to the file, then all visitors will become part of the DDoS attack. This is server hijacking, as shown in the figure below:

This attack works because there is a missing mechanism in HTTP that would allow websites to disable tampered scripts from running. To solve this problem, W3C has proposed adding a new feature, subresource consistency. This feature allows a website to tell the browser to run a script only if the script it downloads matches the script the website wants to run. This is achieved through password hashing, the code is as follows:

  <script src="https://code.jquery.com/jquery-1.10.2.min.js" 
  integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg=" 
  crossorigin="anonymous">

A password hash uniquely identifies a block of data, and no two files will have the same password hash. The integrity attribute provides the password hash of the script file the website wishes to run. After the browser downloads the script, it calculates its hash and then compares the resulting value with the value provided by integrity. If it doesn't match, the target script has been tampered with and the browser won't use it. However, many browsers do not currently support this feature, and Chrome and Firefox are adding support for this feature.

Man-in-the-middle attack is the latest way for attackers to insert malicious JavaScript code into websites. When accessing a website through a browser, it passes through many nodes. If any intermediate node adds malicious code to the web page, it will form a man-in-the-middle attack, as shown in the figure below:

Encryption technology can completely block this code injection. With HTTPS, all communications between the browser and the web server are encrypted and authenticated, preventing third parties from modifying the web page during transmission. Therefore, setting the website to HTTPS-only, keeping the certificate and verifying the certificate can effectively prevent man-in-the-middle attacks.

When replying to netizen comments, Nick pointed out that SRI and HTTPS complement each other, and using both at the same time can provide better protection for the website. In addition to the above methods, using some anti-DDoS security products to strengthen protection is also an option.