Method of creating a botnet to carry out a DDoS attack

Creating a botnet to carry out Distributed Denial of Service attacks (DDoS), is simpler than many people realise. Recently, Incapsula reported an attack they uncovered that involved a profile image associated with comments on a webpage in order to get the user’s browser to carry out a DDoS attack on a target site.

The attacker first injected JavaScript code into the image tag associated with his profile image. He then made comments on the site – the infected image being used as an avatar. When other users navigated to the site, their browser automatically triggers the JavaScript code. When executed, the code creates a hidden iframe on the page, linking to the attackers Command and Control server (C&C), to establish target sites for the DDoS attack. The iframe then sends a GET requests to the target server to conduct the DDoS attack.

A DDoS attack requires a large number of GET requests sent over a short period. This attack reported by Incapsula, sent one GET request to the target site every second. The infected images were placed on a video download site – if unsuspecting users viewed a video for say 30 minutes – every second during that period a GET message was sent to the target site. By placing his infected image on a number of pages hosting different popular videos, the attacker caused 22,000 users to issue a total of 20 million GET requests.

Jeremiah Grossman and Matt Johansen from WhiteHat Security have shown that by bypassing the connection limits of the browser, it is possible for an attacker to scale up and increase the number of simultaneous connections and send out a higher rate of GET requests. They believe that it is possible to send up to 10,000 GET requests per minute from each browser that has been compromised.

These researchers have also shown that this attack can be easily launched through online advertisements. They calculate that it would cost around $500 advertising spend to infect and create a botnet of 1 million browsers. With each browser sending 10,000 GET requests per minute, it would be a most formidable DDoS attack.

When the browser navigates away from the page containing the infected JavaScript, the iframe and the code is automatically removed from the browser with no trace. No malware is left on the PC from this attack – it is a leave-no-trace attack.

In addition to using the botnet to launch a DDoS attack, it is also possible to use it for other purposes such as password hash cracking.

There is no browser-side patch for this attack. Browsers are designed to execute code in this manner. The use of an ad blocker will prevent your browser unwittingly joining a botnet through advertisements.

The ease with which a botnet such as described can be created, would indicate that we can expect this method to be used more often in the future in DDoS attacks.

Leave a Reply

%d bloggers like this: