Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Black Hat: How to create a massive DDoS botnet using cheap online ads

Tim Greene | Aug. 2, 2013
The bad news is if you click on the wrong online ad, your browser can be immediately enlisted in a botnet carrying out a denial of service attack to take down Web sites.

The bad news is if you click on the wrong online ad, your browser can be immediately enlisted in a botnet carrying out a denial of service attack to take down Web sites.

The good news is that as soon as you move on to another Web site, the browser is released with no harm done, according to researchers who revealed the hack at the Black Hat security conference.

"Who's problem is this?" says Jeremiah Grossman, CEO of White Hat Labs and one of the researchers. "Browsers? Ad networks? Who fixes this?"

The bot-herding scheme relies on the fact that when a browser connects to a Web site, the site has near-complete control of the browser for as long as it's on that page. It can run code from HTML to JavaScript in the browser that can set off a whole string of possible attacks, he says.

In the case of creating an on-the-fly botnet, Grossman and his associate Matt Johansen placed JavaScript within ads that they placed on Web pages via an advertising network. They paid to have the ad garner a certain number of clicks. The cost of a million-browser botnet is about $150, he says.

The JavaScript made the hijacked browser make repeated requests to a target Web server in an effort to overwhelm it. For the test it was the researchers' own Apache server hosted in the Amazon cloud.

Each browser could generate six HTML requests at a time due to a connection limit set in the browser in order to maintain performance and stability. If the JavaScript instructed that the browsers make FTP requests instead, the number jumps to 100 requests or more, Grossman says.

"To scale [the botnet] up you need to get a lot of browsers running it," he says.

Adding arbitrary JavaScript to ads is easy to do and in the experience of the researchers wasn't checked very closely by the ad network. To make it more convenient to change the malicious script, rather than placing the script itself in the ad, they put in the script source. That way they could alter the script on their own servers and have the changes picked up by the ad without having to deal with the ad network again, Johansen says.

The researchers paid the ad network to distribute their ad and within 18 hours it was generating 8.1 million requests to the server coming in fast enough to take it down. That was using HTTP requests six at a time without using the FTP bypass, Grossman says. Since the users whose browsers were enlisted to the botnet were unwitting, they didn't want to make any changes to the browsers, he says.

 

1  2  Next Page 

Sign up for Computerworld eNewsletters.