Even the biggest websites in the world are vulnerable to DDoS. Want proof?
Well, throughout this past April, a hacker took advantage of a hole in Sohu.com’s security to launch Persistent Cross-Site Scripting (XSS) attacks against various targets across the globe.
Sohu.com, in case you don’t know, is one of the largest websites in the world – in fact 24th largest, according to Alexa Top 100 Ranking.
But for all its size and multi-billion-dollar net worth, Sohu could still be exploited by hackers, who managed to convert its popularity into a massive Persistent-XSS-enabled DDoS attack.
Devastating New DDoS Attack Method
At its core, Persistent XSS is a crafty type of malicious code injection. The attacker convinces a server to store data from an outside source (the hacker) and then serve that stored data to every new browser that loads the page.
In this attack, the hacker stored on Sohu’s server a JS script that runs a DDoS tool.
To do this, he placed a malicious JS script within the avatar image of a fabricated user profile. As with most video sites, this infected user picture would then show up next to any comments written by this profile on Sohu’s video pages.
The hacker was smart enough to write a JS script that would hijack every new browser that loaded a video page containing the infected comment, forcing it to send DDoS traffic to the target site.
The hacker programmed the script to send GET requests to the target once a second. Imagine: thousands of users watching a video on Sohu, each sending malicious GET requests every second. These bad requests add up fast, growing to millions every minute.
Interestingly enough, the hacker also had the brains to post his infected comment on the most popular and longest-playing videos, so that viewers would rack up DDoS requests even faster.
This large security event goes to show that even powerful websites can be manipulated by hackers.
The Wrong Target
Unfortunately for the hacker, he picked the wrong site to DDoS.
As it happens, his target was a client of Incapsula, an experienced DDoS protection service.
When the target site began receiving heavy spikes of GET requests, Incapsula’s team quickly identified the suspicious traffic using a series of progressive identity challenges and behavioral measures. Because the bad traffic was filtered before it reached the server, the client’s website continued operating smoothly without interruption.
To put an end to the flow of bad traffic, Incapsula’s defense team decided to follow the GET requests back to their source. They hijacked one of the bad requests and replaced data in the target URL with some JS code of their own, which tracked the request back to Sohu. Incapsula informed Sohu’s security team, who quickly patched the hole that allowed the Persistent XSS.
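As an added illustration, not part of the original post and not Incapsula’s tooling, the following Python script shows how a defender could spot this kind of browser-driven DDoS in ordinary web server access logs: many distinct client IPs that all carry the same Referer host (the page hosting the poisoned comment) and each send one request about every second for as long as the video plays. It assumes the hijacked browsers send a Referer header; the hostnames, IPs and log lines are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from urllib.parse import urlparse

# Apache/nginx "combined" log format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def parse_line(line):
    """Return (ip, timestamp, referer_host) or None if the line is unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, urlparse(m["referer"]).hostname  # hostname is None for "-"

def flag_browser_ddos(lines, min_clients=3, interval_s=1.0, jitter_s=0.25):
    """Map Referer host -> number of distinct clients hitting us at a steady cadence.

    A stored-XSS DDoS looks like many distinct IPs, all carrying the poisoned
    page's host as Referer, each firing one request every `interval_s` seconds.
    """
    by_host = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2]:
            by_host[rec[2]][rec[0]].append(rec[1])
    findings = {}
    for host, clients in by_host.items():
        steady = 0
        for stamps in clients.values():
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if len(gaps) < 2:
                continue  # too few requests to judge cadence
            if abs(sum(gaps) / len(gaps) - interval_s) <= jitter_s and pstdev(gaps) <= jitter_s:
                steady += 1
        if steady >= min_clients:
            findings[host] = steady
    return findings

# Constructed sample log (not real traffic): three viewers of the poisoned video
# page each fire a request every second; one ordinary visitor browses normally.
def _line(ip, sec, referer):
    return (f'{ip} - - [15/Apr/2013:10:00:{sec:02d} +0000] "GET / HTTP/1.1" '
            f'200 512 "{referer}" "Mozilla/5.0"')
POISONED_PAGE = "http://tv.example-video-site.test/watch/123"  # placeholder host
SAMPLE_LOG = [_line(ip, s, POISONED_PAGE) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3") for s in range(4)]
SAMPLE_LOG += [_line("10.0.0.9", s, "http://www.example.test/") for s in (0, 7)]
```

Running `flag_browser_ddos(SAMPLE_LOG)` on the constructed log returns `{'tv.example-video-site.test': 3}`, naming the host to contact, which is the same conclusion the team above reached by tracing a request back to Sohu.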
Where Will the Next Attack Come From?
It’s difficult to say. This case study shows that hackers will use whatever means necessary to take down their targets. Without third-party protection services, most websites can only defend against what they’ve already seen: they can only react after they have been hit. In this instance, the hacker was clever enough to fly under the radar and avoid detection by Sohu’s watchful IT team.
If the hacker had chosen a target without a DDoS protection service, Sohu might still be a giant DDoS machine wreaking havoc on innocent websites.