Browser-based Layer 7 DDoS: inside the Chinese smartphone ad attack
DDoS mitigation specialist CloudFlare has revealed that, when it comes to the attack surface, theory has once again turned into reality with an attack launched from Chinese smartphones.
How does 275,000 HTTP requests per second grab you? Or, put another way, some 4.5 billion requests in a single day against a single domain. By any measure, that’s one heck of a denial of service attack right there. That it originated from a botnet of more than 600,000 unique IPs only adds to the intrigue, especially when the vast majority of the traffic (some 80 per cent) was coming by way of mobile devices. Most of them, 98 per cent, were based in China.
So what is a Layer 7 DDoS attack, then? The clue is writ large in the name: anyone familiar with the Open Systems Interconnection (OSI) network model will immediately know that layer 7 is the application layer. I’m not going to go into great detail about the OSI model; there’s plenty of information out there, and Wikipedia is probably as good a place as any to start if you want to dig into it. Suffice to say it’s a framework consisting of seven layers that between them are responsible for transporting data from the client to the server and back again. Importantly, each of these layers carries out an assigned function and is essentially its own protocol. Layer 7, as already mentioned, is the application layer, and a DDoS attack here can be hard to spot because the requests mimic human interaction with the UI quite well. Theoretically, a Layer 7 DDoS attack might target an individual website element, such as a logo, and keep downloading it.
According to CloudFlare engineer Marek Majkowski, a number of things about the headers of the request, or rather of millions of requests, drew attention to the flood in this case. First, it looked legitimate: the requests were issued by real browsers, whereas floods more commonly arrive “with weird Accept-Language or User-Agent headers” that, Majkowski says, are the signature of Python or Ruby scripts.
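To make that header tell concrete, here is an added example (not code from the article or from CloudFlare) that profiles a few constructed access-log lines: it measures request rate, source spread and the share of script-like User-Agent or missing Accept-Language headers, so a flood whose requests look like real browsers is still flagged on rate alone rather than slipping past the usual “weird UA” heuristic. The log format, thresholds and sample lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Combined Log Format with Accept-Language appended
# as a final quoted field; invented for this example, not taken from the page.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2015:10:00:01 +0000] "GET /logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 5.1; SM-G920F) AppleWebKit/537.36 Chrome/45.0 Mobile Safari/537.36" "zh-CN,zh;q=0.8"
203.0.113.11 - - [25/Sep/2015:10:00:01 +0000] "GET /logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.4; MI 3) AppleWebKit/537.36 Chrome/44.0 Mobile Safari/537.36" "zh-CN,zh;q=0.8"
203.0.113.12 - - [25/Sep/2015:10:00:01 +0000] "GET /logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 Mobile/12H143 Safari/600.1.4" "zh-CN"
198.51.100.7 - - [25/Sep/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "python-requests/2.7.0" ""
203.0.113.10 - - [25/Sep/2015:10:00:02 +0000] "GET /logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 5.1; SM-G920F) AppleWebKit/537.36 Chrome/45.0 Mobile Safari/537.36" "zh-CN,zh;q=0.8"
192.0.2.5 - - [25/Sep/2015:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/45.0 Safari/537.36" "en-US,en;q=0.5"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$'
)
SCRIPT_UA = re.compile(r'python|ruby|curl|wget|urllib', re.I)  # the "weird UA" tell
MOBILE_UA = re.compile(r'Mobile|Android|iPhone')

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def profile(rows):
    """Summarise rate, source spread and how browser-like the request headers are."""
    total = len(rows)
    if total == 0:
        return None
    return {
        "total": total,
        "unique_ips": len({r["ip"] for r in rows}),
        "peak_rps": max(Counter(r["ts"] for r in rows).values()),  # timestamps have 1 s granularity
        "mobile_share": sum(1 for r in rows if MOBILE_UA.search(r["ua"])) / total,
        # a script-like UA or a missing Accept-Language marks a non-browser client
        "script_ua_share": sum(1 for r in rows if SCRIPT_UA.search(r["ua"]) or not r["lang"]) / total,
        "top_path": Counter(r["path"] for r in rows).most_common(1)[0],
    }

def classify(p, rps_threshold=3, max_script_share=0.2):
    """Decide on rate first, then whether the UA heuristic alone would have caught it."""
    if p is None or p["peak_rps"] < rps_threshold:
        return "normal"
    if p["script_ua_share"] > max_script_share:
        return "script-flood"
    return "browser-like-flood"  # real-browser headers, so only rate and spread give it away
```

On the constructed sample the verdict is "browser-like-flood": the burst peaks at four requests in one second from several mobile clients hammering one path, while only one request carries a script-like User-Agent.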
Although Majkowski admits that explaining the distribution vector involved is speculative in nature, CloudFlare is pretty confident that the attack didn’t involve TCP packet injection but rather that it used an ad network (see his technical blog post for the reasoning). What’s rather worrying is that the malicious advert was most likely served up by an ad network on an ‘auction’ basis. In other words, the bad guys have bid high and splashed the cash as an investment. They know that if they pay enough, the distribution will be great enough for the attack to work. Exactly how they hope to monetise this is unclear, although I would imagine speculation must rest at the blackmail end of the spectrum.