Browser-based Layer 7 DDoS: inside the Chinese smartphone ad attack


DDoS mitigation specialist CloudFlare has revealed that, when it comes to the browser-based attack surface, theory has once again turned into reality, with an attack launched from Chinese smartphones.

How does 275,000 HTTP requests per second grab you? Or, put another way, some 4.5 billion requests in a single day against a single domain. By any measure, that’s one heck of a denial of service attack right there. That it originated from a botnet of more than 600,000 unique IPs only adds to the intrigue, especially when the vast majority of the traffic (some 80 per cent) was coming by way of mobile devices. Most of them, 98 per cent, based in China.

Simply put, the smartphone browser was served an iframe as the container for the advert, complete with malicious JavaScript code. This then caused the mobile device to start flooding the target domain with XMLHttpRequest (XHR) requests, an API available to browser scripting languages.

So what is a Layer 7 DDoS attack, then? The clue is writ large in the name: anyone familiar with the Open Systems Interconnection (OSI) network model will immediately know that layer 7 is the application layer. I’m not going to go into great detail about the OSI model, as there’s plenty of information out there and Wikipedia is probably as good a place as any to start if you want to dig into it, but suffice to say it’s a framework of seven layers that between them are responsible for transporting data from the client to the server and back again. Importantly, each of these layers carries out an assigned function and is essentially its own protocol. Layer 7, as already mentioned, is the application layer, and a DDoS attack here can be hard to spot because the requests mimic human behaviour quite well in how they interact with the application. Theoretically, a Layer 7 DDoS attack might target an individual website element, such as a logo, and keep downloading it.

According to CloudFlare engineer Marek Majkowski, a number of things in the headers of the request, or rather of the millions of requests, flagged the flood in this case. Firstly, it looked legitimate: proper requests issued by real browsers are less common than the norm, which is floods “with weird Accept-Language or User-Agent headers” that Majkowski says are issued by Python or Ruby scripts.

Then there was the fact that this was a POST with an Origin header, issued by an Ajax (XHR) cross-origin call, and a Referer pointing to the website issuing the queries against the server. This was a browser-based L7 flood in action, using malicious JavaScript to hook visiting browsers into becoming part of the attack; because any device with a browser can be enrolled, in this case smartphones in China, the potential attack volume is all but unlimited.
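As an added illustration (not code from the article or from CloudFlare), the following Python sketch applies those header signals to constructed access-log records: it flags POSTs that carry an Origin header naming a different site, with a Referer pointing back at that same site, then reports how many such requests there were, their peak per-second rate, and which sites are driving them. The JSON-lines log format, field names and host names are assumptions.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed sample access-log records in a hypothetical JSON-lines format.
# Three are cross-origin XHR POSTs from a page on an assumed ad-serving host;
# one is an ordinary same-origin GET from a real visitor.
SAMPLE_LOG = """
{"ts": 1, "method": "POST", "host": "victim.example", "path": "/", "origin": "http://ads.example", "referer": "http://ads.example/frame.html", "ua": "Mozilla/5.0 (Linux; Android 5.1) Mobile", "accept_language": "zh-CN,zh;q=0.8"}
{"ts": 1, "method": "POST", "host": "victim.example", "path": "/", "origin": "http://ads.example", "referer": "http://ads.example/frame.html", "ua": "Mozilla/5.0 (Linux; Android 4.4) Mobile", "accept_language": "zh-CN,zh;q=0.8"}
{"ts": 2, "method": "GET", "host": "victim.example", "path": "/about", "origin": "", "referer": "http://victim.example/", "ua": "Mozilla/5.0 (Windows NT 10.0)", "accept_language": "en-GB,en;q=0.9"}
{"ts": 2, "method": "POST", "host": "victim.example", "path": "/", "origin": "http://ads.example", "referer": "http://ads.example/frame.html", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4) Mobile", "accept_language": "zh-CN"}
"""

def is_cross_origin_xhr_post(rec):
    """True when a record matches the fingerprint described in the article:
    a POST carrying an Origin header (browsers add it to cross-origin XHR)
    whose host differs from the target, and a Referer on that same foreign
    host, i.e. the page hosting the script."""
    if rec["method"] != "POST" or not rec["origin"]:
        return False
    origin_host = urlparse(rec["origin"]).hostname
    referer_host = urlparse(rec["referer"]).hostname if rec["referer"] else None
    return origin_host != rec["host"] and referer_host == origin_host

def summarise_flood(log_text):
    """Count suspect requests, their peak per-second rate, and the hosts
    whose pages are driving them (the distribution vector to block or
    rate-limit on)."""
    per_second = Counter()
    sources = Counter()
    suspects = 0
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if not is_cross_origin_xhr_post(rec):
            continue
        suspects += 1
        per_second[rec["ts"]] += 1
        sources[urlparse(rec["referer"]).hostname] += 1
    peak = max(per_second.values(), default=0)
    return {"suspects": suspects, "peak_rps": peak, "sources": sources}

if __name__ == "__main__":
    print(summarise_flood(SAMPLE_LOG))
```

On real traffic the same Origin/Referer pairing is what a rate limit or block rule would key on, since legitimate same-origin browsing never sets a foreign Origin on a POST to the site.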

It was this attack volume that really attracted the attention of Majkowski and CloudFlare, as creating the JavaScript code isn’t that difficult but distributing it in any meaningful quantity is. “An efficient distribution vector is crucial in issuing large floods,” Majkowski says, “up until now I haven’t seen many sizable browser-based floods.” Peaking at more than 275,000 HTTP requests per second, this certainly qualified as large!

Although Majkowski admits that explaining the distribution vector involved is speculative in nature, CloudFlare is pretty confident that the attack didn’t involve TCP packet injection but rather that it used an ad network (see his technical blog post for the reasoning). What’s rather worrying is that the malicious advert would most likely have been served up by an ad network on an ‘auction’ basis. In other words, the bad guys have bid high and splashed the cash as an investment. They know that if they pay enough then the distribution will be great enough for the attack to work. Exactly how they hope to monetise this is unclear, although speculation must rest at the blackmail end of the spectrum, I would imagine.

There’s no doubting that if this Layer 7 DDoS attack is the start of a trend, then it is bad news for the smaller web operators as it’s a pig to defend against without some serious infrastructure in place. And a trend it could well be. The notorious DD4BC attack group has already been noted to be “incorporating a Layer 7 attack as part of a multi-vector attack” for example. That said, our general DDoS mitigation advice still stands – especially the bit about using a cloud-based mitigation network. Oh, and at the risk of a little controversy, you could always disable JavaScript as well, which would have stopped this one in its tracks.