The attack originated in China and used Chinese mobile users

Sep 27, 2015 11:44 GMT  ·  By

CloudFlare's administrators report that a DDoS attack against their infrastructure was detected and that it involved an advertising network and unsuspecting users visiting ordinary websites where malicious ads were being shown.

The attack lasted only a few hours but reached a peak volume of 275,000 HTTP requests per second. The company also reports that it mitigated the attack without any downtime for the targeted site.

CloudFlare speculates that this was a new type of DDoS, one that used ad networks and unsuspecting users as its traffic source.

The attack funneled real traffic from real persons

The company's researchers suspect that random users browsing the Web from desktop or mobile browsers were served an iframe containing an ad.

The iframe requested the ad's content from the advertising network, which in turn requested the ad's content from the servers of the person who won that particular ad placement bid.

Unbeknownst to the user and the ad network, the winner of the bid (the attacker) served a malicious ad containing JavaScript that fired XHR (Ajax) requests at the victim, in this case a website hosted on CloudFlare's infrastructure.

The attack originated from China

The approach was innovative: according to CloudFlare, the attack did not involve TCP packet injection, so the requests looked like real day-to-day traffic.

After analyzing millions of log lines, CloudFlare says that 99.8% of the traffic came from Chinese IP addresses. The attackers may also be from the same country, mainly because the comments left in the malicious JavaScript were also in Chinese.

72% of the users were on a mobile device, 23% used a desktop browser, and 5% were surfing the Web from a tablet. Additionally, many user-agent strings hinted that the traffic came from mobile apps rather than Web browsers.
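A defender-side illustration of the kind of log pass described above, added here as an example and not CloudFlare's code: it buckets requests by client type from the User-Agent and flags any second whose request count exceeds a threshold, reporting how many distinct source IPs contributed. The log format, the User-Agent keywords and the sample lines are all assumptions constructed for the example.

```python
"""Classify access-log lines by client type and flag per-second request spikes.

Constructed example, not CloudFlare's code: the log format and User-Agent
keywords are assumptions; the sample lines below are made up."""
import re
from collections import Counter, defaultdict

# Assumed format: ip [timestamp-to-the-second] "request" status "user-agent"
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "[^"]*" (\d{3}) "([^"]*)"$')

SAMPLE_LOG = [  # constructed lines; 203.0.113.0/24 is a documentation range
    '203.0.113.5 [27/Sep/2015:10:00:01] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/45.0"',
    '203.0.113.6 [27/Sep/2015:10:00:01] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Linux; Android 5.1) Mobile Safari"',
    '203.0.113.7 [27/Sep/2015:10:00:02] "GET / HTTP/1.1" 200 "Mozilla/5.0 (iPad; CPU OS 9_0) Mobile Safari"',
    '203.0.113.8 [27/Sep/2015:10:00:02] "GET / HTTP/1.1" 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0) Mobile"',
    '203.0.113.9 [27/Sep/2015:10:00:02] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Linux; Android 4.4) Mobile"',
    '203.0.113.10 [27/Sep/2015:10:00:02] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Linux; Android 6.0) Mobile"',
    "not a log line at all",
]

def classify_ua(ua):
    """Bucket a User-Agent as tablet, mobile or desktop. Tablets are checked
    first because iPad/Android tablet strings also contain 'Mobile'/'Android'."""
    u = ua.lower()
    if "ipad" in u or "tablet" in u:
        return "tablet"
    if "mobile" in u or "android" in u or "iphone" in u:
        return "mobile"
    return "desktop"

def analyze(lines, rps_threshold):
    """Return (client-type shares in percent, spikes); a spike is a
    (timestamp, requests, distinct source IPs) tuple for each second above
    rps_threshold. Many distinct IPs per busy second points at a crowd of
    unwitting browsers rather than a single noisy client."""
    per_second = defaultdict(list)
    per_type = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the whole pass
        ip, ts, _status, ua = m.groups()
        per_second[ts].append(ip)
        per_type[classify_ua(ua)] += 1
    total = sum(per_type.values())
    shares = {k: round(100.0 * v / total, 1) for k, v in per_type.items()} if total else {}
    spikes = [(ts, len(ips), len(set(ips))) for ts, ips in sorted(per_second.items())
              if len(ips) > rps_threshold]
    return shares, spikes
```

Calling `analyze(SAMPLE_LOG, 3)` on the constructed lines reports a mobile-heavy client mix and a single busy second fed by four distinct source addresses.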

[Figure: DDoS attack evolution in time]

[Figure: Ad network used to carry out DDoS attack]