Incapsula said that the Sohu.TV video streaming portion of the website was used to enable the DDoS attack.
The attack should serve as an object lesson to other tech giants. For instance, Google, with YouTube as its subsidiary, has an analogous business model. “While being relatively unfamiliar to Western audiences, Sohu (Chinese for ‘Search-fox’), is a local and global powerhouse,” wrote Incapsula security researchers Ofer Gayer and Ronen Atias, in a blog. “This rapidly growing $2.5 billion organization provides a variety of search and content solutions.”
Incapsula uncovered the source of the browser-based DDoS attack and the replicated persistent cross-site scripting (XSS) vulnerability that allowed it to occur, and the Sohu team responded with a rapid patch that fixed the security hole, rendering this particular browser-based botnet completely useless.
Sohu, as a high-profile video content provider, allows its users to sign in with their own profiles. The DDoS attack was enabled by a persistent XSS vulnerability that allowed the offender to inject JavaScript code into the image tag associated with the profile image. As a result, every time the image was used on one of the site’s pages (e.g., in the comment section), the malicious code was also embedded inside, waiting to be executed by each future visitor to that page.
As a result, each time a legitimate visitor landed on that page, his or her browser automatically executed the injected JavaScript, which in turn injected a hidden iframe tag with the address of the attacker's command-and-control domain. There, an Ajax-scripted DDoS tool hijacked the browser, forcing it to issue a DDoS request at a rate of one request per second.
The video is the key to success for this attack.
“Obviously one request per second is not a lot,” the researchers said. “However, when dealing with video content of 10, 20 and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively creating a self-sustaining botnet comprising 10s of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.”
By intercepting the malicious requests, Incapsula was able to track the source of the attack to Sohu by replacing the content of the target URL with a snippet of its own JavaScript.
While this issue is patched, the attackers could be gearing up for a new, and perhaps bigger, offensive.
“It should be noted that…the original DDoS tool on the attacker’s C&C domain was replaced with a much more robust version,” said Gayer and Atias. “This leads us to believe that what we saw yesterday was a sort of proof-of-concept test run. The current code is not only much more sophisticated, but it is also built for keeping track of the attack, for what seems like billing purposes. From the looks of it, someone is now using [this] to set up a chain of botnets for hire."