Researchers have uncovered a recent denial-of-service attack that employed an unusual, if not unprecedented, technique to surreptitiously cause thousands of everyday Internet users to bombard the target with a massive amount of junk traffic.
The attack worked by exploiting a Web application vulnerability on one of the biggest and most popular video sites on the Web, according to a blog post published recently by researchers at security firm Incapsula, which declined to identify the site by name. Malicious JavaScript embedded inside the image icons of accounts created by the attackers caused anyone viewing the users' posts to run attack code that instructed their browser to send one Web request per second to the DoS victim. In all, the technique caused 22,000 ordinary Web users to unwittingly flood the target with 20 million GET requests.
"Obviously one request per second is not a lot," Incapsula researchers Ronen Atias and Ofer Gayer wrote. "However, when dealing with video content of 10, 20, and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos."