People have grown so dependent on websites to shop, travel, and socialize that we often forget how easy it is to slow or completely shut down the underlying server. A case in point is a new lightweight script that causes many websites to falter.
Dubbed FlashFlood, the looped JavaScript bombards a website with requests in a way that bypasses server defenses designed to protect against crashes. It can be run from computers with modest bandwidth and hardware resources. Researchers from security firm WhiteHat Security said attackers could lure unwitting participants into taking part in denial-of-service attacks, through cross-site scripting (XSS) attacks, or by tricking large numbers of people into visiting an innocuous-looking link. In a blog post published Tuesday, they wrote:
It works by sending tons of HTTP requests using different parameter value pairs each time, to bypass caching servers like Varnish. Ultimately it’s not a good idea to ever use this kind of code as an adversary because it would be flooding from their own IP address. So instead this is much more likely to be used by an adversary who tricks a large swath of people into executing the code. And as Matt points out in the video, it’s probably going to end up in XSS code at some point.
FlashFlood is particularly potent against heavy database-driven sites if they rely on caching to protect themselves. Many sites running on Drupal are a good example. The researchers estimate it would take anywhere from four to 40 machines to take down an average Apache system. "I've run into the problem before where people seem to not understand how this works, or even that it's possible to do this, despite multiple attempts at trying to explain it multiple times," WhiteHat Security researcher Robert Hansen wrote.