- Researchers noticed an unusual DDoS attack that involved thousands of Chinese QQBrowser users.
- The attack was conducted through the “pingback” command, normally used for legitimate purposes.
- The users were probably tricked through malvertising and followed a link via a WeChat room.
As reported by Imperva researchers, an HTML5 Pingback DDoS attack lasted for four hours, reached a peak of 7500 RPS (requests per second), and produced a total of 70 million requests. What piqued the researchers' interest was that most of the 4000 IPs taking part in the attack were located in China, which is unusual. Investigating further, they found that both the “ping-from” and the “ping-to” header values pointed to “http://booc.gz.bcebos.com/you.html”.
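The Ping-From and Ping-To headers described above are what a site operator can key on. The following is an added example, not code from the Imperva report or from this article: it flags hyperlink-auditing POSTs in a constructed, simplified log format and counts distinct source IPs per Ping-To target, so a flood from thousands of browsers stands out from the near-zero ping volume most sites normally see (the log format, addresses, URLs and threshold are all assumptions).

```python
# Added example (not from the original article): flag HTML5 "ping" POST floods
# in a simplified, constructed access-log format. Real logs need a real parser.
from collections import defaultdict

# Constructed sample lines: "<src_ip> <method> <path> <content-type> <ping-from> <ping-to>"
# A "-" marks a header that was not present on the request.
SAMPLE_LOG = """\
203.0.113.10 POST /you.html text/ping http://example.invalid/page http://victim.example/you.html
203.0.113.11 POST /you.html text/ping http://example.invalid/page http://victim.example/you.html
203.0.113.12 POST /you.html text/ping http://example.invalid/page http://victim.example/you.html
198.51.100.7 GET /index.html - - -
198.51.100.8 POST /login application/x-www-form-urlencoded - -
"""

def is_ping_request(method, content_type, ping_from, ping_to):
    """A hyperlink-auditing request is a POST with a text/ping body and/or
    Ping-From / Ping-To headers; ordinary form posts carry neither."""
    return method == "POST" and (
        content_type == "text/ping" or ping_to != "-" or ping_from != "-"
    )

def ping_sources_by_target(log_text):
    """Map each Ping-To target to the set of distinct source IPs that pinged it."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        ip, method, _path, ctype, pfrom, pto = line.split()
        if is_ping_request(method, ctype, pfrom, pto):
            sources[pto].add(ip)
    return sources

def flag_ping_floods(log_text, min_sources=3):
    """Return targets that received ping POSTs from at least min_sources distinct IPs.
    The threshold is an assumption for this sample; in production, tune it to the
    site's normal hyperlink-auditing volume, which for most sites is close to zero."""
    return sorted(
        target for target, ips in ping_sources_by_target(log_text).items()
        if len(ips) >= min_sources
    )

if __name__ == "__main__":
    print(flag_ping_floods(SAMPLE_LOG))  # ['http://victim.example/you.html']
```

The same predicate can drive a blocking rule at the edge: a site that never uses hyperlink auditing can simply reject POSTs carrying Ping-To or a text/ping body.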
A plausible scenario for how this attack was set up and carried out involves social engineering and malvertising. Since the WeChat app is very popular in China and opens links in QQBrowser by default, the malicious link was most likely injected into a popular WeChat room. The following diagram shows how this could have worked for the attackers, drawing thousands of unwitting users into the scheme.
QQBrowser just happened to be the tool for this particular attack, but that doesn’t mean other browsers are safe from being abused in a ping-based DDoS attack. On the contrary, major browsers such as Chrome, Safari, and Opera are removing the very option users had to disable hyperlink auditing, the feature that generates these pingback POST requests. This has already sparked debate about user privacy, since escaping online tracking will become much harder, but the DDoS attack explored in this post paints yet another dire picture of this browser functionality: taking part in DDoS attacks without any way for the user to stop it.