Chinese Smartphones Used In DDoS Attack

Security researchers have unearthed a distributed denial-of-service (DDoS) attack that used advertising traffic from hundreds of thousands of Chinese smartphones to help knock a website offline.

In the incident, traffic derived from smartphones, as well as a smaller proportion of desktops and tablets, was used to hit a website with about 4.5 billion requests from a total of about 650,000 unique IP addresses during the course of a single day, according to CloudFlare, which said one of its customers had been targeted.

Mobile shift

Attacks making use of malicious traffic drawn over legitimate advertising networks are unusual, but represent a growing threat, CloudFlare said. The incident also highlights the online world’s shift toward a predominance of mobile devices.

China has become a major market for smartphones, recently surpassing the US to become Apple’s top iPhone market.

CloudFlare said it wasn’t possible to determine why so many smartphones were involved – 80 percent of the requests originated from mobile devices, including 72 percent smartphones and 5 percent tablets, compared to 23 percent desktops – but said the malicious ads are likely to have been displayed on sites frequented by mobile users. All but 0.2 percent of the requests originated from China, the company said.

“The most plausible distribution vector seems to be an ad network,” CloudFlare said in an advisory. “It seems probable that users were served advertisements containing the malicious JavaScript. This ads were likely showed in iframes in mobile apps, or mobile browsers to people casually browsing the internet.”

The attack made use of innocuous-seeming ads to redirect users to an attack page, which in turn used JavaScript code to direct requests against the target page, CloudFlare said. More conventional DDoS attacks, by contrast, make use of malicious software implanted on user systems to direct traffic against targets.

Overall, the frequency of DDoS attacks continued to rise during the second quarter of 2015, doubling year-on-year for the third quarter in succession as instances of “mega attacks” also became more common, Akamai said last month.

‘New attack trend’

The incident represents a new form of abuse for online advertising networks, CloudFlare said. Such networks give advertisers access to large numbers of web users, and have been made use of to implant malicious code on users’ systems in a number of recent high-profile incidents.

“Attacks like this form a new trend,” CloudFlare stated. “They present a great danger in the internet — defending against this type of flood is not easy for small website operators.”

Are you a security pro? Try our quiz!