Imperva Discovers New DDoS Attack that Abuses HTML5 Ping-Based Hyperlink Auditing Feature

Imperva experts Vitaly Simonovich and Dima Bekerman have discovered a large-scale DDoS attack abusing the HTML5 Ping-based hyperlink auditing feature, Security Affairs reported.

The DDoS attack peaked at a massive 7,500 requests per second and delivered more than 70 million requests over a four-hour period from around 4,000 user IPs.

“We recently investigated a DDoS attack which was generated mainly from users in Asia. In this case, attackers used a common HTML5 attribute, the <a> tag ping, to trick these users to unwittingly participate in a major DDoS attack that flooded one web site with approximately 70 million requests in four hours,” reads the analysis published by Imperva.

“Rather than a vulnerability, the attack relied on turning a legitimate feature into an attack tool. Also, almost all of the users enlisted in the attack were mobile users of the QQBrowser developed by the Chinese tech giant Tencent and used almost exclusively by Chinese speakers.”

Experts believe that attackers used a mix of social engineering combined with malvertising to trick WeChat users into opening the browser.

Ping is an HTML5 attribute of the <a> tag that specifies a list of URLs to be notified when the user follows the hyperlink. When the user clicks the link, the browser sends a POST request with the body “ping” to each URL listed in the attribute. The request also carries the headers “Ping-From” and “Ping-To” and a “text/ping” content type. The attribute exists so that website owners can monitor and track clicks on a link.
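Because every ping request carries the same distinctive markers (POST, `text/ping`, `Ping-From`, `Ping-To`), an edge filter can tell hyperlink-auditing traffic apart from ordinary requests and spot the pattern in the incident above: many distinct sources pinging one path. The following is an added example (not Imperva's code); it assumes a reverse proxy hands each request over as a dict with `method`, `path`, `headers` and `remote_addr`, and the traffic it runs on is constructed for illustration.

```python
from collections import Counter, defaultdict

def is_ping_request(req):
    """Match what a browser sends for <a ping=...>: a POST with a text/ping
    content type plus Ping-From and Ping-To headers (case-insensitive names)."""
    if req.get("method", "").upper() != "POST":
        return False
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "text/ping" and "ping-from" in headers and "ping-to" in headers

class PingFloodDetector:
    """Counts pings per source IP and distinct sources per target path.
    A click-tracking endpoint sees a few pings per user; a site that never
    used <a ping> should see none. Many IPs pinging one path is the flood."""
    def __init__(self, per_ip_limit=10, distinct_ip_alert=1000):
        self.per_ip_limit = per_ip_limit
        self.distinct_ip_alert = distinct_ip_alert
        self.per_ip = defaultdict(int)
        self.ips_per_path = defaultdict(set)

    def handle(self, req):
        """'pass' for non-ping traffic, 'ping' if tolerated, 'drop' over budget."""
        if not is_ping_request(req):
            return "pass"
        ip = req["remote_addr"]
        self.per_ip[ip] += 1
        self.ips_per_path[req["path"]].add(ip)
        return "drop" if self.per_ip[ip] > self.per_ip_limit else "ping"

    def flooded_paths(self):
        """Paths pinged by at least distinct_ip_alert different sources."""
        return sorted(p for p, ips in self.ips_per_path.items()
                      if len(ips) >= self.distinct_ip_alert)

def constructed_traffic(n_ips):
    """Constructed sample: one page view, then n_ips made-up IPs each pinging '/'."""
    reqs = [{"method": "GET", "path": "/", "headers": {}, "remote_addr": "203.0.113.5"}]
    for i in range(n_ips):
        reqs.append({"method": "POST", "path": "/", "body": "PING",
                     "headers": {"Content-Type": "text/ping", "Ping-To": "http://victim.example/",
                                 "Ping-From": "http://lure.example/ad"},
                     "remote_addr": f"10.0.{i // 256}.{i % 256}"})
    return reqs

def analyse(reqs, **kwargs):
    """Run the detector over a request list: (decision counts, flooded paths)."""
    det = PingFloodDetector(**kwargs)
    return Counter(det.handle(r) for r in reqs), det.flooded_paths()
```

A site that never emits `<a ping>` links can simply drop every request `is_ping_request` matches; the per-path threshold is for sites that rely on click auditing themselves.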