CNN DDoS Attacks Demystified
April 23rd, 2008, by Supranamaya Ranjan
Over the last 24 hours, several security researchers have analyzed the tools that were distributed to launch the DDoS attacks against CNN. The interested reader can get an analysis of the 3 tools at Dancho Danchev’s blog.
The attack tool that caught my attention is the one in which the 'hacktivists', via mailing lists and forums, urged users to do one of two things. The more tech-savvy users, the 'generals', were urged to install an executable, after which they would be able to serve a web page on their own site (e.g., hackerhf.com/cnn.html). This web page loaded www.cnn.com continuously, almost once per second, in a frame. The less tech-savvy users, the 'soldiers', were asked simply to point their browsers at the web pages set up by the generals. As long as they kept their browsers open, requests would be sent towards CNN's homepage continuously, the aim being either to saturate the bandwidth in front of CNN or Akamai, its content distribution network, or to bring CNN's web server infrastructure to its knees.
Interestingly, this geo-political activism alone was able to generate enough traffic at CNN that legitimate users' requests, which take about 1 second on a usual day, took about 4 seconds on Sunday morning for 3 hours (source: Netcraft). Note, however, that requests were never dropped and everyone was able to browse CNN, albeit slowly.
A packet trace analysis of what happens when a soldier logs on to one of the generals' sites reveals the following sequence of HTTP requests:
[Figure: sequence of HTTP requests from the packet trace]
Most interestingly, note that the next group of HTTP requests to CNN starts only after 1 minute (the time gap between request IDs 124 and 4910). In other words, with default settings a Firefox client running this tool generates requests to CNN at the rather modest rate of once per minute. Yet the frame embedding CNN clearly appeared to be refreshing itself much faster than that, about 20 times per minute. The likely explanation is the browser cache: a refresh of the frame does not necessarily produce a network request, because every browser has a setting that controls how often it revalidates a cached page with the server, and a refresh satisfied from the local cache never reaches CNN at all. For Firefox, that setting is:
“browser.cache.check_doc_frequency [Integer] (3) - This setting determines how often Firefox checks for newer versions of the page you are viewing. This setting is similar to Internet Explorer’s ‘Check for newer versions of stored pages’ setting. If set to 0 Firefox only checks once per browser session; if set to 1 Firefox checks every time a page is viewed; if set to 2 Firefox never checks (i.e. it always uses the version stored locally in your browser cache); and if set to 3 (the default) Firefox checks at automatically determined intervals. If you browse mostly pages which update their content extremely often (i.e. a few times a day) you may wish to set this to 1 though it will slow down browsing speed. The default of 3 is best for fastest browsing on most connections. You can experiment to see if 0 suits your needs, but don’t use a value of 2.”
One does wonder whether the hacktivists instructed their users to change the default Firefox setting from 3 to 1, in which case a request would be sent to CNN every time the frame refreshed, i.e. about 20 times per minute per browser instead of once. And if 100% of the users had made this change, would CNN's response time have degraded by a far larger factor? Maybe then it would have crumbled under the attack!
It also makes one wonder which problem is easier: detecting attacks launched by human armies or those launched by botnets?
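The packet trace above gives a server-side operator two things to look for: each soldier's browser re-fetches the homepage at a nearly constant interval (once per minute with Firefox defaults, once every few seconds if check_doc_frequency were set to 1), and a page loaded inside a frame carries a Referer pointing at the embedding page, i.e. one of the generals' sites. The following script is an added example written for this post, not a tool from the campaign or from CNN. It parses Apache combined-format access log lines (constructed here; the hackerhf.com/cnn.html embedding page is the one named above, the client IPs and timestamps are invented), groups homepage requests per client, and flags clients whose inter-request gaps are almost constant and whose Referer is a third-party page. The 304 statuses in the sample model a conditional revalidation that returns Not Modified; whether the real trace showed 304s is an assumption.

```python
"""Flag browsers acting as frame-refresh DDoS 'soldiers' from access logs.

Added example, not from the original post. Heuristic: a client that
re-requests the homepage at an almost constant period, with a Referer
pointing at a third-party page (the page embedding the homepage in a
frame), looks like a participant in the campaign described in the post.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Apache "combined" format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Referers from the site itself are normal navigation, not embedding.
OWN_HOSTS = {"www.cnn.com", "cnn.com"}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def referer_host(referer):
    """Hostname of the Referer, or None when absent ('-' or empty)."""
    if referer in ("", "-"):
        return None
    return urlparse(referer).netloc.lower() or None


def flag_periodic_clients(lines, target_path="/", min_hits=4, max_cv=0.15):
    """Return {ip: info} for clients fetching target_path at a steady cadence
    from a third-party embedding page. cv = stdev/mean of the gaps between
    consecutive requests; a human clicking around has a much higher cv.
    Both 200 and 304 responses count: each one cost the server a request."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["path"] == target_path:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        foreign = {referer_host(r["referer"]) for r in recs} - {None} - OWN_HOSTS
        if cv <= max_cv and foreign:
            flagged[ip] = {"hits": len(recs), "period_s": round(mean, 1),
                           "cv": round(cv, 3), "embedding_hosts": sorted(foreign)}
    return flagged


def campaign_pages(flagged):
    """Count distinct flagged clients per embedding host: the generals' pages."""
    counts = defaultdict(int)
    for info in flagged.values():
        for host in info["embedding_hosts"]:
            counts[host] += 1
    return dict(counts)


# ---- constructed sample log (not real CNN traffic) ----
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
T0 = datetime(2008, 4, 20, 9, 0, 0, tzinfo=timezone.utc)   # invented base time
EMBED = "http://hackerhf.com/cnn.html"                       # embedding page named in the post


def _line(ip, t, path, status, referer):
    return (f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" '
            f'{status} 1234 "{referer}" "{UA}"')


SAMPLE_LOG = []
# Two soldiers (invented IPs): homepage revalidated every ~60 s via the frame.
for ip in ("10.0.0.5", "10.0.0.9"):
    for k in range(5):
        SAMPLE_LOG.append(_line(ip, T0 + timedelta(seconds=60 * k + k % 2), "/",
                                200 if k == 0 else 304, EMBED))
# One ordinary visitor: irregular gaps, moves between pages, own-site Referer.
for secs, path, ref in [(0, "/", "-"), (37, "/WORLD/", "http://www.cnn.com/"),
                        (210, "/", "http://www.cnn.com/WORLD/"), (512, "/", "-"), (560, "/", "-")]:
    SAMPLE_LOG.append(_line("192.0.2.77", T0 + timedelta(seconds=secs), path, 200, ref))


if __name__ == "__main__":
    hits = flag_periodic_clients(SAMPLE_LOG)
    for ip, info in hits.items():
        print(ip, info)
    print("embedding pages:", campaign_pages(hits))
```

The Referer check is the weaker of the two signals, since a browser can be configured not to send one; the periodicity check does not depend on it and would also fire at a 3 s period if users had set check_doc_frequency to 1, which is why the threshold is on the regularity of the gaps rather than on their length. In production the per-client state would live in a sliding window rather than in memory for the whole log, and the count of distinct flagged clients per embedding host is what separates one odd user from a coordinated campaign.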