Online advertising networks could be used to enlist millions of unsuspecting Web surfers in attacks on other websites, a demonstration at the Black Hat security conference in Las Vegas showed on Wednesday.
It didn’t take long for the victimized test server to begin struggling under the sudden load. In the first hour of the test, during which only $2 was spent on ads, more than 130,000 connections from browsers swamped the server. It wasn’t much longer until the server began falling offline under the growing load.
“We did not hack anybody; we used the way the Web works and brought down our own server,” said Johansen. “We’re just loading images as quickly as possible.”
The test server wasn’t protected by the specialized tools used by some sites to defend against so-called denial of service attacks. However, Johansen said that the low cost of this type of attack and reach of online networks suggest it could be easily scaled up. “It’s really not that much money to do real damage to real sites on the internet.”
At the typical prices for online ads—about 50 cents for 1,000 views—just $500 is enough to get a million contributors, he pointed out. The pair plans to test the attack against more powerful Web servers that have protections against denial of service attacks.
Grossman said the toughest question raised by the technique is not how to solve it, but who’s to blame for the vulnerability. Unlike most new attacks presented at Black Hat, it isn’t enabled by a failing in any one company’s technology. Ad networks, browser designers, and Web protocols all enable this style of attack, he said.
Jeff Debrosse, director of security research at online security company Websense, was less equivocal about who should address the issue. “It is up to the ad networks to remedy this solution,” he said, pointing out that the new research shows that ad networks that block custom code are correct to do so.