Web Ads Used to Launch Online Attacks
Researchers show how easy it is to hide code in online ads that can turn people into an online attack squad.
Denial of service attacks are a costly and challenging problem for many websites.
Online advertising networks could be used to enlist millions of unsuspecting Web surfers in attacks on other websites, a demonstration at the Black Hat security conference in Las Vegas showed on Wednesday.
It didn’t take long for the victimized test server to begin struggling under the sudden load. In the first hour of the test, during which only $2 was spent on ads, more than 130,000 connections from browsers swamped the server. It wasn’t much longer until the server began falling offline under the growing load.
“We did not hack anybody; we used the way the Web works and brought down our own server,” said Johansen. “We’re just loading images as quickly as possible.”
The test server wasn’t protected by the specialized tools some sites use to defend against so-called denial of service attacks. However, Johansen said that the low cost of this type of attack and the reach of online ad networks suggest it could easily be scaled up. “It’s really not that much money to do real damage to real sites on the internet.”
At the typical prices for online ads—about 50 cents for 1,000 views—just $500 is enough to get a million contributors, he pointed out. The pair plans to test the attack against more powerful Web servers that have protections against denial of service attacks.
Grossman said the toughest question raised by the technique is not how to solve it, but who’s to blame for the vulnerability. Unlike most new attacks presented at Black Hat, it isn’t enabled by a failing in any one company’s technology. Ad networks, browser designers, and Web protocols all enable this style of attack, he said.
Jeff Debrosse, director of security research at online security company Websense, was less equivocal about who should address the issue. “It is up to the ad networks to remedy this solution,” he said, pointing out that the new research shows that ad networks that block custom code are correct to do so.