Tuesday, September 29, 2015

Browser-based Layer 7 DDoS: inside the Chinese smartphone ad attack

DDoS mitigation experts CloudFlare have revealed that, when it comes to the attack surface, theory has once again turned into reality with an attack launched from Chinese smartphones. How does 275,000 HTTP requests per second grab you? Or, put another way, some 4.5 billion requests in a single day against a single domain. By any measure, that’s one heck of a denial of service attack. That it originated from a botnet of more than 600,000 unique IPs only adds to the intrigue, especially when the vast majority of the traffic (some 80 per cent) was coming from mobile devices, 98 per cent of them based in China.

Simply put, the smartphone browser was served an iframe as a container for the advert, complete with malicious JavaScript code. That script then made the mobile device flood the target domain with XMLHttpRequest (XHR) requests, an API available to browser scripting languages.

So what is a Layer 7 DDoS attack then? The clue is writ large in the name, and anyone familiar with the Open Systems Interconnection (OSI) network model will immediately know that layer 7 is the application layer. I’m not going to go into great detail about the OSI model; there’s plenty of information out there, and Wikipedia is probably as good a place as any to start if you want to dig into it. Suffice to say it’s a framework consisting of seven layers that together are responsible for transporting data from the client to the server and back again. Importantly, each of these layers carries out an assigned function and is essentially its own protocol.

Layer 7, as already mentioned, is the application layer, and a DDoS attack here can be hard to spot because the requests mimic human behaviour quite well in how they interact with the UI. Theoretically, a Layer 7 DDoS attack might target an individual website element such as a logo and keep downloading it.
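The mechanism described above (an ad iframe whose script fires XHR requests at a third-party domain from a very large number of mobile browsers) leaves a distinctive pattern in the target’s access logs. The following is an added example written for this page, not CloudFlare’s tooling or code from the original post: it parses a constructed log slice and scores the signals a defender would check, namely peak requests per second, distinct client IPs, the share of mobile user agents, and the share of requests referred by a foreign page. The log format, domain names, addresses and thresholds are all assumptions.

```python
import re
from collections import Counter

# Constructed log format for this example (not from the original post):
# ip [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path proto" status "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)" "([^"]*)"$')
MOBILE_UA = re.compile(r"Android|iPhone|iPad|Mobile", re.I)
SITE_ORIGIN = "https://target.example"  # hypothetical protected domain

def flood_signals(log_text, rate_threshold=50, share_threshold=0.8):
    """Summarise one log slice and flag a browser-based Layer 7 flood: peak
    requests per second, distinct client IPs, share of mobile user agents,
    share of requests referred by a third-party page (a cross-origin XHR fired
    from an ad iframe typically carries the iframe page as Referer), path concentration."""
    per_second, paths, ips = Counter(), Counter(), set()
    total = mobile = foreign = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole slice
        ip, ts, _method, path, _status, referer, ua = m.groups()
        total += 1
        ips.add(ip)
        per_second[ts] += 1                    # timestamps have 1 s resolution
        paths[path.split("?", 1)[0]] += 1      # ignore cache-busting query strings
        mobile += bool(MOBILE_UA.search(ua))
        foreign += bool(referer and not referer.startswith(SITE_ORIGIN))
    if total == 0:
        return {"total": 0, "suspicious": False}
    top_path, top_count = paths.most_common(1)[0]
    report = {"total": total, "peak_rps": max(per_second.values()),
              "unique_ips": len(ips), "mobile_share": mobile / total,
              "foreign_referer_share": foreign / total,
              "top_path": top_path, "top_path_share": top_count / total}
    report["suspicious"] = (report["peak_rps"] >= rate_threshold
                            and report["mobile_share"] >= share_threshold
                            and report["foreign_referer_share"] >= share_threshold)
    return report
# Constructed sample: five organic desktop requests, then 120 XHR hits in one
# second from 120 different mobile clients that all arrived via an ad iframe.
NORMAL = ('198.51.100.{n} [29/Sep/2015:10:00:00 +0000] "GET /page{n}.html HTTP/1.1" 200 '
          '"https://target.example/" "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"')
FLOOD = ('203.0.113.{n} [29/Sep/2015:10:00:01 +0000] "GET /api/feed?cb={n} HTTP/1.1" 200 '
         '"http://ads.example/banner.html" "Mozilla/5.0 (Linux; Android 4.4; Mobile) Chrome/45.0"')
SAMPLE_LOG = "\n".join([NORMAL.format(n=i) for i in range(5)] +
                       [FLOOD.format(n=i) for i in range(120)])

if __name__ == "__main__":
    print(flood_signals(SAMPLE_LOG))
```

In production the same counters would be fed from a rolling window rather than a static slice, and the thresholds tuned to the site’s normal traffic before they are allowed to trigger a block.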