Video Site Hole Linked to DDoS Hit

Tuesday, April 29, 2014 @ 05:04 PM gHale


It appears a vulnerability in Sohu.com, a video content provider, ended up leveraged by attackers this month to launch large-scale distributed denial of service (DDoS) attacks, researchers said.

Sohu, which translates as “search fox,” is China’s eighth largest web site. It provides online media, gaming, search, community and mobile services. While Sohu is not popular among users in the West, it’s currently number 27 of the most visited website in the world.

RELATED STORIES
DDoS Attacks a Smokescreen for Data Theft
Users Breaching Security Policies
Execs Not Seeing All Security Facts: Report
DDoS Techniques Changing

The attackers found a cross-site scripting (XSS) vulnerability in Sohu.TV, the company’s video streaming service, said researchers at Incapsula. Sohu officials patched the hole after Incapsula notified them.

“Once we uncovered the source of the browser-based DDoS attack and replicated persistent XSS vulnerability that allowed it to occur we immediately went on to share our findings with Sohu security team,” Incapsula researchers said.

“With this information in hand Sohu team could quickly evaluate the problem and respond with a rapid patch which fixed the security hole, rendering this browser-based botnet completely useless,” the researchers said.

Incapsula discovered the attack technique after one of their customers suffered a DDoS attack involving 20 million GET requests coming from more than 22,000 web browsers.

The attackers didn’t compromise the computers of 22,000 users. Instead, they leveraged the persistent XSS flaw to inject JavaScript code into the tag associated with the images on Sohu profiles.

The profiles in question were able to post comments on popular videos. Each time one of these videos loaded, the malicious code embedded inside the profile image executed, launching a DDoS attack against the designated target.

The GET requests went out at a rate of one per second. With some videos up to 30 minutes long, and a large number of users were viewing the same video at any given time, it was enough to disrupt a website that didn’t use any DDoS protection.



Leave a Reply

You must be logged in to post a comment.