Distributed denial-of-service (DDoS) attacks are ever increasing and the attackers are using novel and sophisticated ways to carry out their malicious acts. A new way is to use Facebook ‘Notes’ as a mechanism to trigger DDoS attack using the image, <img> ,tag according to Chaman Thapa, known as ‘chr13’ who wrote in a blog recently.
Facebook Notes allows users to include <img> tags. Whenever a <img> tag is used, Facebook crawls the image from the external server and caches it,” Thapa wrote.“Facebook will only cache the image once however using random get parameters the cache can be by-passed and the feature can be abused to cause a huge HTTP GET flood.
He explained the steps needed to be taken in the blog one by one. The users can tag 1000 images in one Facebook Note or the same image can be tagged a 1000 times. Suppose each image is at least 1 Mb and if 100 users try to see the note at the same time then the amount of parallel requests for Facebook servers is already huge that is 1 * 100 * 1000 = 100,000 Mb or 97.65 Gb.
This can become even bigger if the image file is replaced with some other file of larger size. For example, Thapa used PDF file of 13 Mb and demonstrated that the impact can be huge.
“Getting rid of the browser and using the poc script I was able to get ~900 Mbps outbound traffic,” Thapa wrote in his blog. He continues:
“I was using an ordinary 13 MB PDF file which was fetched by Facebook 180,000+ times, number of Facebook servers involved was 112.”
He found similar issues with Google also which means that the method can be easily replicated to other services. After reporting the issue to Facebook, Thapa got a reply from them telling him that they will not fix it. Facebook wrote:
“In the end, the conclusion is that there’s no real way to us fix this that would stop “attacks” against small consumer grade sites without also significantly degrading the overall functionality.”
Thapa criticized Facebook for not taking it seriously. He wrote:
“I’m not sure why they are not fixing this. Supporting dynamic links in image tags could be a problem and I’m not a big fan of it. I think a manual upload would satisfy the need of users if they want to have dynamically generated image on the notes.“
Read More about it on Thapa’s Blog