A persistent cross-site scripting (XSS) vulnerability in a popular site that hosts video content enabled an attacker to carry out a distributed denial-of-service (DDoS) attack against a different site, according to California-based website security company Incapsula, which helped mitigate the Thursday attack.
The video content website is one of the largest and most popular and sits in the Alexa top 50, according to a Thursday post by Ronen Atias, a security researcher with Incapsula, who explained that the name of the popular video site and the name of the DDoS target could not be revealed.
In the end, Incapsula’s client was hit by more than 20 million GET requests stemming from more than 22,000 viewers, according to the post. In a Friday email correspondence, Igal Zeifman, product evangelist with Incapsula, explained to SCMagazine.com how the company picked up on the attack.
“We used Incapsula’s technology to identify the malicious requests, intercept them and re-route them to another location which held a custom made script, [which] traced the request back to the DDoS tool and to the abused site,” Zeifman said.
Zeifman said he does not think a DDoS like this has ever been carried out before – at least not through such a prominent website – and added that what he witnessed taking place appeared to be more of a test run, to see if this type of attack can be effective.
“The website in question needs to directly address this vulnerability; it is a weak spot unique to their website,” Zeifman said. “The tricky part is knowing that such a weak spot even exists.”
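The defensive idea described above, that a flood of GET requests can be traced back to the abused third-party page, can be reproduced from ordinary access logs: requests sent by many different visitors' browsers all carry the same Referer. The script below is an added example, not Incapsula's tooling or anything from the article; the log lines, hostnames and addresses are constructed, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines (made-up hosts and
# addresses, not data from the incident in the article).
SAMPLE_LOG = """\
203.0.113.10 - - [27/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "https://video.example/watch?v=abc" "Mozilla/5.0"
203.0.113.11 - - [27/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "https://video.example/watch?v=abc" "Mozilla/5.0"
203.0.113.12 - - [27/Mar/2014:10:00:02 +0000] "GET /news HTTP/1.1" 200 2048 "https://video.example/watch?v=abc" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2014:10:00:02 +0000] "GET /about HTTP/1.1" 200 1024 "https://search.example/" "Mozilla/5.0"
203.0.113.10 - - [27/Mar/2014:10:00:03 +0000] "GET /news HTTP/1.1" 200 2048 "https://video.example/watch?v=abc" "Mozilla/5.0"
203.0.113.13 - - [27/Mar/2014:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "https://video.example/watch?v=abc" "Mozilla/5.0"
198.51.100.8 - - [27/Mar/2014:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [27/Mar/2014:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "https://video.example/watch?v=abc" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_referers(lines, min_requests=5, min_distinct_ips=3):
    """Group GETs by Referer and flag referers whose traffic arrives from many
    distinct client addresses: the pattern of one third-party page whose
    visitors' browsers are all being made to fetch this site."""
    requests = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["referer"] == "-":
            continue  # skip unparsable lines, non-GETs and requests without a Referer
        requests[rec["referer"]] += 1
        clients[rec["referer"]].add(rec["ip"])
    return {
        ref: {"requests": n, "distinct_ips": len(clients[ref])}
        for ref, n in requests.items()
        if n >= min_requests and len(clients[ref]) >= min_distinct_ips
    }


if __name__ == "__main__":
    for ref, stats in suspicious_referers(SAMPLE_LOG.splitlines()).items():
        print(f"{ref}: {stats['requests']} GETs from {stats['distinct_ips']} clients")
```

The Referer header can be absent or stripped by referrer policy, so treat this as one signal to correlate with request rate per client rather than proof on its own.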