A few days ago this new story has been published:
Researchers have found that the HTML feature called hyperlink auditing, or pings, is being used to perform DDoS attacks against various sites. This feature is normally used by sites to track link clicks, but is now found to be abused by attackers to send a massive amount of web requests to sites in order to take them offline.
In new research by Imperva, researchers have found that HTML pings are being utilized by attackers to perform distributed denial of services attacks on various sites.
The article goes on describing the attack that basically executed some JS to add a link with ping attribute and automatically ”click every second”.
It goes on in the same usual way describing that attackers are supposed to have “used social engineering and malvertising to direct users to pages hosting these scripts”.
Strangely it does not mention the victims, but just says these were “gaming companies”.
The question now is, especially considering they have used JS anyway, why did not they just use any other form of requests?
I admin, usual AJAX requests may have been problematic, as the attacked websites likely do not have CORS headers set, so they would have been blocked by the browser as they violate the same origin policy, but usually CORS does not apply to
<img tags e.g.…
So they could just have used that.
Why did they choose the
ping attribute for that, and are they thus more dangerous than other (common) methods for DDoSing?