Browser-Based DDoS Attacks without Javascript

Recently, browser-based distributed denial of service (DDoS) attacks, in which a malicious JavaScript program is distributed through an advertisement network, and runs in the background of the web browser, were observed. In this paper, we address a question whether browser-based DDoS attacks can be realized without JavaScript. We construct new browser-based DDoS attacks based only on HTML functions, and compare them with the existing JavaScript-based DDoS attacks in efficiency.


I. INTRODUCTION
A denial of service (DoS) attack is an attack to make a service unavailable to users by exhausting resources for the service.Especially, when the attack is performed by numerous devices distributed over wide area, it is called distributed denial of service (DDoS) attack.Traditional DDoS attacks are performed in lower layers (Layer 3/4).An attacker makes a malware infect devices and the infected devices send many packets of the lower layer to a target machine, by commands from the command and control (C&C) servers.The infected devices are called bots and the network consisting of bots and C&C servers is called botnet.On the other hand, DDoS attacks performed in the upper layer (Layer 7) have been observed recently.One of the DDoS attacks in Layer 7 is a "browserbased DDoS attacks" in Fig. 1, which attacks use a normal web browser as a bot.The most simple and classic attack method that uses web browser is "F5 attack", but the browser-based DDoS attack is different from that.
An example of browser-based DDoS attacks scenario is based on abuses of advertisement.In the scenario, advertisements including malicious JavaScript that launches DDoS attacks are distributed through the advertisement network.When a user browses a page including the advertisement, the script generates many requests to a targeted server.Compared to traditional DDoS attacks, in this attack scenario, the client does not need to be infected with malwares and attack is initiated simply by browsing an ordinary website on which the advertisement is placed.Furthermore, unlike "F5 attack", the attack is done regardless of the intention of the user.However, the attack is terminated by closing the webpage including the advertisement, and then attacks in this scenario have no persistence.Although it seems that the degree of threat is low at first glance, there were cases of DDoS attacks that actually abused the advertisement network.

Here are two examples:
 In March 2015 DDoS attacks targeting Github and GreatFire.orgoccurred [4].According to reports by GreatFire and Github, it was up to 2.6 billion (req / s), because JavaScript loaded on the web site using Baidu's access statistics service was replaced by JavaScript that generates a request for the target web site In response to the request, it was said that the failure occurred for up to five days.
 In September 2015 DDoS attacks targeting US Security Company CloudFlare occurred [3].CloudFlare reports that this attack supplied a maximum of 275,000 (req/s) requests.In addition, according to CloudFlare report, attacks were delivered through advertising networks, which led to attack pages with malicious JavaScript.
Section 2 reviews related researches on browser-based DDOS attacks.We propose an idea that considers how to form botnets to perform browser-based DDoS attacks that exploit in Section 3. Sections 4 and 5 explain Web functions without JavaScript, and proposed attack methods.Section 6 mentions experimental results of previous and proposed attacks.We conclude this paper in Section 7. II.RELATED WORKS L. Kuppan suggests that there are possibilities of DDoS attacks by abusing HTML5 technologies in web browsers [1].Among them is an idea that browser-based DDoS attacks can be realized by using XMLHttpRequestAPI and WebWorkers.G. Pellegrino et al. discuss the use of JavaScript functions in browser-based DDoS attacks method [2].They describe attacks that use the four APIs of XMLHttpRequestAPI [8], [9], WebSocketAPI [10], Server-Sent Event (SSE) API [11], and imageAPI [12].Three JavaScript APIs among them are capable www.ijacsa.thesai.org of sending HTTP requests per second enough for DDoS attacks and that XMLHttpRequest is the most efficient.

III. BROWSER BOTNET
While a traditional botnet is a network consisting of many infected devices, a browser botnet consists of web browsers that load a page including malicious script.Unlike traditional botnet, it is not necessary for browser botnet to infect clients with malware when it is acquired, and then botnet formation is inexpensive.On the other hand, if the browser window or tab is closed, the attack by the browser is terminated and it has a feature of no persistence.In this section, we present an idea that can be thought of as acquisition of browser botnet.
Recently, several cases of DDoS attacks using browser botnet composed of advertisement networks have been observed.The method of acquiring browser botnets by using the advertising network was proposed in Blackhat2013 [6].Web advertisement is installed in many web sites, and it can be used to prepare a large number of clients as a tool for DDoS attack from its features.The attack cost is much cheaper than malware botnets.According to research by J. Caballero et al. [7], there is a report that the cost per malware 1000 installation is $6 to $140.On the other hand, according to research G. Pellegrino et al. [2], the attack cost per day when attacking the advertisement network is an average of $0.02.It is very inexpensive compared with malware botnet formation.

IV. HTML FUNCTIONS USED FOR ATTACKS
In order to do DDoS attack without using JavaScript, we use dynamic document functions of HTML.The dynamic document function is a function that a web page automatically takes some action and changes the content of the web page dynamically [5].Usually it is used to create pages and animations that change with time, such as stock price information and weather forecast.Most standard browsers support two different dynamic document functions, "client pull" and "server push".

A. Client Pull
Using client pull functions, the web browser can reload a page automatically and repeatedly after an interval.In this research, we use a client pull function, "meta-refresh".
1) meta-refresh: If a value of <meta> http-equiv attribute is "refresh", it causes refreshing pages [5].Its basic usage is as follows: 1: <meta http-equiv="refresh" content="1" 2: url="http://example.com">The attribute content specifies the number of seconds to wait before redirecting, and the attribute url specifies the redirect destination URL and if it is no specified, redirection to the same page occurs.

B. Server Push
Using server push functions, the server can transmit data to the web browser at an arbitrary timing.Unlike client pull, server push maintains HTTP connection until all interactions are finished.As a server push, we use "multipart/x-mixedreplace" in this research.

C. HTML Tags
Requests used for DDoS attacks are generated with HTML tags.In this research, experiments were carried out with the following tags that have no restriction by the same origin policy [13].
1) <img> tag: Images can be displayed in the window by using the img tag.The basic usage is as follows: In addition to PNG/GIF/JPEG image format, a single PDF, etc. can also be specified with the src attribute.There are various other options.
2) <iframe> tag: By using the iframe tag, you can embed an HTML page in the windows.The basic usage is as follows: 1: <iframe src=" http://example.com">www.ijacsa.thesai.orgAny HTML page specified by the src attribute can be displayed inline in the windows.There are various other options.
3) <video> tag: By using the video tag, we can handle movies with standard HTML even without plugins like flash.Its basic usage is as follows: 1: <video src="http://example.com/video.mp4"controls> 2: </video> The video tag accepts various movie formats in the src attribute.It has many options such as source and controls attributes.

4) <audio> tag:
Audio tags can be used to embed audio content in documents.The basic usage is as follows: 1: <audio src=" http://example.com/audio.mp3"controls> 2: </audio> The audio tag accepts various audio formats in the src attribute.There are many options as well as other tags.

V. PROPOSED ATTACK METHODS
A. Attack Methods 1) Attack using meta-refresh: Below is an example code for an attack of the combination of meta-refresh and <img> tag.It is written in php and works in server.
2) Attack using multipart/x-mixed-replace: Below is an example code for an attack of the combination of multipart/xmixed-replace and <img> tag.It is written in php and works in server.Fig. 3 is an attack image diagram where "Server" supplies a malicious advertisement through an Adnet.
3) Attack using XMLHttpRequest: An example code for the DDoS attack using XMLHttpRequest [8], [9] discussed in the related research [2] is as follows:

B. Improve Efficiency
In the dynamic document function, if you simply set the same attack target URL to the src attribute, the browser does not send the second and subsequent requests and shows the response of the 304 Not Modified HTTP status code [14], which is inefficient, as shown in Fig. 4. To avoid this, we attach a random query string to the end of the attack target URL, as shown in Fig. 5.

A. Experiment Environment
Our experimental environment is shown in Table 1.Server side software is Apache 2.4.Client softwares are Firefox49.0.1 and Chrome47.0.2526.We use the apachetop command on the server side to measure HTTP requests.

B. Results
Table II shows the efficiency of the method using XMLHttpRequest, our proposed Browser-based DDoS attacks without JavaScript and the F5attack [15] in the same environment.
In the case of Firefox, the highest request number of 155.0 req/s can be issued on average in the combination of the "multipart/x-mixed-replace, <audio> tag, and existing URL".On the other hand, when the XMLHttpRequest proposed in the related research [2] is reproduced in our experimental environment, the average is 202.4 req/s, and it can be said that JavaScript attack is more efficient.
In the case of Chrome, the average number of requests of 138.5 req/s can be issued in the combination of "meta-refresh, <audio> tag, and no existing URL".On the other hand, the XMLHttpRequest proposed in the related research is 47.5 req/s, and the result that the proposed method attack is overwhelmingly efficient is obtained.Some combinations in the proposed method did not operate on Chrome.
In the combination of "meta-refresh, <audio> tag, and no existing URL", it was possible to constantly generate many HTTP requests both in Firefox and Chrome.
A characteristic feature of the proposed method is that a combination with significant band occupancy was observed.
In case of existing URL, maximum bandwidth occupation is 100 Mbps for multipart/x-mixed-replace with <audio> tag and 38 Mbps for meta-refresh with <video> tag, as shown in Fig. 6 and 7, respectively.In this research, in Firefox, the attack efficiency of average 55.0 req/s in the most efficient combination in the HTMLbased DDoS attack methods is inferior to that of average of 202.4 req/s in the JavaScript-based DDoS method using XMLHttpRequest.However, since the proposed attack methods are HTML-based attacks that do not use JavaScript, it is possible for a web browser that disables JavaScript to be a bot, and the acquisition of browser botnet is even easier.Therefore, even if the efficiency is inferior, they become a threat in acquiring more botnets.In this paper, we proposed browser-based DDoS attack methods that are new methods of browser-based DDoS attacks and do not use JavaScript.Using the dynamic document functions of HTML, we showed in the experiment that browser-based DDoS attack is possible even when JavaScript is disable, and compared and evaluated them with the method proposed in the related research.In Firefox, efficiency was not better than XMLHttpRequest proposed in related research.Chrome, on the other hand, attained more attack efficiency than XMLHttpRequest.The experimental results showed that the efficiency of the same browser varies depending on the combination of HTML functions and tags in the proposed method, and even with the same combination, the experiment shows that efficiency varies depending on the browser.Since we examined our proposed attack methods only in two desktop version web browsers, Firefox and Chome, we will also experiment with other web browsers (e.g.IE/Edge, Opera) and mobile version web browsers.We will investigate other web functions for browser-based DDoS attacks and mitigation methods for our attacks.

Fig. 2 .
Fig. 2. Multipart/x-mixed-replace.1) Multipart/x-mixed-replace: It is a special mime-type content type header in a server response.The server response consists of multiple parts delimited by a boundary character string, and the server can send each part separately[5].The basic usage is as shown below, and the operation image is as shown in Fig.2.1: Content-type:multipart/x-mixed-replace;boundary=End 2: --End 3: Content-type: image/jpg 4: <tag src="http://example.com"> 5: --End 6: Content-type: image/jpg 7: <tag src= "http://example.com">8:--EndA response is divided into multiple data blocks with the boundary character string determined by the boundary attribute, and each part is sent separately.The browser receives each part and renders it, and after a new part is received, it replaces the previously rendered part.This function can be repeatedly used by using the boundary character string.

Fig. 4 .
Fig. 4. No query string at the end of the URL.

Fig. 5 .
Fig. 5. Random query string at the end of the URL.

TABLE II .
Results the unit is request per second [Req/s]