The BBC reports that the attack was identified this week by Cloudflare, a web performance and security company. An on-call engineer investigating a flood of traffic to one of the company’s customers’ servers traced the sheer volume of requests back to a massive botnet of smartphones.
Most DDoS attacks, in which a server is so overwhelmed with artificial requests that it cannot respond to legitimate traffic, have tell-tale signs that distinguish them from a genuine spike in visitor numbers. Many automated attack scripts identify themselves with only a minimal User-Agent string, or none at all, but the requests in this attack carried the fully formed User-Agent and other headers that real web browsers send.
That quickly suggested real devices were involved. Further examination of the requests’ Referer URLs and other headers found that the traffic originated in China and that 72 percent of it came from mobile devices.
The most likely explanation is that the smartphones were served malicious JavaScript embedded in advertisements on web pages and in apps. When the advert was rendered in the phone’s browser or in an app’s embedded web view, the script ran and began sending a rapid stream of requests to the target web server.
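The analysis described in the preceding paragraphs (full browser headers on every request, Referer URLs pointing back to the advert that delivered the script, a mobile-heavy mix, and many distinct devices each contributing a little) can be turned into a simple log triage script. The following Python is an added example written for this page, not code from Cloudflare or the BBC. The log lines it parses are constructed samples in Nginx/Apache combined format, and the thresholds in `looks_like_browser_botnet` are illustrative assumptions rather than values taken from the reported attack.

```python
import re
from collections import Counter

# Parser for the Nginx/Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample traffic (not a real capture): seven requests from distinct
# mobile browsers, six of which arrived via the same ad creative, two desktop
# browsers, and one obvious script client. All but the last fall in one second.
SAMPLE_LOG = """\
203.0.113.11 - - [25/Sep/2015:10:00:00 +0000] "GET /api/item?rnd=1 HTTP/1.1" 200 512 "http://ad.example.net/creative.html" "Mozilla/5.0 (Linux; Android 5.1; SM-G920F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.94 Mobile Safari/537.36"
203.0.113.12 - - [25/Sep/2015:10:00:00 +0000] "GET /api/item?rnd=2 HTTP/1.1" 200 512 "http://ad.example.net/creative.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4"
203.0.113.13 - - [25/Sep/2015:10:00:00 +0000] "GET /api/item?rnd=3 HTTP/1.1" 200 512 "http://ad.example.net/creative.html" "Mozilla/5.0 (Linux; Android 4.4.4; Nexus 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36"
198.51.100.7 - - [25/Sep/2015:10:00:00 +0000] "GET /api/item?rnd=4 HTTP/1.1" 200 512 "http://ad.example.net/creative.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13A344 Safari/601.1"
198.51.100.8 - - [25/Sep/2015:10:00:00 +0000] "GET /api/item?rnd=5 HTTP/1.1" 200 512 "http://ad.example.net/creative.html" "Mozilla/5.0 (Linux; Android 5.0; SM-N900) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.94 Mobile Safari/537.36"
198.51.100.9 - - [25/Sep/2015:10:00:00 +0000] "GET /api/item?rnd=6 HTTP/1.1" 200 512 "http://ad.example.net/creative.html" "Mozilla/5.0 (Linux; Android 5.1.1; LG-H815) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.94 Mobile Safari/537.36"
192.0.2.5 - - [25/Sep/2015:10:00:00 +0000] "GET /api/item?rnd=7 HTTP/1.1" 200 512 "http://app-ads.example.net/banner" "Mozilla/5.0 (Linux; Android 4.4.2; GT-I9505 Build/KOT49H; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36"
192.0.2.20 - - [25/Sep/2015:10:00:00 +0000] "GET /api/item?rnd=8 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36"
192.0.2.21 - - [25/Sep/2015:10:00:00 +0000] "GET /api/item?rnd=9 HTTP/1.1" 200 512 "http://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56"
192.0.2.22 - - [25/Sep/2015:10:00:01 +0000] "GET /api/item?rnd=10 HTTP/1.1" 200 512 "-" "curl/7.43.0"
"""

# Constructed contrast case: a classic scripted flood from one host with a bare
# client identifier and no Referer. The same heuristic should not fire on it.
SCRIPTED_FLOOD = "\n".join(
    f'198.51.100.99 - - [25/Sep/2015:10:00:00 +0000] "GET /api/item?rnd={i} HTTP/1.1" '
    f'200 512 "-" "python-requests/2.7.0"'
    for i in range(20)
)

MOBILE_MARKERS = ("Mobile", "Android", "iPhone", "iPad")
BROWSER_MARKERS = ("Mozilla/5.0", "AppleWebKit", "Gecko", "Trident")


def classify_agent(agent):
    """Bucket a User-Agent the way the article's analysis does: full browser
    strings (mobile or desktop) versus minimal or absent script identifiers.
    A browser-looking UA is trivially spoofed, so this is a signal, not proof."""
    if not agent or agent == "-":
        return "none"
    if any(m in agent for m in MOBILE_MARKERS):
        return "mobile-browser"
    if any(m in agent for m in BROWSER_MARKERS):
        return "desktop-browser"
    return "script"


def analyse(log_text):
    """Summarise a chunk of access log: request rate, client mix, Referer
    concentration and how many distinct source addresses took part."""
    records = [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]
    if not records:
        raise ValueError("no parseable log lines")
    total = len(records)
    agents = Counter(classify_agent(r["agent"]) for r in records)
    per_second = Counter(r["time"] for r in records)   # timestamp has 1 s resolution
    referers = Counter(r["referer"] for r in records)
    top_ref, top_ref_count = referers.most_common(1)[0]
    return {
        "total": total,
        "peak_rps": max(per_second.values()),
        "distinct_sources": len({r["src"] for r in records}),
        "browser_share": (agents["mobile-browser"] + agents["desktop-browser"]) / total,
        "mobile_share": agents["mobile-browser"] / total,
        "top_referer": top_ref,
        "top_referer_share": top_ref_count / total,
    }


def looks_like_browser_botnet(summary, rps_threshold=5, referer_share=0.5, browser_share=0.8):
    """Triage heuristic (thresholds are illustrative assumptions): a flood whose
    requests carry full browser headers, come from many distinct addresses and
    mostly share one referring page is more consistent with hijacked browsers
    than with a scripted flood from a few hosts."""
    return (summary["peak_rps"] >= rps_threshold
            and summary["browser_share"] >= browser_share
            and summary["top_referer_share"] >= referer_share
            and summary["distinct_sources"] > 1)


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_LOG), ("scripted", SCRIPTED_FLOOD)):
        summary = analyse(text)
        print(name, summary, "browser botnet?", looks_like_browser_botnet(summary))
```

None of these signals is conclusive on its own: a User-Agent is trivially forged, and a genuinely viral link also produces many distinct addresses sharing one Referer, so the referring page itself has to be fetched and inspected to see whether it carries a script that hammers the target. Also worth remembering when reading such logs is that a script in an ad frame can fire cross-origin XMLHttpRequest or fetch calls at any site; the browser withholds the response when CORS headers are missing, but the request has already reached the server by then.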
Unfortunately, Cloudflare has little else to go on. One particular point of note is that it is still unknown how so many users came to load the infected advertisements. The attackers may have signed up with a commercial ad network and paid to have their advert displayed to as many users as possible, but the exact entry point remains speculative.
The attack is one of the first of its kind in which real phones and web browsers were co-opted without their owners’ knowledge and used to take web servers offline. Such methods are expected to become more common as more examples emerge. Cloudflare warns that browser-based attacks are a “great danger to the Internet” because defending against them is very difficult, especially for the operator of a small server: every request arrives from a different, legitimate device, so blocking individual addresses or filtering obvious bot signatures does little.
In total, the target Cloudflare analysed received 4.5 billion requests in a single day of the attack. The BBC notes that this is more traffic than its own network receives in an entire month.