HTML5 Hyperlink Pings Used in DDoS Attacks

A new type of DDoS attack is actively being carried out against various sites by abusing an HTML5 feature referred to as hyperlink auditing, or pings. Imperva researchers observed an attack that delivered 70 million ping requests over a four-hour period from an estimated 4,000 IP addresses. The ping feature is a legitimate tracking method used to record clicks on website links and is included in normal hyperlink code. The attack involved web pages, primarily gaming sites, that loaded two external JavaScript files. One of these files contained a range of URLs that were the targets of the DDoS attack. Researchers assess that malvertising, or a malicious advertisement, was used in combination with malware and social engineering to attract users to the pages hosting the script. The NJCCIC recommends users avoid clicking on advertisements and instead navigate directly to the URL. We also advise website and application operators who do not need to receive ping requests to block any web requests that contain “Ping-To” and/or “Ping-From” HTTP headers on edge devices (firewall, WAF, etc.).
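The edge filter recommended above, as an added example that is not part of the NJCCIC advisory or Imperva's research. It assumes the edge device exposes each request's headers as a name/value mapping; the sample requests are constructed. Because browsers omit Ping-From in some cross-scheme cases, the filter blocks on either header alone, and as defense in depth also matches the `text/ping` content type that hyperlink pings carry.

```python
"""Edge filter for HTML5 hyperlink-auditing ("ping") requests.

A browser sends a hyperlink ping as a POST with Content-Type: text/ping,
body "PING", a Ping-To header (the link target) and usually a Ping-From
header (the page the link was clicked on). Ping-From is not always sent,
so the filter must not require both headers at once.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed request shape assumed for this example.
Request = Dict[str, object]  # {"method", "path", "headers", "body"}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_hyperlink_ping(req: Request) -> bool:
    """True if the request is a hyperlink ping and should be dropped at the edge."""
    headers: Dict[str, str] = req.get("headers", {})  # type: ignore[assignment]
    # Advisory rule: either Ping-To or Ping-From is enough to block.
    if _header(headers, "Ping-To") is not None or _header(headers, "Ping-From") is not None:
        return True
    # Defense in depth: the ping content type with no Ping-* headers is still a ping.
    ctype = _header(headers, "Content-Type") or ""
    return ctype.split(";")[0].strip().lower() == "text/ping"


def filter_requests(reqs: Iterable[Request]) -> Tuple[List[Request], List[Request]]:
    """Split requests into (allowed, blocked) lists."""
    allowed: List[Request] = []
    blocked: List[Request] = []
    for req in reqs:
        (blocked if is_hyperlink_ping(req) else allowed).append(req)
    return allowed, blocked


# Constructed sample traffic: two legitimate requests and three pings.
SAMPLE_REQUESTS: List[Request] = [
    {"method": "GET", "path": "/", "headers": {"Host": "example.test"}, "body": ""},
    {"method": "POST", "path": "/", "headers": {"Content-Type": "text/ping",
     "Ping-From": "http://attacker.test/page", "Ping-To": "http://victim.test/"}, "body": "PING"},
    {"method": "POST", "path": "/", "headers": {"content-type": "text/ping",
     "ping-to": "http://victim.test/"}, "body": "PING"},  # lowercase, no Ping-From
    {"method": "POST", "path": "/", "headers": {"Content-Type": "text/ping"}, "body": "PING"},
    {"method": "POST", "path": "/login", "headers": {"Content-Type":
     "application/x-www-form-urlencoded"}, "body": "user=a"},
]

if __name__ == "__main__":
    ok, dropped = filter_requests(SAMPLE_REQUESTS)
    print(f"allowed={len(ok)} blocked={len(dropped)}")
```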