But wait, if DDoS attacks can trigger ads on the target site, and sites make money from ads (and mostly only ads), who's the target?
Can DDoS attacks trigger ads?
TL;DR
Yes. All application / layer-7 DDoS attacks trigger ads on the target site by default. The "visits" resulting from such a layer-7 DDoS attack are no different from visits by advanced web scrapers loading a page. This means layer-7 attacks may end up making money for the target and give the target an incentive not to disclose such attacks. For ad fraud perps, it gives plausible deniability for otherwise highly suspicious patterns in their traffic profile.
Validation of the findings
To confirm that this is the case, we tested several headless browser solutions, including the widely used phantom.js library, and found that with minimal configuration most sites showed ads to our bots. It took as little as minutes to set up a headless-browser-based visitor bot that captured the ads from the sites it visited. We repeated the same on a large scale using the commercial "mass scanning" technology by zulu5 [0], where we were able to prove that almost any site can be made to show almost any ad to a headless browser configuration, even one that is not focused on evading detection techniques.
There are dozens of headless browser solutions to choose from [1], and Google recently announced a Chrome-based one [2]. We did not run an actual large-scale DDoS to prove our hypothesis but conducted a brief literature review covering layer-7 DDoS attacks. All the findings and references are below.
Why is it important if DDoS attacks trigger ads?
In recent reporting by the Financial Times [3], a known terror funder on the US State Department sanctions list was operating a radical Jihadi website, Arrahmah.com, that was allegedly making significant money from ads. When investigating the claims made in the article further, we found that Arrahmah.com was one of the most commonly referenced targets for various groups allegedly working against ISIS online [4]. This can be simply verified through the countless pastebin dumps that mention the site [4]. It also seems fair to argue, largely thanks to Cloudflare, that such sites are not adversely affected by regular DDoS attacks. In fact, if the DDoS attack in question uses the right layer-7 technology, the site just ends up making more money than it would have otherwise made. We do not have any first-hand information about the case of Arrahmah.com that would allow us to verify whether layer-7 methods had indeed been used and, if so, to what extent. We also do not have any credible way to confirm whether Arrahmah.com had been adversely affected by the DDoS attacks. Below follows a summary of third-party information that gives more background on the general question.
There are two other factors that have to be considered with respect to some DDoS attacks having the capacity to trigger ads.
1) DDoS solutions are widely available and could be used to generate massive quantities of fake traffic to sites where ads generate revenue
2) A black hat marketer / spam site owner could drive massive quantities of traffic to their site by any means and, if questioned about it, blame a DDoS attack
In short, DDoS attacks have the potential for actually generating traffic, and the potential for "plausible deniability" with just the pretense of a supposed attack.
Questionable sites often use shady ad networks to monetize their traffic, and many such ad networks will welcome any spike in traffic with open arms. A regular ad network commission is 50% or more of the revenue generated by the ad impressions on a site in its network. Therefore they do not always have the right incentives to disqualify suspicious traffic as non-legitimate. Even major networks such as Google have serious issues in proactively dealing with traffic quality. Recent research covering Google's ad network traffic quality shows evidence for this claim [5].
Limitations related to DDoS as a method to trigger ads
Because ad fraud activity requires JavaScript ad tags to be loaded, as opposed to just making a connection with the server, most DDoS attack methods / technologies are not suitable for generating ad revenue on the target site. What we are interested in is referred to as Application Layer or Layer-7 DDoS attacks. Basically this is a way to say the attack is focused on the application, as opposed to the network, for example. The OSI Model [6] is used to illustrate this in a clear way, even to those with no previous understanding of the topic. According to research by Akamai, there were "51 percent more application layer attacks" from Q4 2013 to Q4 2014 and "16 percent more" in Q4 2014 over Q3 2014 [7].
Within the Application Layer / Layer-7, we are specifically interested in those kinds of attacks where the JavaScript in the source code of the target page is actually executed. This requires the attack to utilize one or more of three options:
- headless browser (phantom.js, v8, HtmlUnit, Trifle.js, Splash, etc.) [8]
- browser emulator (selenium, etc.)
- actual browser (in a compromised host)
When the DDoS attack uses any one of these three, the ads load normally, as they would for a legitimate user, and potentially generate revenue for the owner of the site.
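From the defender's side, the distinction drawn above (a plain GET flood versus traffic that executes the page's JavaScript and therefore fires the ad tags) is visible in the web server's access log: a client that fetches the HTML but never the ad tag script did not execute anything, whereas a client that also requests the ad tag and the per-slot ad calls did trigger ads. The following script is an added example, not code from the original post; it parses a constructed Combined Log Format sample, profiles each client IP, and totals the ad calls that the revenue-bearing clients generated, priced at the per-ad-call range quoted later in this post. The URL layout (`/article/<id>`, `/static/adtag.js`, `/adcall?slot=<n>`), the sample log lines and the user-agent strings are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical URL layout of the example site (an assumption of this example,
# not something the original post specifies):
#   /article/<id>      HTML page carrying the ad placements
#   /static/adtag.js   the JavaScript ad tag the page references
#   /adcall?slot=<n>   the impression request the ad tag issues once it executes
PAGE_PREFIX = "/article/"
AD_TAG_PATH = "/static/adtag.js"
AD_CALL_PREFIX = "/adcall?"

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (made up for this example). 203.0.113.5 only fetches the
# HTML; 198.51.100.7 and 192.0.2.9 also fetch the ad tag and issue ad calls.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2016:12:00:00 +0000] "GET /article/42 HTTP/1.1" 200 5120 "-" "loader/1.0"
203.0.113.5 - - [10/Jun/2016:12:00:00 +0000] "GET /article/42 HTTP/1.1" 200 5120 "-" "loader/1.0"
203.0.113.5 - - [10/Jun/2016:12:00:01 +0000] "GET /article/42 HTTP/1.1" 200 5120 "-" "loader/1.0"
203.0.113.5 - - [10/Jun/2016:12:00:01 +0000] "GET /article/42 HTTP/1.1" 200 5120 "-" "loader/1.0"
198.51.100.7 - - [10/Jun/2016:12:00:00 +0000] "GET /article/42 HTTP/1.1" 200 5120 "-" "PhantomJS/2.1.1"
198.51.100.7 - - [10/Jun/2016:12:00:00 +0000] "GET /static/adtag.js HTTP/1.1" 200 900 "-" "PhantomJS/2.1.1"
198.51.100.7 - - [10/Jun/2016:12:00:00 +0000] "GET /adcall?slot=1 HTTP/1.1" 200 43 "-" "PhantomJS/2.1.1"
198.51.100.7 - - [10/Jun/2016:12:00:00 +0000] "GET /adcall?slot=2 HTTP/1.1" 200 43 "-" "PhantomJS/2.1.1"
198.51.100.7 - - [10/Jun/2016:12:00:00 +0000] "GET /adcall?slot=3 HTTP/1.1" 200 43 "-" "PhantomJS/2.1.1"
198.51.100.7 - - [10/Jun/2016:12:00:01 +0000] "GET /article/43 HTTP/1.1" 200 4800 "-" "PhantomJS/2.1.1"
198.51.100.7 - - [10/Jun/2016:12:00:01 +0000] "GET /static/adtag.js HTTP/1.1" 304 0 "-" "PhantomJS/2.1.1"
198.51.100.7 - - [10/Jun/2016:12:00:01 +0000] "GET /adcall?slot=1 HTTP/1.1" 200 43 "-" "PhantomJS/2.1.1"
198.51.100.7 - - [10/Jun/2016:12:00:01 +0000] "GET /adcall?slot=2 HTTP/1.1" 200 43 "-" "PhantomJS/2.1.1"
198.51.100.7 - - [10/Jun/2016:12:00:01 +0000] "GET /adcall?slot=3 HTTP/1.1" 200 43 "-" "PhantomJS/2.1.1"
192.0.2.9 - - [10/Jun/2016:12:00:05 +0000] "GET /article/42 HTTP/1.1" 200 5120 "-" "Firefox/46.0"
192.0.2.9 - - [10/Jun/2016:12:00:05 +0000] "GET /static/adtag.js HTTP/1.1" 200 900 "-" "Firefox/46.0"
192.0.2.9 - - [10/Jun/2016:12:00:05 +0000] "GET /adcall?slot=1 HTTP/1.1" 200 43 "-" "Firefox/46.0"
192.0.2.9 - - [10/Jun/2016:12:00:05 +0000] "GET /adcall?slot=2 HTTP/1.1" 200 43 "-" "Firefox/46.0"
"""


def parse_log(text):
    """Parse Combined Log Format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def profile_clients(entries):
    """Per client IP: page views, ad-tag fetches, ad calls, page views per second,
    and a classification of whether the client executed the page's JavaScript."""
    stats = defaultdict(lambda: {"page_views": 0, "ad_tag_fetches": 0,
                                 "ad_calls": 0, "first": None, "last": None})
    for e in entries:
        s = stats[e["ip"]]
        if e["path"].startswith(PAGE_PREFIX):
            s["page_views"] += 1
        elif e["path"] == AD_TAG_PATH:
            s["ad_tag_fetches"] += 1
        elif e["path"].startswith(AD_CALL_PREFIX):
            s["ad_calls"] += 1
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    for s in stats.values():
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        s["page_views_per_s"] = s["page_views"] / span
        # Pages fetched but the ad tag never requested: the HTML was not parsed or
        # executed, which is the profile of a plain GET flood. It cannot trigger ads.
        if s["page_views"] and s["ad_tag_fetches"] == 0:
            s["kind"] = "get-flood"
        elif s["ad_calls"]:
            s["kind"] = "js-executing"   # ad calls were made: revenue-bearing traffic
        else:
            s["kind"] = "other"
        del s["first"], s["last"]
    return dict(stats)


def ad_revenue_exposure(stats, rate_low=0.001, rate_high=0.01):
    """Ad calls made by JS-executing clients and the revenue range they represent
    at the $0.001 to $0.01 per ad call quoted in the post (defaults)."""
    calls = sum(s["ad_calls"] for s in stats.values() if s["kind"] == "js-executing")
    return calls, round(calls * rate_low, 4), round(calls * rate_high, 4)


if __name__ == "__main__":
    profile = profile_clients(parse_log(SAMPLE_LOG))
    for ip, s in profile.items():
        print(f"{ip:<14} {s['kind']:<13} views={s['page_views']} "
              f"ad_calls={s['ad_calls']} views/s={s['page_views_per_s']:.1f}")
    print("ad calls, low $, high $:", ad_revenue_exposure(profile))
```

The classification deliberately rests on which resources a client fetched, not on the User-Agent string, because a headless browser can present any header it likes; the ad-tag and ad-call requests are the trace that JavaScript actually ran.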
How common are such DDoS attacks where ads are triggered?
According to multiple commercial reports, headless browser attacks have been on the rise for some years now. This makes sense, given that a "browser based" approach gives the attack perceived legitimacy, compared to, say, flooding someone's network with traffic in some simplistic way. According to Radware, in 2015 one out of every six DDoS attacks was web-based (HTTP/HTTPS) [9]. These numbers clearly include simple GET floods, and those attacks will not trigger ads.
Attacks that trigger ads have been witnessed to use a relatively small number of variants in terms of browser headers and yet go undetected.
“In October 2013, for instance, DDoS mitigation service provider Incapsula said one of its customers, a trading platform whose identity it did not reveal, had been subjected to a 150-hour DDoS attack using 861 variants of the headless browser technology Phantom JS to simulate legitimate user browsing behavior and thus avoid detection.” [10]
Even a fraction of the requests in such an attack would create a very high number of ad calls on the target site. At the moment the going rate per ad call is between $0.001 and $0.01 for regular banner ads, and one pageview (page load) may involve up to 15 ad calls (because many ads are placed on one page).
Even where the target site or the ad call in question utilizes a common anti-ad-fraud technology (IAS, DV, WhiteOps, Pixalate, etc.), those detection methods would typically fail to detect an ad call resulting from an attack that utilizes common features of headless browsers such as mouse movement [11]. As early as 2010, botnets were reported to be capable of CAPTCHA breaking [12].
How do the DDoS traffic volumes compare to site traffic?
In the 150-hour attack reported by Incapsula, there were over 180,000 IP addresses involved world-wide, sending 6,000 hits per second on average, which is nearly 700,000,000 hits per day [13].
According to a report by Sucuri [14], the average attack generates over 7,000 requests per second, which could mean up to 100,000 ad requests. Given that these requests are distributed on average across ~11,000 IP addresses, the traffic profile is not unlike that of the largest-scale ad fraud sites.
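The point made earlier, that an ad network has little incentive to question a spike in traffic, and the attack profile just cited (thousands of requests per second spread over roughly eleven thousand IPs) suggest the minimal check a network or publisher could run on its own hourly counts: compare each hour's impressions to a trailing baseline, and treat hours far above it, especially when the impressions per IP also jump, as unbilled pending a traffic-quality review. The script below is an added example, not the original post's code or any network's actual logic; the hourly figures are constructed, and the 6-hour window and 5× threshold are illustrative choices a real deployment would tune.

```python
from statistics import median

# Constructed hourly counts for one site (made up for this example): (hour label,
# ad impressions served, distinct client IPs). Hours h00-h11 are ordinary traffic;
# h12-h14 carry a surge of the kind described in the post; h15 is back to normal.
SAMPLE_HOURS = [
    ("h00", 41000, 9800), ("h01", 38000, 9100), ("h02", 35000, 8400),
    ("h03", 33000, 8000), ("h04", 36000, 8600), ("h05", 40000, 9500),
    ("h06", 47000, 11000), ("h07", 52000, 12300), ("h08", 55000, 12900),
    ("h09", 54000, 12600), ("h10", 53000, 12400), ("h11", 51000, 12000),
    ("h12", 610000, 11400), ("h13", 640000, 11600), ("h14", 590000, 11200),
    ("h15", 50000, 11900),
]


def per_ip_profile(hours):
    """(hour label, impressions per distinct IP) for every hour; a surge that comes
    from a bounded pool of clients shows up as a jump in this ratio."""
    return [(label, round(imp / ips, 1)) for label, imp, ips in hours]


def flag_surges(hours, window=6, factor=5.0):
    """Hours whose impressions exceed `factor` times the median of the preceding
    `window` hours, each with its baseline and impressions-per-IP. The first
    `window` hours have no baseline and are never flagged. A median baseline is
    used so that the surge itself does not immediately inflate the baseline."""
    flagged = []
    for i in range(window, len(hours)):
        label, impressions, ips = hours[i]
        baseline = median(h[1] for h in hours[i - window:i])
        if impressions > factor * baseline:
            flagged.append({
                "hour": label,
                "impressions": impressions,
                "baseline": baseline,
                "per_ip": round(impressions / ips, 1),
            })
    return flagged


def held_back_share(hours, flagged):
    """Fraction of all impressions that fall in flagged hours, i.e. the share a
    network would withhold from payout until the traffic has been reviewed."""
    total = sum(h[1] for h in hours)
    held = sum(f["impressions"] for f in flagged)
    return held / total if total else 0.0


if __name__ == "__main__":
    surges = flag_surges(SAMPLE_HOURS)
    print("impressions per IP:", per_ip_profile(SAMPLE_HOURS))
    for f in surges:
        print(f"{f['hour']}: {f['impressions']} impressions vs baseline "
              f"{f['baseline']:.0f}, {f['per_ip']} per IP")
    print(f"share of impressions held back: {held_back_share(SAMPLE_HOURS, surges):.1%}")
```

On the sample data the three surge hours carry about three quarters of the day's impressions and roughly twelve times the usual impressions per IP, which is the pattern the post's own numbers describe: a jump in volume without a matching jump in the number of clients.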
The entire online advertising "bidstream" is roughly 200 billion unique impressions per day, which can be translated into roughly 2 million requests per second. The largest companies by traffic volume, such as Google or Taboola, may deal with up to 100 billion impression events per day. The highest number of ad impressions we know of for a single entity is 4.4 billion per day, and that is the current world record to our knowledge when it comes to impression volume in ad exchanges for a single entity (app, website, etc.).
A website which is currently reporting 100 million ad impressions per day (there are hundreds of sites like that) would no doubt struggle to take in all the traffic from a very large scale DDoS attack. But as we can see from the big sites in general when they are under attack, they do try to keep the site live, or at least their partners do. For a smart target of a DDoS attack, the goal with the right attacker (headless browser) would be to sustain the attack as long as possible: basically have the attacker(s) work for you for free, in effect turning the "hunter" into prey.
As far as we could conclude, really big attacks generally go to big targets. Smaller targets enjoy smaller attacks. In fact, even a small site under a large attack could, proportionally to its legitimate revenue, "make a lot" from being able to handle even a small portion of the attack. Many such small sites are with Cloudflare, which is very good at keeping sites up.
What are the implications?
In the light of the information we have reviewed, it seems fair to argue the following:
- Certain DDoS techniques are triggering ads
- Those triggered ads have the potential for making money for the site owner
- DDoS attacks can be used as an excuse to explain ad fraud related traffic patterns
- Major sites are already used to dealing with VERY high load (hard to take down)
- Even small sites often use Cloudflare (even harder to take down)
Further, we conclude that DDoS attacks are a key technique used by "hacktivists". According to a report, hacktivism- and extortion-related DDoS attacks are expected to rise [15]. Former U.S. Air Force General Dale Meyerrose said recently [15] that almost every major campaign seeking to compromise an organisation for hacktivism reasons has a DDoS component in it.
We were not able to find evidence to put the two together and estimate to what extent hacktivist attacks leverage relevant technologies, such as headless-browser-based solutions.
REFERENCES:
[0] Brand protection and fraud monitoring
http://www.zulu5.com/en/
[1] A list of (almost) all headless web browsers
https://github.com/dhamaniasad/HeadlessBrowsers
[2] Headless Chrome is coming soon
https://news.ycombinator.com/item?id=11839303
[3] Jihadi website with beheadings profited from Google ad platform
https://www.ft.com/content/b06d18c0-1bfb-11e6-8fa5-44094f6d9c46
[4] Pastebin dumps that mention Arrahmah.com
http://pastebin.com/search?q=arrahmah.com
[5] Independent auditing of online display advertising campaigns
http://eprints.networks.imdea.org/1434/
[6] OSI Model
https://en.wikipedia.org/wiki/OSI_model
[7] State of the Internet Security
https://blogs.akamai.com/2015/01/q4-2014-state-of-the-internet—security-report-some-numbers.html
[8] Wikipedia article on Headless Browsers
https://en.wikipedia.org/wiki/Headless_browser
[9] YoY diversity in DDoS trends
https://security.radware.com
[10] Tackling the DDoS threat to banking
https://www.akamai.com/us/en/multimedia/documents/content/ovum-tackling-the-ddos-threat-to-banking-white-paper.pdf
[11] 2014-2015 Global Application & Network Security Report
https://www.radware.com/ert-report-2014/
[12] CAPTCHA Solving botnet used in ticket fraud operation
http://www.spamfighter.com/News-14027-CAPTCHA-Solving-Botnet-Used-in-Ticket-Fraud-Operation.htm
[13] Headless Browsers and DDoS attacks
[14] Analyzing popular Layer-7 DDoS attacks
https://blog.sucuri.net/2015/09/analyzing-popular-layer-7-application-ddos-attacks.html
[15] 2016 DDoS attack trends
http://www.radware.com/newsevents/mediacoverage/4-ddos-attack-trends-2016/