Geekly Articles each Day
📜 ⬆️ ⬇️

EX.UA, LOIC and helpless Ukrainian police

It is not a secret that Ukraine is a country where every “ruler” (deputy, officials and oligarch) thinks that he is smarter than everyone and believes that he controls the process, and later it turns out that no one controlled him. A small analysis of history in the socio-political terms, we and colleagues give on the website of the Foundation for Quality Policy .

What is JS LOIC , this is the simplest and not very well written JavaScript in 50 lines, the technical details of its work, and the like, are outlined below. But its uniqueness is that every browser can be a source of attacks without installing special programs and virus infection. First, every schoolchild and housewife will soon be able to participate in attacks without understanding anything, simply by getting a link and clicking a button on the page. Moreover, it is not necessary to press a button, any mass resource can become the carrier of such a script embedded in it by the owners or intruders (not so important), but such requests will reach their goal.


Since cross-domain AJAX requests in browsers do not work for security reasons, JS LOIC uses a simple technique — dynamically inserting a tag with a picture onto a page, here’s a line from the code that makes all the technique clear:
img.setAttribute("src", targetURL + "?id=" + rID + "&msg=" + messageNode.value);

And this opportunity can not be thrown out of browsers, but with a well-written site, this feature is not very scary. Ideally, the query should not go to the database or to scripts that are executed dynamically, or to access the file system. This is simply solved in Apache, nginx, IIS, in fact, you can filter requests in many ways: at the URL-rewriting stage using regular expressions, also in LOIC, cookies do not delete between calls (because they are created as part of another domain) is another filtering factor, blocking by IP is by itself, and given that many attack through a proxy, all forwarded requests can be immediately dropped. At the same time, officials are crying that they have not been allocated enough money for equipment, and their iron could not withstand the attacks. Low-budget and crooked websites of the Ukrainian authorities did not withstand the attacks, denyushki were plundered even before being developed by shameless officials.
')
But back to the technical aspects, the dynamic insertion of images, i-frames, scripts, in html - not the only and not the most effective way to browser attacks. There is also the JSONP protocol - this is a secure cross-domain query specification, but for a DDOS attack, such a secure specification is also appropriate, here is an example:
 <script type="text/javascript" src="http://targetdomain.com/somePath?parameter1=value1&jsonp=callbackProcName1"> </script>

If the server understands JSONP and the request is completed successfully, the result will return as a call to the callbackProcName1 function ({"Result1": "value1", "SomethingMore": "anotherValue" ...}). But for attacks - getting results is not so important.

image Another technique is much more fruitful in this respect - these are the long-awaited Web sockets and Socket.io , which will expand the toolkit of browser attacks many times over. WebSockets support statistics in the picture. So, that JS LOIC is just the first tests and very soon we will be faced with the fact that fifth grade students will be able to organize in 30 minutes and break everything for the sake of a joke. During elections, for example, or other events, military actions, adoption of laws, speeches of politicians, summits ... the tsatska has already fallen into the hands, now you will not take it away.

You are probably interested in the true reason for your visit to me?


And now back to EX.UA and attacks in Ukraine. What is the result?
1. Sites of state bodies, the police and even the special services of Ukraine have shown their complete helplessness and incompetence. As much as 3 days, everything lay, neither could we raise it in any other place.
2. Politicians and officials are likely to be able to benefit from what happened - there is a good excuse to stop the development of electronic means of interaction of the society with the authorities, electronic services, etc. but the truth is, no one has really developed them, this is really a wonderful reason to completely stop everything.
3. During the next election and Euro 2012 everything will lie.
4. EX.UA is too tidbit to just close for good, who will destroy what can generate good money on advertising, this is not Ukrainian, you just have to renegotiate, re-divide profits with the right people.

UPD: Regarding upload pictures, I remembered another good method, very applicable for attacks:

 images = new Array(); ... images[n] = new Image(); images[n].src = "http://targetdomain.com/images/img"+i+".jpg"; ...


UPD2: In general, it turns out beautifully, while the top officials just stole - everyone was silent, but when they attacked the sacred, deprived of films - the war immediately!

UPD3: Many people are interested in where to get the source code of JS LOIC, you can see them, for example, here: pastehtml.com/view/bmp0uzp8a.html (I don’t design it as a link, so that they do not click on it)

UPD4: The easiest ways of protection available to everyone and implemented in 5 minutes are:

This would prevent the launching of scripts and the circulation of scripts to the database (the main reasons for the load), not to mention that requests can be filtered on the router, but the country did not have enough money to equip the equipment, which we already understood.

And I repeat, it was not the servers that were lying, but the software, they responded to other server ports, and some even gave a page with “HTTP 502 Bad gateway” very smartly. This happens, for example, when nginx stands as a frontend, and on an Apache backend or another server with software (which fell, and the frontend had to protect and cache it).

Source: https://habr.com/ru/post/137571/

More articles:


All Articles