DDoS protection vendors and security researchers started seeing JSLOIC in use as early as January 2010. It was used a number of times during the AnonOps Operation Payback attacks. More recently it has been used by the “Izz ad-Din al-Qassam” cyber fighters to attack US banks and financial institutions in 2012-2013. JSLOIC left its mark in history as a web-based attack tool that could be used to engage the masses in virtual sit-in DDoS attacks without ever having to download the attack program.
The overall recorded size of attacks utilizing JSLOIC has been small, averaging less than 100 Mb/sec, but nonetheless this tool has been used to successfully attack websites which are not protected against the onslaught of requests. Once a website has been targeted by JSLOIC, there is a possibility that DDoS attacks from the tool will continue to recur for years. Since JSLOIC is uploaded to a web server, unless the malicious page is removed there is a possibility that a random visitor could stumble upon the JSLOIC page, automatically restarting an attack years later.
JSLOIC is classified as an HTTP GET attack. The crafted requests themselves consist of successive HTTP GET requests directed at the target website with a randomized URL and an optional message.
Normally, the JSLOIC website loads a control interface where a target is pre-configured and is ready to attack at the click of a button. Sometimes the attack is launched simply by opening the JSLOIC page. This can lead to accidental involvement in a DDoS attack by unsuspecting users visiting the page. From analyzing the JSLOIC code, we can also see that it could be used within a web page without indicating that an attack is being launched. Sites vulnerable to Cross Site Scripting could be used to host the malicious code without any outward indications, making their legitimate visitors unwitting participants in a large-scale attack. However, in common practice this tool clearly displays its control interface and target website.
The real power of JSLOIC is the ability to involve the population of the internet in an attack. Through the use of social media, attackers could ultimately involve countless individuals, whether oblivious, willing or unwilling, in a large DDoS attack. Because the attack is launched from the browser, there is no need for the attackers to install any additional software in order to participate in the attack. This makes it much easier for the general public to participate in a DDoS attack. Although occurrences of JSLOIC attacks are on the decline, this tool could very likely appear at the forefront of DDoS news in the not-so-distant future.
Due to the nature of JSLOIC, the attack must be conducted in a browser. This makes JSLOIC attacks easier to detect than attacks from other tools, because the URL of the JSLOIC page will be used as the referrer on every request. In most cases, websites which allow the uploading of HTML pages are used to host the JSLOIC code. This makes spotting and blocking such requests a straightforward task for security teams, as there would be a large influx of traffic from sites that otherwise would not be regularly referring traffic to the target website. Security teams can use this referrer data to block the malicious attack in a layer 7 security device.
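The referrer-based detection described above can be sketched as a log check. This is an added example, not code from the original article or from any vendor: it assumes web server logs in Combined Log Format, and the thresholds, host names and query parameters in the sample traffic are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

def suspicious_referrers(lines, own_hosts, min_requests=20, min_unique_ratio=0.9):
    """Return {referrer_url: (request_count, distinct_client_ips)} for external
    referrers that send many GETs whose request URLs are almost all distinct."""
    paths_by_ref = defaultdict(list)
    clients_by_ref = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines
        ip, method, path, referer = m.groups()
        host = urlsplit(referer).hostname  # None for "-" (no referrer sent)
        if method != "GET" or not host or host in own_hosts:
            continue  # ignore direct visits and the site's own navigation
        paths_by_ref[referer].append(path)
        clients_by_ref[referer].add(ip)
    flagged = {}
    for referer, paths in paths_by_ref.items():
        unique_ratio = len(set(paths)) / len(paths)  # randomized URLs push this to 1.0
        if len(paths) >= min_requests and unique_ratio >= min_unique_ratio:
            flagged[referer] = (len(paths), len(clients_by_ref[referer]))
    return flagged

def build_sample_log():
    """Constructed sample traffic; every address, host and URL is made up."""
    fmt = ('{ip} - - [10/Mar/2013:10:00:{s:02d} +0000] "GET {p} HTTP/1.1" '
           '200 512 "{r}" "Mozilla/5.0"')
    lines = []
    for i in range(40):  # four browsers, one external referrer, changing URL
        lines.append(fmt.format(ip=f"198.51.100.{i % 4 + 1}", s=i,
                                p=f"/?id={1000 + i * 7}&msg=hello",
                                r="http://pages.example.net/u/flood.html"))
    for i in range(25):  # ordinary inbound link: many clients, two pages
        lines.append(fmt.format(ip=f"203.0.113.{i + 1}", s=i,
                                p=["/", "/pricing"][i % 2],
                                r="http://news.example.org/story"))
    for i in range(30):  # the site's own navigation
        lines.append(fmt.format(ip="192.0.2.10", s=i, p=f"/item/{i}",
                                r="http://www.example.com/catalog"))
    return lines

if __name__ == "__main__":
    hits = suspicious_referrers(build_sample_log(), {"www.example.com"})
    for ref, (count, ips) in hits.items():
        print(f"{ref}: {count} GETs from {ips} client IPs")
```

The referrer URLs it returns are the values a layer 7 device would be told to match and block.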
As with all website security, vigilance is paramount, and having a dedicated security team or DDoS protection service can make the difference between gracefully mitigating a JSLOIC DDoS attack and a complete outage.
Network Engineering, DOSarrest Internet Security