Chinese attackers have been using HTML Anchor tags to perform DDOS attacks across the world these days. This is one such instance where a seemingly benign feature addition done to the HTML technical specification has inadvertently opened a Pandora box of its misuse/abuse by hackers and attackers.
As mentioned in my introductory article to HTML Anchor Tags, Anchor tags are used to link documents present on the word wide web so that users of a web page can easily navigate to a new web page seamlessly from their web browsers.
An example of HTML code using anchor tags looks something like this:
<a href="https://muddoo.com" title="Muddoo Home">Muddoo</a>
While the above code is a standard way of using HTML anchor tags, there are also additional anchor tag attributes one can use to add new features to the anchor tag’s overall functionality. In our previous article we looked at the noopener attribute that ensures that when the respective anchor links are opened in a new window, they are opened in a separate thread all together and have no relationship to the parent web page in anyways. This ensured that Cross Site Script (XSS) attacks could not be made from child web page to the parent page.
Just like the noopener attribute, we have another attribute associated with the anchor tags that some hackers are misusing to perform DDOS attacks on other websites. This attribute is the “ping” attribute of the anchor tags!
What is HTML Ping Attribute?
Ping is a new attribute of an Anchor tag that was introduced in HTML5 specification. Ping attribute would list a set of one or more URLs that are pinged back whenever a user of a web page follows a hyperlink from that anchor tag.
The idea of introducing Ping attribute to anchor tags was to enable web administrators track clicks on that hyperlink. An example of how this attribute looks like is shown below:
<a href="https://google.com" ping="https://muddoo.com/tracker">Go to Google</a>
So in the above example, whenever a user clicks on “Go to Google” hyperlink, he will be taken to the Google home page, but at the same time, a ping POST message is sent back to the https://muddoo.com/tracker webpage for muddoo.com website to keep track of number of users going to Google through that hyperlink.
But the problem occurred when some of the Chinese hackers started using this innocuous feature to perform DDOS attacks on many websites. They simply created web page with links to standard websites such as Alibaba or Tabao, while using ping back links to their target websites. They specifically targeted people using QQBrowser (from Chinese giant Tencent) to use their web pages to reach standard websites. This resulted in millions of Ping request going back to targeted websites thus acting as a DDOS attack on these websites.
How to prevent Anchor Tag Ping attacks from your web pages?
With good understanding of how the attack is being performed, you must be wondering how you can prevent such DDOS attacks originating from your websites or getting attacked by one. But unfortunately, there are no clear solutions in place as the support for Ping requests are part of HTML 5 specifications so all browsers will be supporting it (well, more or less), so your only best possibilities will be to keep monitoring such activities on your web server and take appropriate action at the right moment.
Hope this article gave good introduction to the possible Ping DDOS attacks happening due to the presence of Ping attribute in the HTML Anchor tags. This article has been part of series of articles that I have been writing about HTML tags with this being the third article on HTML Anchor Tags.
If you would like to take a look at other two articles, you can follow these links:
Introduction To HTML Anchor Tag
What is noopener vulnerability found in anchor tags of HTML?
Until next time, happy coding! 🙂