Here’s a fun one I got to play with the other day. It’s not so much a vulnerability as some bad coding that presented itself in a way that looked like a denial of service attack. It triggered rate controls on the WAF, which will often get my attention. Then I looked and saw it was mostly coming from a single IP address. Right there, you can almost immediately rule out DDoS, because the first D is for “distributed”. A single IP isn’t very well “distributed”.
Looking into the IP address, I noticed that it belonged to a media outlet in Latin America. I haven’t seen too many news orgs that want to DoS a site. Plus, all the requests were going to the same file on a customer’s site, and it was pretty innocuous. It was just a story that was relevant to the news org.
Next, I looked a little more closely at the file that was being called. I put the URL into a browser and got a white screen. Nothing. But looking a little more closely, I could see that the page just kept reloading. A “View -> Source” of the page showed nothing. Blankness. Nothing was loading, even though the page was reloading endlessly. What was causing that?
Let’s take a piece out of the transaction. Remove the browser. I opened up a terminal and did a curl of the URL and got a response. Included in the response, in the HTML head, was:
<head><meta http-equiv="refresh" content="0;url=/removed/index.html"> </head>
So why did the media site link to this page if it never loads? I suspect the link was old and the refresh target changed after the page had been linked. Then everyone who clicked the link on the media site, landing on this endlessly reloading page, probably left it running for at least a few seconds, or possibly just left it open in a browser tab and waited. Get enough of these at the same time and it can look like a DoS. But as we can see, if it looks like a DoS, smells like a DoS and quacks like a DoS, it might still not be a DoS.
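As an added example (not the author’s code), here is a small Python check that follows meta-refresh targets the way a browser would and flags the self-reloading case found above. The site URLs and page bodies are constructed, and `fetch` is a hypothetical stand-in for a real HTTP GET.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag

# Constructed sample site (not the real customer URLs): the linked story hands off
# to /removed/index.html, which refreshes to itself after 0 seconds.
SITE = {
    "https://example.test/story.html":
        '<head><meta http-equiv="refresh" content="0;url=/removed/index.html"></head>',
    "https://example.test/removed/index.html":
        '<head><meta http-equiv="refresh" content="0;url=/removed/index.html"> </head>',
    "https://example.test/about.html":
        "<head><title>About</title></head><body>loads normally</body>",
}

def fetch(url):  # hypothetical fetch: serves SITE; replace with a real HTTP GET
    return SITE.get(url, "")

class _RefreshFinder(HTMLParser):
    """Capture the content attribute of the first <meta http-equiv="refresh">."""
    def __init__(self):
        super().__init__()
        self.content = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and self.content is None \
                and (a.get("http-equiv") or "").strip().lower() == "refresh":
            self.content = a.get("content") or ""

_REFRESH = re.compile(r"\s*(\d+)\s*(?:[;,]\s*url\s*=\s*['\"]?([^'\"\s]*)['\"]?)?\s*$", re.I)

def parse_refresh(content):
    """'0;url=/x' -> (0, '/x'); a bare '5' -> (5, None), meaning reload this page."""
    m = _REFRESH.match(content)
    return (int(m.group(1)), m.group(2) or None) if m else None

def follow_refresh_chain(start_url, fetch, max_hops=10):
    """Follow meta refreshes from start_url; return (chain, verdict) where verdict
    is 'loop' (a URL repeats), 'terminal' (no refresh) or 'too-deep'."""
    chain, url = [], urldefrag(start_url)[0]
    while len(chain) < max_hops:
        if url in chain:
            return chain + [url], "loop"
        chain.append(url)
        finder = _RefreshFinder()
        finder.feed(fetch(url))
        parsed = parse_refresh(finder.content) if finder.content is not None else None
        if parsed is None:          # no refresh tag, or one browsers would ignore
            return chain, "terminal"
        target = parsed[1]
        url = urldefrag(urljoin(url, target) if target else url)[0]
    return chain, "too-deep"
```

Running it against a linked URL before the WAF does is a cheap way to tell a broken redirect apart from hostile traffic: a "loop" verdict means every visitor's browser will hammer that one path until the tab is closed.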