HTML5 Ping is a common HTML5 attribute, which was found to have been turned into a DDoS attack tool. In this latest saga, thousands of Tencent QQ browser users from China were cheated into phishing websites. As the same old story went, they clicked some deceptive links that contain malicious codes. Millions of requests were then generated and directed to the victims with the use of the HTML <a> ping attribute.

“Ping” is a common attribute added to HTML5 for sending collected information like ad tracking, click rates, etc. to a specific site by sending a POST request that consists of headers “Ping-From”, “Ping-to” and a “text/ping”. As many as 4,000 Chinese QQ browser users are believed to have participated unwittingly in a 4-hour attack, during which 70 million requests were made, or 7,500 requests per second.

But let’s be fair. The Tencent QQ browser shouldn’t be all to blame. Literally any browser can be turned into bots as long as the user is not vigilant enough. Abusing Ping requests to launch DDoS attacks is nothing new. Just a year ago, Wordpress-powered websites were exploited to send junk HTTP POST requests. As history repeats and will repeat itself, let’s assume attackers will continue to abuse web browsers and take advantage of unsuspecting users to flood their attack targets. 

Implications for Nexusguard clients

As a typical application attack, HTML5 Ping attack can easily be recognized and is characterized by the presence of “Ping-to” and “Ping-from” in the HTTP Headers. Since its discovery this attack signature has been profiled and is now kept in our mitigation platform. It won’t be able to cause a sting to the customers under our or partners’ protection.