Facebook denies reward for DDoS exploit: Trouble still lurking?
In practice, there are many ‘better’ ways to execute a Distributed Denial of Service (DDoS) attack, however one programmer has uncovered a flaw in the ‘Notes’ feature within the social network site Facebook that could put such an attack tool into the hands of millions.
In a blog post over the weekend, Chaman Thapa described how, by using HTML image tags within Facebook Notes, he was able to launch what amounted to a DDoS attack against a site referenced in specially constructed but simple code. Thapa created a large influx of HTTP requests to a target server by building a list of unique image tags, which were sent to the ‘m.facebook.com’ interface. He reports that thousands of HTTP GET requests hit the target server in just a couple of seconds:
“Facebook Notes allows users to include <img> tags. Whenever a <img> tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once, however, [and by] using random GET parameters the cache can be bypassed and the feature can be abused to cause a huge HTTP (Hyper Text Transfer Protocol) GET flood.”
Here’s the translation: Facebook has a standard behavior of caching an image just once. Using simple code, Thapa was able to trick Facebook into treating one image as many different images. This means that Facebook crawls the target server once for every copy of the image tag that carries random ‘GET’ parameters. The result is a flood of requests for the same image over and over again, eating up resources on the target server, including network, CPU and memory.
180,000 Facebook hits
This kind of traffic could quickly scale up to an attack on the DDoS level. Large files like videos and PDFs appear to have an even bigger impact compared to the smaller image sizes initially discussed. For example, by using the trick on a 13 MB PDF file, Thapa reported 900 Mbps of outgoing traffic. Twelve of Facebook’s servers hit the server 180,000 times in an attempt to fetch the PDF. Facebook received notice of the issue through its bug bounty program, which openly rewards the community with cash awards for uncovering issues. However, the company declined to reward this particular issue, as described in an email response to Thapa:
Thank you for being patient and I apologize for the long delay here. This issue was discussed, bumped to another team, discussed some more, etc. In the end, the conclusion is that there’s no real way for us to fix this that would stop “attacks” against small consumer grade sites without also significantly degrading the overall functionality. Unfortunately, so-called “won’t fix” items aren’t eligible under the bug bounty program, so there won’t be a reward for this issue. I want to acknowledge, however, both that I think your proposed attack is interesting/creative and that you clearly put a lot of work into researching and reporting the issue last month. That IS appreciated and we do hope that you’ll continue to submit any future security issues you find to the Facebook bug bounty program.
There are a number of reasons why this is not much of a cutting-edge DDoS threat. Foremost is the fact that such repeated requests from Facebook’s servers are easily blocked at the target server. Those looking to launch a truly effective DDoS attack are more likely to use attack types that are very difficult to block. Another unfortunate reality in the world of DDoS attacks is that launching a massive attack is very cheap and easy. The everyday DDoS attacks that seem standard today are technically ‘superior’, cheaper and more persistent than this Facebook flaw.
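The flood described above leaves a distinctive trace in the target server’s access log: one static file requested over and over with nothing but a throwaway query parameter changing, from a handful of crawler IPs. The following is an added example, not code from the article or from Thapa, that spots that pattern in constructed log lines so the resource can be rate limited or served with the query string ignored; the sample log, the IP addresses and the file names are all made up for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access-log lines (Common Log Format), not a real capture.
# The same PDF is fetched four times from three client IPs with only a
# throwaway query parameter changing: the cache-busting pattern the article
# describes. The remaining lines are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2014:12:00:01 +0000] "GET /files/report.pdf?r=8123 HTTP/1.1" 200 13631488
203.0.113.11 - - [01/Jan/2014:12:00:01 +0000] "GET /files/report.pdf?r=4471 HTTP/1.1" 200 13631488
203.0.113.12 - - [01/Jan/2014:12:00:02 +0000] "GET /files/report.pdf?r=9902 HTTP/1.1" 200 13631488
203.0.113.10 - - [01/Jan/2014:12:00:02 +0000] "GET /files/report.pdf?r=0017 HTTP/1.1" 200 13631488
198.51.100.7 - - [01/Jan/2014:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2014:12:00:03 +0000] "GET /img/logo.png HTTP/1.1" 200 2048
198.51.100.8 - - [01/Jan/2014:12:00:03 +0000] "GET /img/logo.png HTTP/1.1" 304 0
"""

# client IP, method, request target, status code, response size ("-" when absent)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def summarize_by_path(log_text):
    """Group requests by URL path (query string dropped): per path, the request
    count, the set of distinct query strings, the set of client IPs and bytes served."""
    stats = defaultdict(lambda: {"requests": 0, "variants": set(),
                                 "clients": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ip, _method, target, _status, size = m.groups()
        url = urlsplit(target)
        e = stats[url.path]
        e["requests"] += 1
        e["variants"].add(url.query)
        e["clients"].add(ip)
        e["bytes"] += 0 if size == "-" else int(size)
    return stats


def cache_busting_paths(log_text, min_variants=3):
    """Paths fetched under at least min_variants distinct query strings: a static
    file that keeps arriving with fresh parameters is being re-read on every request."""
    stats = summarize_by_path(log_text)
    return sorted(p for p, e in stats.items() if len(e["variants"]) >= min_variants)
```

Running `cache_busting_paths(SAMPLE_LOG)` flags only `/files/report.pdf`; the per-path byte total from `summarize_by_path` shows why a large file is the worst case, as the article’s 13 MB PDF figure illustrates.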
Still, there is the possibility that this could scale up to be a pesky nuisance for Facebook if word of this flaw spreads, especially if widely implemented by casual, would-be hackers.