How Can Someone Do A Denial Of Service Attack With JavaScript


I was recently reading this Cloudflare article about JavaScript Denial Of Service and I didn’t understand how it could work. From what I’ve learned, JavaScript is a client-side language and can’t interact with a server (please correct me if I’m wrong, I’ve been coding for a year and I’m still a n00b =3). I tried to add my own twist on it. But A. it’s not effective (I didn’t think it would be) and B. I didn’t notice any change in traffic. The actual code is located if you want to take a look at it. I understand it wouldn’t be too effective to even do it in JavaScript and especially with one computer.

So my question is, how would you do it? I just don’t understand how it could work even after reading the Cloudflare article, and there’s not a lot of discussion about it.


Method 1

It works because it’s a distributed denial of service attack, not just a denial of service attack. You sneak that code snippet into a lot of webpages that a lot of people visit (e.g. by including it inside a library that does something useful that other developers will pick up and use). From the article:

In September 2014, RiskIQ reported that jQuery.com’s website was
compromised, which hosts a very popular JavaScript library that could
have easily been replaced with a malicious one. The threat of
attackers injecting malicious JavaScript into millions of sites is no
longer theoretical.

A lot of websites out there use jQuery or other libraries by including remote JavaScript source files (instead of making local copies of them; by using the remote version your web page may load a tiny bit faster for your users, and of course you get new features and bug/security fixes “for free”). If the JavaScript source files were compromised, every website out there that included them would be serving the compromised versions to their visitors, so every one of their users would be participating in the DDoS.

The DDoS itself just works by overloading the target web server with requests. Imagine you’re working at a fast food restaurant: if one person comes in and orders dinner, you can handle that. If the entire city suddenly shows up and starts shouting their orders at you, you’ll be too overwhelmed to fulfill even one order let alone all of them.

Method 2

A great real-life demonstration of this attack was carried out by the “Great Cannon”.

It intercepted unencrypted traffic and inserted a small script. All the script did was send non-malicious requests to the target server. The attack was so large scale that millions of requests were intercepted, causing a massive amount of traffic hitting the target web server.

The target server was unable to process these requests and became unavailable for users, causing a Denial of Service. Since the overwhelming traffic came from lots of hosts it is called Distributed Denial of Service.
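Both answers describe script that reaches visitors from outside the site owner's control: a remote library that gets compromised (Method 1) or a response altered on an unencrypted connection (Method 2). The audit below is an added example, not code from either answer or from the Cloudflare article; it flags script tags exposed to either path, using the browser's `integrity` (Subresource Integrity) attribute as the pinning check. The sample page, its host names, the placeholder integrity value and the status labels are all constructed for the example.

```javascript
// Constructed sample page: hosts and the integrity value are placeholders.
const SAMPLE_HTML = `
<html><head>
<script src="http://cdn.example.net/lib.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
<script src="https://cdn.example.net/ui.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
<script>console.log("inline");</script>
</head></html>`;

// Parse the attributes of one opening tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Classify every external script reference found in the HTML.
//   plaintext-remote    : fetched over http, so it can be altered in transit
//   remote-no-integrity : https, but whatever the remote host serves is run
//   remote-pinned       : https plus an integrity hash the browser verifies
//   same-origin         : served by the site itself
function auditScripts(html, pageOrigin) {
  const findings = [];
  const siteOrigin = new URL(pageOrigin).origin;
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const { src, integrity } = parseAttrs(tag);
    if (!src) continue; // inline script: nothing is fetched
    const url = new URL(src, pageOrigin);
    let status;
    if (url.origin === siteOrigin) status = "same-origin";
    else if (url.protocol === "http:") status = "plaintext-remote";
    else if (!integrity) status = "remote-no-integrity";
    else status = "remote-pinned";
    findings.push({ src, status });
  }
  return findings;
}
```

Anything reported as `plaintext-remote` or `remote-no-integrity` is a script whose content the site owner cannot vouch for at load time.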
