
Mobile Ad Brokers as DDoS Distribution Vectors: A Case Study - majke
https://blog.cloudflare.com/mobile-ad-networks-as-ddos-vectors/??
======
3dfan
1187 words, 3 graphics, 6 subheadings, 8 highlighted content sections, a
bullet point list... and all to say "An ad with a malicious script was used to
DDoS a website. We don't know how it happened, but please use our service!".

Welcome to the wonderful world of content marketing.

------
ahoge
In case anyone wonders about the `!+[1,]` bit:

In modern browsers, `[1,]` is the same as `[1]`. If you coerce it to number,
you get 1. (You get "1" if you toString it.)

In IE8, `[1,]` is the same as creating an array with a length of 2 whose first
slot contains 1 and whose second slot was left empty. It's kinda like `[1,
undefined]`, but there is no "1" key. If you coerce it to number, you get NaN.
(You get "1," if you toString it.)

If you coerce 1 to boolean and negate it, you get false.

If you coerce NaN to boolean and negate it, you get true.

So, basically, it just checks if trailing commas in array literals are handled
incorrectly.

~~~
majke
Interesting explanation. When I last checked, the "!+[1,]" expression
alone was coherent across all the browsers, but the "if(!+[1,])" statement was not.

I think there is something weird about the parsing of the comma in the "if"
statement in old IE.

~~~
majke
Correction. There is nothing special in "if". IE9 is just different, as you
explained.

------
notfoss
Anyone else read it as "Mobile Ad Blockers"? I came here curious to see how ad
blockers could be used as DDOS vectors. Well, I guess theoretically, it might
be possible to overwhelm a device with a page which has too many elements to
block, causing the ad blocker to consume a lot of resources.

~~~
maskofsanity
I did :)

------
imron
Another thing to consider: it might not have been an ad network but rather
something like XcodeGhost. Some of the most popular Chinese apps were
compromised.

------
forcer
I don't understand how it is possible that the browser would allow a cross-domain
request from the attacker website to the victim website? Unless the victim has some CORS
headers allowing all sites to query it?

~~~
slipstream-
Wouldn't the browser still make the request even with the CORS headers,
because the server needs to send such headers?
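
On the CORS question raised in the last two comments, an added example (not part of the thread or of the Cloudflare post): a simplified model of the browser's decision under the Fetch standard, showing that the target server receives a request whether or not it sends CORS headers, so those headers do not reduce request load. The function names, the request/response shapes and the `ads.example` origin are hypothetical, and the model assumes no credentials and ignores `Access-Control-Allow-Methods`/`-Headers`.

```javascript
// Simplified model of a browser's CORS handling; added illustration only.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when the request would trigger an OPTIONS preflight before being sent.
function needsPreflight(req) {
  if (!SAFE_METHODS.has(req.method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    if (n === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Does the response's Access-Control-Allow-Origin admit this origin?
function originAllowed(respHeaders, origin) {
  const allow = respHeaders["access-control-allow-origin"];
  return allow === "*" || allow === origin;
}

// What the target server receives, and whether the calling script may read the reply.
function corsOutcome(req, origin, respHeaders) {
  const allowed = originAllowed(respHeaders, origin);
  if (needsPreflight(req)) {
    // The OPTIONS preflight is itself a request the server has to answer.
    return { serverReceives: allowed ? ["OPTIONS", req.method] : ["OPTIONS"],
             scriptCanReadResponse: allowed };
  }
  // Simple request: sent first; CORS headers are checked only on the response.
  return { serverReceives: [req.method], scriptCanReadResponse: allowed };
}

// Constructed sample: a third-party page requesting a site that sends no CORS headers.
const noCors = {};
console.log(corsOutcome({ method: "GET" }, "https://ads.example", noCors));
console.log(corsOutcome({ method: "POST", headers: { "Content-Type": "application/json" } },
                        "https://ads.example", noCors));
```

In both constructed cases the script cannot read the response, yet the server still has to handle a request, which is why rate limiting has to happen on the server or in front of it.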

