Understanding DDoS Attacks via Malicious JavaScript and Mitigation with HTTPS and Subresource Integrity

Distributed denial‑of‑service (DDoS) attacks are among the oldest and most common threats to websites. Nick Sullivan, a systems engineer at CloudFlare, explains how attackers exploit malicious sites, server hijacking, and man‑in‑the‑middle (MITM) attacks to launch DDoS campaigns, and how HTTPS together with the upcoming Subresource Integrity (SRI) web technology can protect sites.

Modern websites rely heavily on JavaScript, which is added either directly in HTML or via a <script src=""> tag that loads code from remote locations. While JavaScript can make asynchronous HTTP(S) requests, it can also turn the browser into an attack weapon. The following script demonstrates how a simple image‑flood can generate a flood of requests to a victim site:

function imgflood() {  
  var TARGET = 'victim-website.com'
  var URI = '/index.php?'
  var pic = new Image()
  var rand = Math.floor(Math.random() * 1000)
  pic.src = 'http://'+TARGET+URI+rand+'=val'
}
setInterval(imgflood, 10)

This script creates ten <img> elements each second, each pointing to victim-website.com with a random query parameter. If a user visits a page containing this code, their browser unknowingly participates in a DDoS attack against the victim site.

Many websites use popular third‑party JavaScript libraries to save bandwidth and improve performance. For example, about 30 % of sites used jQuery in 2014, and other common libraries include the Facebook SDK and Google Analytics. When a site includes a <script src="..."> tag that points to a third‑party hosted file, every visitor downloads and executes that file. If an attacker compromises the hosting server and injects DDoS code into the library, all visitors become part of the attack – a classic case of server hijacking.

HTTP lacks a built‑in mechanism to forbid the execution of tampered scripts. To address this, the W3C has proposed Subresource Integrity (SRI), which allows a site to specify a cryptographic hash of the script it expects the browser to run. The browser computes the hash of the downloaded file and compares it to the provided value; a mismatch prevents execution.

<script src="https://code.jquery.com/jquery-1.10.2.min.js"
        integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Twh+Y5qFQmYg="
        crossorigin="anonymous"></script>

The integrity attribute contains the hash, and the crossorigin attribute enables the browser to fetch the resource anonymously for verification. While Chrome and Firefox are adding support, many browsers still do not fully implement SRI.

Man‑in‑the‑middle attacks represent a newer method for injecting malicious JavaScript. As a user’s request traverses multiple network nodes, any compromised node can inject malicious code into the page, effectively turning the user’s browser into an attack platform.

Encryption can completely block such code injection. By enforcing HTTPS‑only connections and properly managing certificates, all communication between the browser and the web server is encrypted and authenticated, preventing third parties from modifying the page in transit and thereby mitigating MITM‑based script injection attacks.