[ISN] Falk statement on Bofra attack
isn at c4i.org
Mon Nov 22 07:12:27 EST 2004
By Falk eSolutions
22nd November 2004
Site notice: On Saturday, The Register suspended service by third-party
ad serving supplier Falk, following security issues detailed here.
Here is Falk's account of what went wrong:
Incident at delivery level - Between 6:10 AM and 12:30 AM (GMT) on
Saturday, 20th November 2004 Falk eSolutions clients using AdSolution
Global experienced problems with banner delivery. This started on
Saturday morning with a hacker attack on one of our load balancers.
This attack made use of a weak point on this specific type of load
balancer. The function of a load balancer is to evenly distribute
requests to the multiple servers behind it. The system concerned was
only used to handle a specific request type to our ad server and has
now been investigated. The results are outlined in this document.
Description of the problem
The use of a weak point in one of our load balancers type FLB02/CP
led to user requests not being passed to the ad servers. Instead the
user requests were answered with a 302 redirect to the URL
'search.comedycentral.com' (18.104.22.168). This happened with
approximately every 30th request. Users visiting websites that carry
banner advertising delivered by our system were periodically delivered
a file from 'search.comedycentral.com'. This file tries to execute the
IE-Exploit function on the users' computer. We don't know yet whether
the publishers of 'search.comedycentral.com' are aware of the exploit
or their server has been attacked by a hacker, too.
The weak point occurred due to a memory leak on the load balancer
concerned. After the load balancer was taken out of service on
Saturday at 11:30 AM (GMT) this was no longer possible. Because of
this it was difficult at the beginning to find an error on our side.
The servers that deliver the banners were not affected at all. Only
afterwards were we able to find the error on the load balancer by
analysing its log files.
Results of investigation
By attacking a single load balancer type FLB02/CP it was possible for
users to be redirected to 'search.comedycentral.com' which tried to
install the exploit type 'Bofra/IFrame-Exploit'. With approximately
every 30th request for banner media this redirect occurred.
The load balancer concerned has been taken out of service indefinitely
and has been replaced with a newer model. Additional monitoring has
been instituted that supervises the load balancing process and whether
this has been interrupted or manipulated. Further, a policing tool
that supervises redirects to unknown, erroneous or infected files has
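The failure mode Falk describes above (a delivery path that answers roughly every 30th banner request with a 302 to a host that is not an ad server) is the kind of thing a synthetic monitor can catch from the outside. The following is an added example, not code from Falk or The Register: it classifies a batch of responses by whether any redirect points outside an allowlist of expected hosts, and computes how many probes are needed to see a fault of a given frequency with a chosen confidence. The allowlisted hosts and the sample responses are constructed for the example; a real monitor would issue HTTP requests with redirects disabled and feed the status and Location header of each into `classify_responses`.

```python
"""Synthetic redirect monitor for an ad-delivery path (added example).

Responses are constructed below so the script runs offline.  The allowlist
hosts are assumptions for the example, not Falk's infrastructure.
"""
import math
from urllib.parse import urlsplit

# Hosts an ad request may legitimately be redirected to (assumed for the example).
ALLOWED_REDIRECT_HOSTS = {"adserver.example.net", "cdn.example.net"}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def redirect_host(status, location):
    """Return the host a 3xx response redirects to, or None if it is not a redirect."""
    if status not in REDIRECT_STATUSES or not location:
        return None
    return urlsplit(location).hostname


def classify_responses(responses, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Classify (status, location_header) pairs.

    Returns (total, suspicious) where suspicious is a list of (index, host)
    for every redirect whose target host is not on the allowlist.
    """
    suspicious = []
    total = 0
    for i, (status, location) in enumerate(responses):
        total += 1
        host = redirect_host(status, location)
        if host is not None and host not in allowed_hosts:
            suspicious.append((i, host))
    return total, suspicious


def samples_needed(hit_rate, confidence=0.99):
    """Smallest n such that P(at least one bad redirect in n probes) >= confidence,
    assuming each request is independently redirected with probability hit_rate.
    For the 1-in-30 rate in the statement and 99% confidence this is 136 probes."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - hit_rate))


def constructed_sample():
    """Constructed responses (not captured traffic): 60 banner requests, two of
    which are 302s to the host named in the statement, plus one legitimate 302
    to an allowlisted CDN host that must not be flagged."""
    sample = [(200, None)] * 60
    sample[10] = (302, "https://cdn.example.net/banner.gif")
    sample[29] = (302, "http://search.comedycentral.com/")
    sample[59] = (302, "http://search.comedycentral.com/")
    return sample


if __name__ == "__main__":
    total, bad = classify_responses(constructed_sample())
    print(f"{len(bad)} suspicious redirect(s) in {total} responses: {bad}")
    print(f"probes needed to catch a 1/30 fault at 99%: {samples_needed(1 / 30)}")
```

The sample-size function is the part operators tend to get wrong: a single probe every few minutes would have seen this fault only about 3% of the time, so a monitor for intermittent redirect injection has to batch well over a hundred requests per check, or else count across many runs.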